IZA OBRAS Y PROMOCIONES, S.A. – €50,000 Fine (Spain, 2021)

€50,000Agencia Española de Protección de Datos14 December 2021Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

IZA OBRAS Y PROMOCIONES, S.A. was fined EUR 50,000 for sharing an employee's personal and health information with a client without permission. This case highlights the importance of protecting employee data and only sharing what's absolutely necessary. Companies should ensure they follow data minimization principles to avoid similar fines.

What happened

IZA OBRAS Y PROMOCIONES, S.A. disclosed an employee's personal and health information to a client without authorization.

Who was affected

An employee whose personal and health information was shared with a client without consent.

What the authority found

The Spanish Data Protection Authority found that the company violated the principle of data minimization by sharing unnecessary personal data.

Why this matters

This case underscores the need for businesses to limit data sharing to what is strictly necessary, especially regarding employee information. It serves as a reminder to review data handling practices to comply with privacy laws.

GDPR Articles Cited

Art. 5(1)(c) GDPR
Spain enforcementAgencia Española de Protección de Datos actionsAll IZA OBRAS Y PROMOCIONES, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA has fined IZA OBRAS Y PROMOCIONES, S.A. EUR 50,000. An employee had filed a complaint with the DPA against the company, alleging that the controller had unauthorizedly disclosed his personal data to another company from which it had received a construction order. The data subject was working as a construction manager on the project, but was absent from work for a period of time due to illness. The controller therefore informed its client and additionally disclosed the data subject's email address and certain health information. The DPA determined that the disclosure of this data would not have been necessary and that the controller had therefore violated the principle of data minimization.

Related Enforcement Actions (0)

No other enforcement actions found for IZA OBRAS Y PROMOCIONES, S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

14 December 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€50,000

Enforcement Tracker ID

ETid-956

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. IZA OBRAS Y PROMOCIONES, S.A. - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: