Alvea Soluciones Tecnológicas, S.L – €21,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 7 October 2024, a data subject filed a complaint to the DPA against Alvea Soluciones Tecnológicas, S.L. (the controller). They alleged that the controller sent an email to candidates for a job offer (data subjects) requesting the processing of their data. Further, such an email included a link to a Google form indicating the disclosure of the data subjects’ personal data by transmission of the controller to third companies that work with it (processors). The form entailed a spreadsheet with the name and ID of data subjects who had denied the processing of their data. Lastly, that spreadsheet could be accessed by anyone with the form’s URL. On 17 October 2024, the DPA requested information on the measures taken by the controller to comply with the GDPR. In response, the controller admitted an administrative error, claiming that a new technician included both internal and external links in the email sent to the data subject, instead of just the external one. Furthermore, the controller has implemented several measures to address the error. Three measures were crucial for the development of the complaint. First, analysing the need for a Data Protection Officer (DPO), which led to the controller appointing one. Second, restricting access to the internal link, deactivating it. Third, proving that only the controller’s authorized members could open the internal link. On 23 October 2024, the controller informed the data subjects about the error in the previous email and requested its deletion. On 15 November 2024, the complaint was allowed to proceed. First, the DPA held that the controller had violated Article 5(1)(f)GDPR. The controller had enabled access to an internal spreadsheet containing candidates' personal data and had transmitted its link without any limitations or control. Therefore, under Articles 83(5)(a)GDPR and [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673#a7-3 71 Organic Law on Protection of Personal Data and Guarantee of Digital Right
GDPR Articles Cited
National Law Articles
On 7 October 2024, a data subject filed a complaint to the DPA against Alvea Soluciones Tecnológicas, S.L. (the controller). They alleged that the controller sent an email to candidates for a job offer (data subjects) requesting the processing of their data. Further, such an email included a link to a Google form indicating the disclosure of the data subjects’ personal data by transmission of the controller to third companies that work with it (processors). The form entailed a spreadsheet with the name and ID of data subjects who had denied the processing of their data. Lastly, that spreadsheet could be accessed by anyone with the form’s URL. On 17 October 2024, the DPA requested information on the measures taken by the controller to comply with the GDPR. In response, the controller admitted an administrative error, claiming that a new technician included both internal and external links in the email sent to the data subject, instead of just the external one. Furthermore, the controller has implemented several measures to address the error. Three measures were crucial for the development of the complaint. First, analysing the need for a Data Protection Officer (DPO), which led to the controller appointing one. Second, restricting access to the internal link, deactivating it. Third, proving that only the controller’s authorized members could open the internal link. On 23 October 2024, the controller informed the data subjects about the error in the previous email and requested its deletion. On 15 November 2024, the complaint was allowed to proceed. First, the DPA held that the controller had violated Article 5(1)(f)GDPR. The controller had enabled access to an internal spreadsheet containing candidates' personal data and had transmitted its link without any limitations or control. Therefore, under Articles 83(5)(a)GDPR and [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673#a7-3 71 Organic Law on Protection of Personal Data and Guarantee of Digital Right
Related Enforcement Actions (0)
No other enforcement actions found for Alvea Soluciones Tecnológicas, S.L in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
18 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€21,000
GDPRhub ID
gdprhub-9356About this data
Cite as: Cookie Fines. Alvea Soluciones Tecnológicas, S.L - Spain (2025). Retrieved from cookiefines.eu
Last updated: