Fundació Universitat Oberta de Catalunya (FUOC) – €31,000 Fine (Spain, 2024)

In 2000, a student at the Universitat Oberta de Catalunya (UOC) conducted a study for her practicum project involving 54 minors at a secondary school, collecting highly sensitive personal data, including cognitive and psychological test results. In January 2001, the student completed the project, which included names and test scores without anonymization or pseudonymization. On 16 February 2010, the controller, the Fundació per a la Universitat Oberta de Catalunya (FUOC), published the project in its open-access institutional repository (O2), making the data publicly accessible. On 7 August 2023, the data subject, one of the students evaluated in the 2000 study, discovered the document by Googling her name and filed a complaint with the Catalan DPA. She alleged that her full name and intelligence scores appeared in the annexes of the published project. On 8 August 2023, the DPA’s inspection team verified that the report was accessible online and contained non-anonymized personal data of the data subject and other minors. On 1 March 2024, after receiving a request for information from the DPA, the controller removed the document from public access. On 4 June 2024, the DPA initiated a sanctioning procedure against the controller for violating the GDPR. On 10 September 2024, the Catalan Data Protection Authority (APDCAT) found that the Fundació per a la Universitat Oberta de Catalunya (FUOC), as controller of the O2 institutional repository, had infringed Article 5(1)(c) GDPR (data minimisation) in connection with Article 83(5)(a) GDPR, by allowing the long-term public accessibility of a student project that disclosed non-anonymized sensitive personal data of 54 minors. The DPA imposed a fine of €31,000.