Servicios Especiales S.A. – €120,000 Fine (Spain, 2025)

In April 2024, the data subjects, along with four coworkers, made claims of workplace harassment against ten of their colleagues. The Spanish Works Committee requested that their employer, Servicios Especiales S.A. (data controller), initiate a labour harassment protocol with the complainants and the accused. In July 2024, the controller informed the Works Committee of the resolutions to each of the complaints, attaching the resolution in each case. The controller also forwarded these resolutions to each of the complainants and the accused, without redacting or anonymising the attachments. This resulted in each of the complainants and the accused receiving details of each complaint made, including their name and surname, their job, as well as the position they had reported. One of the accused then posted a message in a work WhatsApp group that read “Thank you for the complaint” with a kissing emoji. As a result, one of the complainants suffered an anxiety attack and had to take medical leave. In another WhatsApp group, a copy of the email was sent in, revealing the names of both the complainants and the accused in the workplace harassment claim. In August 2024, two of the complainants to the harassment claim filed a complaint with the AEPD. During the course of the investigation, the controller argued that all parties were aware of the identities of those who complained and those who were accused. The AEPD (Spanish DPA) launched their investigation in November 2024. The DPA found that the controller had infringed Article 5(1)(f) GDPR in failing to ensure appropriate security of the personal data undergoing processing. In considering the appropriate sanction, the DPA noted the seriousness of the personal data in question, as well as the sensitivity of the context. The DPA found a high degree of negligence on the part of the controller. The DPA initially set the fine at €200,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, th