DIRECCIÓN GENERAL DE LA GUARDIA CIVIL – Complaint Upheld (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Spain's data protection authority found that the Guardia Civil sent an email containing personal information to a wrong email address, accessible by unauthorized staff. This violated GDPR rules about keeping data confidential and secure. The authority warned the police directorate to fix their processes within a month.
What happened
The Guardia Civil sent an email with personal data to an incorrect email address, making it accessible to unauthorized personnel.
Who was affected
The person whose firearm license suspension procedure details were mistakenly shared with unauthorized police unit members.
What the authority found
The Spanish data protection authority found that the Guardia Civil violated GDPR by not keeping personal data confidential and secure.
Why this matters
This case highlights the importance of ensuring that personal data is only accessible to those who need it. Organizations should review their data handling procedures to prevent unauthorized access.
GDPR Articles Cited
The Spanish DPA (AEPD) received a complaint against a Directorate from the Spanish Police Force (Guardia Civil) indicating that an email containing an agreement to commence a procedure for the suspension of the data subject's firearm license was sent to a generic email address of a different unit which did not have any relation to the procedure, other than notifying the data subject, and that could be accessed by third parties. The email was accessible by the whole police unit, while the purpose of the sending was only to notify the data subject about the commencement of the procedure. The AEPD held that the facts constituted an infringement of Article 5(1)(f) GDPR for violating the principle of confidentiality and Article 32 GDPR for failing to implement appropriate technical and organisational measures according to the risk and sensitivity of the personal data processed, since third parties that was not in charge of the procedure and did not need to access the data had access to it. The AEPD warned the directorate and provided them with one month to review its processes and bring them into compliance with GDPR.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for DIRECCIÓN GENERAL DE LA GUARDIA CIVIL in ES
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. DIRECCIÓN GENERAL DE LA GUARDIA CIVIL - Spain (2021). Retrieved from cookiefines.eu
Last updated: