VOX España – €500 Fine (Spain, 2025)

€500 | Agencia Española de Protección de Datos | 10 October 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 5(1)(a) GDPR
Art. 6(1) GDPR

Full Legal Summary

On 22 March 2024, a data subject filed a complaint with the Spanish Data Protection Agency (AEPD) against VOX España. VOX had sent a certified letter to a municipal company. On 8 February 2024, the data subject received the letter at their workplace and signed the proof of delivery. The document included the data subject’s name, national identification number and signature. On 16 March 2024, VOX published an image of that proof of delivery on its Facebook page. The publication made the data subject’s personal data visible without restrictions. The publication remained online for five days. The data subject stated that they had not consented to the publication of their personal data on social media. On 29 April 2024, the AEPD informed VOX about the complaint and invited it to submit observations. VOX replied that the publication had been an oversight and that it deleted the post once it became aware of the issue. On 2 October 2024, the AEPD verified that the post was no longer accessible. On 17 February 2025, the AEPD opened formal proceedings against VOX for a possible infringement of Article 6 GDPR. VOX argued that the publication was unintentional, that it had caused no real harm, that it had acted in good faith, and that the fine would be disproportionate. The AEPD held that VOX had processed personal data by publishing the proof of delivery on Facebook. The authority considered that VOX acted as controller because it determined the purpose and means of the publication. The AEPD found that the processing had no legal basis under Article 6 GDPR. The data subject had not given consent within the meaning of Article 6(1)(a), and none of the other legal grounds in Article 6(1) GDPR applied. The AEPD rejected VOX’s arguments on lack of intent and absence of harm. It stated that negligence was sufficient to establish liability. The authority also held that the later deletion of the post did not remove the infringement, although it could reduce the fine. The AEPD concl

Related Enforcement Actions (0)

No other enforcement actions found for VOX España in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

10 October 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€500

Enforcement Tracker ID

ETid-3053

GDPRhub ID

gdprhub-9803

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. VOX España - Spain (2025). Retrieved from cookiefines.eu
