General Labour Union (GCT) – Violation Found (Spain, 2019)

Violation Found
Agencia Española de Protección de Datos13 November 2019Spain
final
Violation Found

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Spain's data protection authority found that the General Labour Union violated privacy rules by emailing a member's personal details to 400 people. Although no fine was issued, the authority emphasized the union's responsibility to protect member data. This case shows the importance of safeguarding personal information within organizations.

What happened

The General Labour Union disclosed a member's personal information to 400 members without proper safeguards.

Who was affected

The affected individual was a union member whose private information was shared with other members.

What the authority found

The Spanish data protection authority determined that the union breached GDPR by failing to protect personal data adequately.

Why this matters

This decision highlights the proactive responsibility organizations have to safeguard personal data. It serves as a warning to similar entities to review their data handling practices to avoid privacy breaches.

GDPR Articles Cited

Art. 5(1)(f) GDPR
Spain enforcementAgencia Española de Protección de Datos actionsAll General Labour Union (GCT) actions
Full Legal Summary
Detailed

The GCT’s 400 members received an email that includes personal data about a citizen (personal information about her private relationship, her home address, her pregnancy status). The email was originally sent to organise an assembly regarding the data subject. The data subject filled a complaint with the AEPD. Could disclosure of personal data about an organisation's member to the other members of the same organisation contravene Article 5(1)(f) GDPR? The AEPD found that the disclosure of her personal data to the 400 members violated Article 5(1)(f) GDPR. The AEPD stressed that Article 5(1(f) GDPR constitutes a basis for the "proactive responsibility" of the controller to demonstrate its compliance. The controller was fined € 3,000.

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for General Labour Union (GCT) in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

13 November 2019

Authority

Agencia Española de Protección de Datos

GDPRhub ID

gdprhub-1503

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. General Labour Union (GCT) - Spain (2019). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: