Servicios Especiales S.A. – €120,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Servicios Especiales S.A. was fined for mishandling sensitive personal data during a workplace harassment investigation. They shared details of complaints, including names, with all parties involved, leading to distress for the complainants. This case serves as a reminder for companies to protect personal information during sensitive processes.
What happened
Servicios Especiales shared personal details of harassment complaints without proper security measures.
Who was affected
Employees involved in workplace harassment claims, including both complainants and accused individuals.
What the authority found
The Spanish DPA found that the company failed to ensure appropriate security for personal data, violating GDPR.
Why this matters
This case highlights the need for strict data protection measures, especially in sensitive situations. Companies should implement better security protocols to safeguard personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In April 2024, the data subjects, along with four coworkers, made claims of workplace harassment against ten of their colleagues. The Spanish Works Committee requested that their employer, Servicios Especiales S.A. (data controller), initiate a labour harassment protocol with the complainants and the accused. In July 2024, the controller informed the Works Committee of the resolutions to each of the complaints, attaching the resolution in each case. The controller also forwarded these resolutions to each of the complainants and the accused, without redacting or anonymising the attachments. This resulted in each of the complainants and the accused receiving details of each complaint made, including their name and surname, their job, as well as the position they had reported. One of the accused then posted a message in a work WhatsApp group that read “Thank you for the complaint” with a kissing emoji. As a result, one of the complainants suffered an anxiety attack and had to take medical leave. In another WhatsApp group, a copy of the email was sent in, revealing the names of both the complainants and the accused in the workplace harassment claim. In August 2024, two of the complainants to the harassment claim filed a complaint with the AEPD. During the course of the investigation, the controller argued that all parties were aware of the identities of those who complained and those who were accused. The AEPD (Spanish DPA) launched their investigation in November 2024. The DPA found that the controller had infringed Article 5(1)(f) GDPR in failing to ensure appropriate security of the personal data undergoing processing. In considering the appropriate sanction, the DPA noted the seriousness of the personal data in question, as well as the sensitivity of the context. The DPA found a high degree of negligence on the part of the controller. The DPA initially set the fine at €200,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, th
Related Enforcement Actions (0)
No other enforcement actions found for Servicios Especiales S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
25 February 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
GDPRhub ID
gdprhub-9102About this data
Cite as: Cookie Fines. Servicios Especiales S.A. - Spain (2025). Retrieved from cookiefines.eu
Last updated: