The protection of personal data: a necessary defense for the individual in case of abuse

The protection of personal data: a necessary defense for the individual in case of abuse
Maëva Vidal

The protection of personal data, a principle governed by the European Union through the General Data Protection Regulation (GDPR), isn't intended to punish individuals for non-compliance. The sanction is the consequence of non-compliance with the legislation. It's a fundamental right to protect individuals, at various levels. The Spanish Data Protection Agency (AEPD) recently reminded us of the need to regulate the processing of personal data of the persons concerned.

The facts

In this case, the subject was hired by a property syndicate to perform housekeeping tasks within the building. Owners included her in a WhatsApp group, without her consent, in order to monitor her work activity, ordering her to send photographs of the tasks performed at the end of each work day.

The claimant contacted her employer to express her refusal to transfer her personal data to third parties, the application, which ultimately led to her dismissal.

She also provided a letter to the union requesting access to her personal data held by this one, but received no response. She then filed a complaint with the AEPD.

The AEPD's decision

While a data processing must have a legal basis in order to legitimize it, the AEPD considers that there is no evidence that one exists for the processing of the complainant's data, in accordance with Article 6.1 of the GDPR, in relation to the cell phone number, which was used by the union, in order to be included in a Whatsapp group.

In addition, it held that the union had violated Article 15 of the GDPR, since the applicant had exercised her right of access to the union, which didn't prove to have responded.

The AEPD then fined the union €1,500 in violation of Article 6.1 of the GDPR, and a fine of €500 in violation of Article 15 of the same Regulation.

💡 This case is a perfect demonstration of the importance of personal data protection. The scope of application of the Regulation is wide, and as soon as there are risks for the rights and freedoms of individuals, it applies, even if it concerns only a few individuals.


Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution*

*You will always be able to unsubscribe on each newsletter. Learn more.

Sanction of the operator Orange España: lack of verification the identity of the person concerned

The Spanish Data Protection Agency (AEPD) has fined Orange Spain €30,000 for illegally registering a telephone line in the name of a custome...

Maëva Vidal

CJEU ruling against Google: Right to oblivion extended against manifestly inaccurate information

In a ruling dated December 8, 2022, the Court of Justice of the European Union (CJEU) states that the search engine operator must dereferenc...

Margaux Morel

Update 1.5.0 : customs fields!

New version of Dastra incorporating custom fields!

Antoine Bidault

A small step for DPOs, a big step for data protection is free to try, easy to set up, and work seamlessly together.

Startup for free Ask for a demo

Free 30 day trial - No credit card required - No commitment