Eulen, Servicios sociosanitarios SA – €3,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Eulen, Servicios sociosanitarios SA was fined €3,000 for sending emails without using the blind copy option, exposing personal information of patients' families. This breach occurred multiple times and revealed sensitive details to unauthorized recipients. It emphasizes the need for careful handling of email communications to protect privacy.
What happened
Eulen, Servicios sociosanitarios SA sent emails disclosing personal information without using the blind copy option.
Who was affected
Families and guardians of patients at Eulen, whose names and email addresses were exposed.
What the authority found
The Catalan data protection authority found that Eulen violated GDPR's confidentiality principle by failing to protect personal information in emails.
Why this matters
This ruling highlights the importance of using proper email practices to safeguard personal information. Companies should ensure their staff are trained in data protection to avoid similar breaches.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
On 18 February 2023, 5 May 2023, 8 May 2023, 10 May 2023 and 14 June 2023, the Catalan DPA received a number of complaints against Eulen, Servicios sociosanitarios SA (the controller), an occupational center for people with disabilities. The complaints claimed that on six occasions, employees of the controller sent several emails to the family and guardians of patients without using the blind copy option (BCC). The emails were sent on separate occasions and by different employees. The incidents involved mailing lists of over 50 data subjects, which differed in each instance.
As a result of the failure to BCC, the names, surnames and email addresses of several data subjects, as well as their status as ‘family and guardians’, were disclosed to unauthorized third parties. Because some email addresses featured a corporate domain, the disclosure in some cases permitted inference of the organization to which data subjects belong.
In response to the complaints, the DPA initiated an investigation. In its defense brief, the controller stated that the lack of BCC had been caused by human error and a breach of internal procedures, as the usual operation according to distributed employee instructions was to BCC email addresses. The controller also stated that it carried out periodic trainings in data protection. With regard to the creation of mailing lists, it stated that family members voluntarily provided their electronic address information at the beginning of service.
After the investigation had already been initiated, the DPA received additional complaints against the controller for the same breach of personal data via emails sent without BCC. In response to these complaints, the DPA initiated a disciplinary procedure against the controller on 3 October 2023 for violating Article 5(1)(f) GDPR. On 1 January 2024, the investigator for the Catalan DPA proposed a fine of € 3000 for the controller’s infringement of Article 5(1)(f) GDPR’s principle of confidentiality. On 16
About this data
Cite as: Cookie Fines. Eulen, Servicios sociosanitarios SA - Spain (2024). Retrieved from cookiefines.eu