AEPD (Spain) - PS/00324/2020

From GDPRhub
AEPD - PS/00324/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 58(2) GDPR
Article 83(2) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided: 27.11.2020
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: PS/00324/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Paola L.

The Spanish DPA (AEPD) imposed a fine of €10,000 on a company for sending an email containing personal data to a third party without the authorisation of the data subject.

English Summary


The data subject submitted a complaint to the AEPD stating that the defendant had sent an email containing an accusation of attempted fraud, letter of dismissal, and severance pay of the claimant, to a third party without the their authorisation. This information as well as the response from the third party to the email received, became known to the data subject when appearing before the Court of First Instance of Solares (Cantabria) following a report the defendant made to the Local Police of Santander for theft of tools. The third party upon receiving said documents responded stating the following:

“… We believe that the accompanying documentation, particularly the letter of dismissal and the corresponding severance pay, should not have sent to us as it contains personal data ...”

The AEPD sent a request for information to the defendant but they did not respond. The AEPD admitted the data subject's complaint in accordance with Article 65 LOPDGDD and decided to initiate a sanctioning procedure in accordance with Article 83(5)(a) GDPR against the defendant for alleged infringement of Article 5(1)(f) GDPR.


Does the action of the defendant constitute a violation of Article 5(1)(f) GDPR?


Considering the evidence available, the AEPD held that the action of the defendant violated the principle of confidentiality established in Article 5 (1)(f) GDPR by sending an email containing the data subject's personal data without authorisation for doing so, and decided to impose a fine of €10,000 on the defendant.

The fine imposed falls within the criteria stated in Article 83(5)(a) GDPR. In imposing the fine, the AEPD factored in accordance with Article 83(2) GDPR and Article 76 LOPDGDD the following points:

  • The local scope of processing concerned by the defendant
  • The volume of data subject affected. In this instance, only one person was affected.
  • There is no evidence of actions taken by the defendant to mitigate the damage suffered by the affected data subject and to prevent recurrence as the defendant did not respond to the request of information made by the AEPD, this also reveals the absence of cooperation of the defendant with the supervisory authority, in order to remedy the infringement and mitigate its possible adverse effects.
  • There is no evidence that the defendant acted intentionally, however, it is evident that the actions constitute a high degree of negligence.
  • The defendant is a small-sized company.


It would have been interesting to know if the defendant provided the data subject with a copy of its Privacy Notice and whether the categories of the data disclosed, the name of the third party, and the legal basis for sending personal data to the third party were included in it.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


                                                     Procedure Nº: PS / 00324/2020


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


FIRST: D. A.A.A. (hereinafter, the claimant) on 04/16/2020 filed
claim before the Spanish Agency for Data Protection. The claim is
directs against *** COMPANY. 1. with NIF *** NIF.1 (hereinafter, the claimed one). The

reasons on which the claim is based are: that the company in which you were working
sent an email on 10/16/2019, to the Condal transport company
Express, attaching the documents of your dismissal and severance pay and accusing you of
attempted fraud, thus communicating your personal data to a third party does not

       Along with the claim, provide the police report and email
sent by the claimed entity to the freight transport company.

SECOND: Upon receipt of the claim, the Subdirectorate General of

Data Inspection proceeded to carry out the following actions:

On 06/05/2020, the claim submitted for his
analysis. Likewise, he was required to submit to the
Agency certain information:

       - Copy of the communications, of the adopted decision that has been sent to the
       claimant regarding the transfer of this claim, and accreditation that
       the claimant has received the communication of that decision.
       - Report on the causes that have motivated the incidence that has originated the

       - Report on the measures adopted to prevent the occurrence of
       similar incidents.
       - Any other that you consider relevant.

The defendant has not given any response to the request of the AEPD.

THIRD: On 09/16/2020, in accordance with article 65 of the LOPDGDD, the
Director of the Spanish Data Protection Agency agreed to admit for processing the
claim filed by the claimant against the defendant.

FOURTH: On 10/26/2020, the Director of the Spanish Protection Agency

of Data agreed to initiate a sanctioning procedure against the claimed party, for the alleged
infringement of article 5.1.f) of the RGPD contemplated in article 83.5.a) of the aforementioned

C / Jorge Juan, 6
28001 - Madrid 2/8

FIFTH: Notified the initiation agreement, the one claimed at the time of the present
resolution has not submitted a brief of allegations, so it is applicable
indicated in article 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, which in its section f)
establishes that in case of not making allegations within the period provided for the

content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility
imputed, for which a Resolution is issued.

