Ayuntamiento de Llucmajor – Complaint Upheld (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 1 December 2021, a PDF was created by the resource management department of the local police of Llucmajor (the controller). The document contained the personal data of 47 police agents, including their first names, surnames, agent numbers, and sick leave information. On 12 January 2022, the document was posted on the intranet of the Llucmajor government in the ‘local police’ folder, within a subfolder labeled ‘photocopier.’
A complaint was filed with the DPA on 22 March 2022, and the DPA subsequently conducted an investigation. The controller reported that access to the document was meant to be restricted to the police headquarters and their staff, but due to an error, it was not deleted and remained in the ‘photocopier’ folder for several days. The controller also noted that the document was accessed by individuals who were not its intended recipients. In addition, the DPA found no evidence that the controller had designated a data protection officer.
The DPA held that the controller violated Articles 5(1)(f), 32, and 37 GDPR. Pursuant to Article 58(2)(d), it ordered the controller to bring processing operations into compliance within 6 months. No other corrective measures were issued.
First, the DPA found that the controller violated the principle of confidentiality guarded by Article 5(1)(f) GDPR because, by keeping the document containing personal data in the ‘photocopier’ folder for a number of days rather than immediately deleting it, the controller exposed the personal data to unauthorised third parties.
Second, the DPA held that the controller lacked appropriate security measures to protect against data breaches pursuant to Article 32 GDPR. The DPA noted that there was no measure to ensure that documents placed in the ‘photocopier’ folder were properly deleted. In addition, the folder granted access to a number of users beyond the intended recipients.
Finally, the controller violated Article 37 GDPR because it did not have a designated data protection officer o
GDPR Articles Cited
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Ayuntamiento de Llucmajor in ES
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Ayuntamiento de Llucmajor - Spain (2024). Retrieved from cookiefines.eu