Background
On May 9, 2019, a complaint was filed before the AEPD (Spanish Agency of Data Protection), claiming that the respondent sent emails (with and advertising content) without blind copy, disclosing the email accounts of all of them.
After carrying out the appropriate actions, the AEPD agreed to initiate disciplinary proceedings against the respondent for the alleged infringement of Article 5.1.f) of the GDPR.
Legal grounds and decision
The reported facts entail a breach of the principle of integrity and confidentiality established in the aforementioned article, since the data of dozens of email accounts were disclosed by sending communications without using the blind format in which it was informed and advertised the services provided, without consent or authorization to do so. It is indicated that this duty of confidentiality is an obligation applicable not only to the data controller and data processor but also on all those involved in any phase of the processing, and complementary to the duty of professional secrecy, with the purpose of avoiding any leakage of the data provided by the data owners.
Therefore, taking into account the merely local scope of the processing, being solely one person affected by the infringing conduct (there is only one claimant), there is no evidence of malice in the conduct and since the reported entity is a small company, it is decided to impose a fine (5,000 euros) as these acts constitute a serious infringement.
Decision issued by the Director of the Spanish Data Protection Agency. Resolution in proceedings No.: PS/00320/2019.