SIXTH: Of the actions carried out in this proceeding, there have been
accredited the following:

                               PROVEN FACTS

FIRST: On 04/16/2020 the claimant has a written entry in the AEPD

that the defendant reported to the Local Police of Santander, attested *** NUMBER 1
dated 10/07/2020 for theft of tools; consequence of the complaint
Preliminary Proceedings *** NUMBER 2 are open in the First Court
Instance of Solares (Cantabria); on 03/06/2020 the claimant appeared at the
Court of First Instance of Solares (Cantabria) within the Preliminary Proceedings
*** NUMBER 2, when he learned all the documentation and comments that the

claimed had made the company CONDAL EXPRESS; the claimed sent
email on 10/16/2019 to CONDAL EXPRESS, to the address, attaching the documents of your dismissal and the settlement as well
as an accusation for attempted fraud, revealing your personal data to a
unauthorized third party; CONDAL EXPRESS responded to the email on the same date
noting: We acknowledge receipt of your writing.

… We believe that the accompanying documentation, particularly the letter of
dismissal and the corresponding severance pay, you should not have sent it to us while
how much it contains personal data ...

SECOND: An email has been provided to the address,
containing the documentation indicated in the previous point as well as the response of

Condal Express of the same date.

THIRD: A copy of the complaint made by the defendant before the
Santander Local Police, attested *** NUMBER 1 dated 10/07/2020, XIII zone of
the Civil Guard of Cantabria.

FOURTH: The statement of the claimant before the Court of First is provided
Instance and Instruction nº2 Valdecilla-Solares in Preliminary Proceedings procedure
*** NUMBER 2.

                          FOUNDATIONS OF LAW

       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

C / Jorge Juan, 6
28001 - Madrid 3/8

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.

        Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations, in its article 64 “Agreement of initiation in the
procedures of a sanctioning nature ”, provides:

        "1. The initiation agreement will be communicated to the instructor of the procedure, with

transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case as such the accused.
        Likewise, the initiation will be communicated to the complainant when the regulations
regulating the procedure so provide.

        2. The initiation agreement must contain at least:

        a) Identification of the person or persons allegedly responsible.
        b) The facts that motivate the initiation of the procedure, it's possible
        qualification and penalties that may correspond, without prejudice to what
        result of the instruction.

        c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
        express indication of the regime of the challenge of the same.
        d) Competent body for the resolution of the procedure and regulation that
        attributes such competence, indicating the possibility that the alleged
        responsible can voluntarily acknowledge their responsibility, with the

        effects provided for in article 85.
        e) Provisional measures that have been agreed by the body
        competent to initiate the sanctioning procedure, without prejudice to those
        can be adopted during the same in accordance with article 56.
        f) Indication of the right to present allegations and to the hearing in the

        procedure and deadlines for its exercise, as well as an indication that, in
        case of not making allegations within the term provided on the content of the
        initiation agreement, this may be considered a resolution proposal
        when it contains a precise statement about liability

        3. Exceptionally, when at the time of issuing the initiation agreement
there are insufficient elements for the initial qualification of the facts that motivate
the initiation of the procedure, the aforementioned qualification may be carried out in a phase
later by preparing a Statement of Charges, which must be notified to
the interested".

        In application of the previous precept and taking into account that they have not
formulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated.


        The denounced facts materialize in the sending by the claimed of a
email to the company Condal Express, attaching the dismissal and termination of the
claimant and in which he is accused of attempted fraud, revealing his data of
personal character.

C / Jorge Juan, 6
28001 - Madrid 4/8

       Article 58 of the RGPD, Powers, points out in point 2 that:

       "2. Each supervisory authority shall have all the following powers
corrective measures listed below:

       i) impose an administrative fine in accordance with article 83, in addition or in
       instead of the measures mentioned in this section, according to the

       circumstances of each particular case;
       (…) "

       In the first place, the treatment of the claimed person could constitute a
violation of article 5, Principles relating to treatment, of the RGPD that establishes


       "1. The personal data will be:

       f) treated in such a way as to guarantee adequate security for the

       personal data, including protection against unauthorized processing or
       illicit and against its loss, destruction or accidental damage, through the application
       appropriate technical or organizational measures ('integrity and
       confidentiality »)”.

       Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(hereinafter LOPDGDD), states that:

       "1. Those responsible and in charge of data processing as well as all
people who intervene in any phase of this will be subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

       2. The general obligation indicated in the previous section will be complementary
of the duties of professional secrecy in accordance with its applicable regulations.

       3. The obligations established in the previous sections will be maintained
even when the relationship between the obligated party and the person in charge or manager has ended
treatment ”.

