Quirón Prevención – €50,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject claimed that she had suffered harassment in her workplace and filed a complaint with the Labour and Social Security Inspectorate (la Inspección de Trabajo y Seguridad). The data subject and an employee involved then took part in mediation proceedings held by the employer, Quirón Prevención (https://www.quironprevencion.com/es), the controller. The controller sent a mediation report to the data subject. However, the data subject’s and the employee’s data (name and surname, ID, mobile number and email) were not redacted. The controller crossed out the data subject’s personal data after the data subject requested it.
The data subject lodged a complaint with the Spanish DPA (AEPD), claiming a violation of personal data security. The DPA upheld the complaint, finding that the controller violated Article 5(1)(f) GDPR and Article 32 GDPR. According to the DPA, the controller did not implement appropriate technical and organisational measures to guarantee data confidentiality. In particular, no data anonymization techniques were applied at the stage of document preparation and disclosure. As a result, documents containing personal data were unlawfully disclosed.
The DPA issued a fine of €30,000 for a violation of Article 5(1)(f) GDPR and €20,000 for a violation of Article 32 GDPR. The original fine of €50,000 was reduced to €30,000 due to voluntary payment and admission of responsibility.
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Quirón Prevención in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 September 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€50,000
GDPRhub ID
gdprhub-8506
Cite as: Cookie Fines. Quirón Prevención - Spain (2024). Retrieved from cookiefines.eu