Alvea Soluciones Tecnológicas, S.L – €21,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Alvea Soluciones Tecnológicas mistakenly sent an email that exposed candidates' personal data to unauthorized access. The company was fined €21,000 for failing to protect sensitive information properly. This incident serves as a reminder for businesses to be careful with how they handle personal data.
What happened
Alvea Soluciones Tecnológicas sent an email that included a link to an internal spreadsheet with candidates' personal information.
Who was affected
Job candidates whose personal data was exposed through an unsecured link in an email.
What the authority found
The Spanish Data Protection Authority ruled that Alvea violated Article 5(1)(f) GDPR by not ensuring the security of personal data.
Why this matters
This case highlights the risks of mishandling personal data in communications. Companies must implement strict controls to prevent unauthorized access to sensitive information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 7 October 2024, a data subject filed a complaint to the DPA against Alvea Soluciones Tecnológicas, S.L. (the controller). They alleged that the controller sent an email to candidates for a job offer (data subjects) requesting the processing of their data. Further, such an email included a link to a Google form indicating the disclosure of the data subjects’ personal data by transmission of the controller to third companies that work with it (processors). The form entailed a spreadsheet with the name and ID of data subjects who had denied the processing of their data. Lastly, that spreadsheet could be accessed by anyone with the form’s URL. On 17 October 2024, the DPA requested information on the measures taken by the controller to comply with the GDPR. In response, the controller admitted an administrative error, claiming that a new technician included both internal and external links in the email sent to the data subject, instead of just the external one. Furthermore, the controller has implemented several measures to address the error. Three measures were crucial for the development of the complaint. First, analysing the need for a Data Protection Officer (DPO), which led to the controller appointing one. Second, restricting access to the internal link, deactivating it. Third, proving that only the controller’s authorized members could open the internal link. On 23 October 2024, the controller informed the data subjects about the error in the previous email and requested its deletion. On 15 November 2024, the complaint was allowed to proceed. First, the DPA held that the controller had violated Article 5(1)(f)GDPR. The controller had enabled access to an internal spreadsheet containing candidates' personal data and had transmitted its link without any limitations or control. Therefore, under Articles 83(5)(a)GDPR and [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673#a7-3 71 Organic Law on Protection of Personal Data and Guarantee of Digital Right
Related Enforcement Actions (0)
No other enforcement actions found for Alvea Soluciones Tecnológicas, S.L in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€21,000
GDPRhub ID
gdprhub-9356About this data
Cite as: Cookie Fines. Alvea Soluciones Tecnológicas, S.L - Spain (2025). Retrieved from cookiefines.eu
Last updated: