Eulen, Servicios sociosanitarios SA – €3,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 18 February 2023, 5 May 2023, 8 May 2023, 10 May 2023 and 14 June 2023, the Catalan DPA received a number of complaints against Eulen, Servicios sociosanitarios SA (the controller), an occupational center for people with disabilities. The complaints claimed that on six occasions, employees of the controller sent several emails to the family and guardians of patients without using the blind copy option (BCC). The emails were sent on separate occasions and by different employees. The incidents involved mailing lists of over 50 data subjects, which differed in each instance.

As a result of the failure to BCC, the names, surnames and email addresses of several data subjects, as well as their status as ‘family and guardians’, were disclosed to unauthorized third parties. Because some email addresses featured a corporate domain, the disclosure in some cases permitted inference of the organization to which data subjects belong.

In response to the complaints, the DPA initiated an investigation. In its defense brief, the controller stated that the lack of BCC had been caused by human error and a breach of internal procedures, as the usual operation according to distributed employee instructions was to BCC email addresses. The controller also stated that it carried out periodic trainings in data protection. With regard to the creation of mailing lists, it stated that family members voluntarily provided their electronic address information at the beginning of service.

After the investigation had already been initiated, the DPA received additional complaints against the controller for the same breach of personal data via emails sent without BCC. In response to these complaints, the DPA initiated a disciplinary procedure against the controller on 3 October 2023 for violating Article 5(1)(f) GDPR. On 1 January 2024, the investigator for the Catalan DPA proposed a fine of € 3000 for the controller’s infringement of Article 5(1)(f) GDPR’s principle of confidentiality. On 16
Related Enforcement Actions (0)
No other enforcement actions found for Eulen, Servicios sociosanitarios SA in ES
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Eulen, Servicios sociosanitarios SA - Spain (2024). Retrieved from cookiefines.eu