       The documentation in the file shows that the defendant
violated article 5 of the RGPD, principles relating to treatment, in relation to the
Article 5 of the LOPGDD, duty of confidentiality, when sending an email to
a third party, containing the dismissal and termination document, revealing your

personal character and being accessible to third parties without their authorization.

C / Jorge Juan, 6
28001 - Madrid 5/8

       This duty of confidentiality, previously the duty of secrecy, must
It is understood that its purpose is to prevent leaks of data not
consented by the holders thereof.

       Therefore, this duty of confidentiality is an obligation incumbent upon not
only to the person in charge and in charge of the treatment but to everyone who intervenes in
any phase of the treatment and complementary to the duty of professional secrecy.


       Article 83.5 a) of the RGPD, considers that the infringement of “the principles
basic for the treatment, including the conditions for consent in accordance with
of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the
mentioned article 83 of the aforementioned RGPD, “with administrative fines of € 20,000,000
at most or, in the case of a company, an amount equivalent to 4% as

maximum total annual global business volume of the previous financial year,
opting for the highest amount ”.

       On the other hand, the LOPDGDD, for prescription purposes, in its article 72 indicates:
“Violations considered very serious:

       1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:

       a) The processing of personal data violating the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679.
       (…) "


       In order to establish the administrative fine to be imposed, they must
observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which
point out:

       "1. Each supervisory authority shall ensure that the imposition of fines
administrative under this article for the infractions of this

Regulations indicated in paragraphs 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.

       2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated

in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

       a) the nature, severity and duration of the offense, taking into account the
       nature, scope or purpose of the processing operation in question

       as well as the number of affected stakeholders and the level of damage and
       damages they have suffered;
       b) intentionality or negligence in the infringement;

C / Jorge Juan, 6
28001 - Madrid 6/8

        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;
        d) the degree of responsibility of the person in charge of the

        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of the
        f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;

        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement, in
        particular if the person in charge or the person in charge notified the infringement and, in such case,
        what extent;
        i) when the measures indicated in Article 58 (2) have been

        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct

        or indirectly, through infringement.

        In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:

        "2. In accordance with the provisions of article 83.2.k) of Regulation (EU)
2016/679 may also be taken into account:

        a) The continuing nature of the offense.
        b) The linking of the offender's activity with the performance of treatments

        of personal data.
        c) The benefits obtained as a result of the commission of the offense.
        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.
        e) The existence of a merger process by absorption after the commission
        of the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.
        g) To have, when not mandatory, a delegate for the protection of
        h) The submission by the person in charge or in charge, with character
        voluntary, to alternative dispute resolution mechanisms, in those

        cases in which there are controversies between those and any

        In accordance with the transcribed precepts, in order to set the amount of the
sanction of a fine to be imposed in the present case for the offense typified in the

Article 83.5.a) of the RGPD for which the claimed person is responsible, in an assessment
initial, the following factors are considered concurrent:

C / Jorge Juan, 6
28001 - Madrid 7/8

       The scope in a local environment of the treatment carried out by the entity

       The number of affected is limited to a single person, the claimant.

       The measures taken by the defendant to avoid being
       produce similar incidents, since before the information request
       the Agency has not responded to it, which in turn affects the absence
       of cooperation with the supervisory authority in order to remedy the

       infringement and mitigate the possible adverse effects of the same.

       There is no evidence that the entity acted maliciously, although
       the performance reveals a serious lack of diligence.

       The claimed entity is a small business.

       Therefore, in accordance with the applicable legislation and the criteria of
graduation of sanctions whose existence has been proven,

       The Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE *** COMPANY.1., With NIF *** NIF.1, for a violation of the
article 5.1.f) of the RGPD, typified in article 83.5. a) of the RGPD, a fine of
€ 10,000 (ten thousand euros).

SECOND: NOTIFY this resolution to *** COMPANY. 1.

THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

       Once the notification has been received and once it is executed, if the date of execution is

finds between the 1st and 15th of each month, both inclusive, the deadline to carry out the
voluntary payment will be until the 20th of the following or immediately subsequent business month, and if
is between the 16th and last days of each month, both inclusive, the term of the
Payment will be up to the 5th of the second following or immediate business month.

       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

C / Jorge Juan, 6
28001 - Madrid 8/8

       Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reversal

before the Director of the Spanish Agency for Data Protection within a period of
month from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be suspended in an administrative way

If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,
Presenting it through the Electronic Registry of the Agency
[], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too

must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, would terminate the
precautionary suspension.

                                                                       Mar Spain Martí
                               Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid