The protection of personal data, a principle governed by the European Union through the General Data Protection Regulation (GDPR), isn't intended to punish individuals for non-compliance. The sanction is the consequence of non-compliance with the legislation. It's a fundamental right to protect individuals, at various levels. The Spanish Data Protection Agency (AEPD) recently reminded us of the need to regulate the processing of personal data of the persons concerned.
In this case, the subject was hired by a property syndicate to perform housekeeping tasks within the building. Owners included her in a WhatsApp group, without her consent, in order to monitor her work activity, ordering her to send photographs of the tasks performed at the end of each work day.
The claimant contacted her employer to express her refusal to transfer her personal data to third parties, the application, which ultimately led to her dismissal.
She also provided a letter to the union requesting access to her personal data held by this one, but received no response. She then filed a complaint with the AEPD.
The AEPD's decision
While a data processing must have a legal basis in order to legitimize it, the AEPD considers that there is no evidence that one exists for the processing of the complainant's data, in accordance with Article 6.1 of the GDPR, in relation to the cell phone number, which was used by the union, in order to be included in a Whatsapp group.
In addition, it held that the union had violated Article 15 of the GDPR, since the applicant had exercised her right of access to the union, which didn't prove to have responded.
The AEPD then fined the union €1,500 in violation of Article 6.1 of the GDPR, and a fine of €500 in violation of Article 15 of the same Regulation.
💡 This case is a perfect demonstration of the importance of personal data protection. The scope of application of the Regulation is wide, and as soon as there are risks for the rights and freedoms of individuals, it applies, even if it concerns only a few individuals.