Ayuntamiento de Burgos (Burgos City Hall) – Violation Found (Spain, 2020)

In the context of a conciliation procedure, the Burgos City Council summoned the conflicting parties via email. In doing so, the Council did not use the BCC option therefore disclosing the email address of one of the parties involved and other personal data. The affected party filed a complaint with the Spanish DPA. Is the sharing via email of the ID card and a complaint made with the parties of an arbitration settlement without using the BCC option a violation of Article 5 (1) GDPR? The Spanish DPA imposed a warning penalty on the Municipality of Burgos, under Article 83 (5) GDPR, for infringing Articles 5(1)(b) GDPR and 5(1)(f) GDPR. The Spanish DPA also requested Burgos City Council to prove within one month that it had adopted the necessary measures to comply with the principles of "purpose limitation" and "integrity and confidentiality" under Article 5(1)(b) and (f) of the GDPR.