All About Water SL – €3,000 Fine (Spain, 2025)

The data subject purchased a product through a website, All About Water S.L. (controller). The data subject later made a complaint to the controller about the product via email. The initial complaint was closed and joined with a second complaint, submitted by another individual. The data subject received a thread of emails relating to the 3rd party’s complaint, revealing their name, surname and contact number. The third party also erroneously received an email thread revealing the name, surname, address and telephone number of the data subject. On 15th July 2022, the data subject filed a complaint with the AEPD. During the course of the investigation, it was revealed that the process for merging complaints is performed manually and the incident giving rise to the complaint occurred as a result of human error. The controller did not supply, as requested, details of technical and organisational measures taken to ensure the confidentiality of personal data that employees are given access to. The DPA rejected the controller’s claim that no infringement of the GDPR occurred as the incident was explicable due to simple human error. The DPA was critical of the lack of technical and organisational measures adopted to ensure the confidentiality of personal data being handled by the employees, noting that issues such as that which arose could have been avoided if suitable measures had have been in place. The DPA found that the controller had infringed Article 5(1)(f) GDPR in failing to process personal data in a manner which ensures its appropriate security. The DPA considered the infringement serious in nature as an irretrievable loss of control occurred over the personal data, and the taking of online orders is the core business of the controller. The DPA fined the controller €3000 and ordered it to adopt appropriate technical and organisational security measures within one month.