EasyJet Airlines Spain – Court Ruling (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that EasyJet Airlines Spain did not have to publish full names of employees in a seniority list, as it had already pseudonymized the data. This is important because it highlights how companies can protect employee privacy while still complying with legal obligations.
What happened
EasyJet Airlines Spain published a seniority list but kept employee identities anonymous by using numbers instead of names.
Who was affected
Employees of EasyJet Airlines Spain whose names were on the seniority list.
What the authority found
The High Court dismissed the trade union's request for full names, stating that EasyJet complied with its obligations by pseudonymizing the data.
Why this matters
This case shows that companies can meet legal requirements while also protecting employee privacy. It encourages businesses to consider how they handle personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
EasyJet Airlines Spain (the controller) is an airline company. In 2024, Unión Sindical Obrera-Sector de Transporte Aéreo (USO-STA, a trade union in the aviation sector) brought a case against the controller to the High Court. The controller published a seniority list on its intranet, as an obligation from its collective bargaining agreement with SITCPLA (Sindicato Independiente de Tripulantes de Cabina de Pasajeros, also a trade union). This list was made for the purpose of regulating access and organising promotions and changes of contract. The controller pseudonymised the identities of the data subjects, replacing their names with a number. The USO-STA requested the court to order the controller to publish the full names of the data subjects, as it considered that the controller did not fully comply with the collective bargaining agreement. According to USO-STA, this obligation complied with the GDPR, because the controller processed data under the legal basis of legal obligation (Article 6(1)(c) GDPR). The High Court dismissed the case on procedural grounds. According to the court, there was no current and real litigious interest, as the controller fulfilled its obligation in relation to the collective bargaining agreement. The court considered the manner in which the controller did this (pseudonymising the data) irrelevant. The trade union appealed the case to the court. The controller argued that it complied with the collective bargaining agreement, and that it pseudonymised the data to comply with the principle of data minimisation (Article 5(1)(c) GDPR) and CJEU case lawSee case C-65/2023 (MK v K GmbH), https://infocuria.curia.europa.eu/tabs/jurisprudence?lang=en&sort=DOC_DATE-DESC&searchTerm=%22c-65%2F23%22&publishedId=c-65%2F23. In addition, the controller argued that the pseudonymised data allowed data subjects to see their relative position within the company. The court first clarified that the case was admissible, as there was a potential conflict bet
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for EasyJet Airlines Spain in ES
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. EasyJet Airlines Spain - Spain (2026). Retrieved from cookiefines.eu
Last updated: