Spanish company fined 5,000 euros for divulging sensitive information about former employee to clients

Spanish company fined 5,000 euros for divulging sensitive information about former employee to clients

People were told in an email the individual had been dismissed due to malpractice, but data protection authorities in Spain said the reason for the dismissal should be a "private matter" only between the two parties involved

Susana Zamora


Wednesday, 22 May 2024, 18:26

Opciones para compartir

Spanish data protection authorities have fined a company 5,000 euros for sending an email to clients of an employee telling them "he had stopped providing services because he had been dismissed for disciplinary reasons due to professional malpractice".

Initially, the Spanish Data Protection Agency (AEPD) sent this complaint to the company so it could investigate it and inform it within one month of the actions taken to adapt to the requirements set out in the data protection regulations.

The case was taken up by the person in charge of the business and on 10 December 2021 he responded by pointing out, among other issues, he had communicated the name, first surname and corporate email address of the worker to the clients to whom he had been providing his services as an employee and that this communication "was made in the legitimate interest of both the entity complained of and the clients of said entity, to whom the claimant provided tax advice".

On 13 November 2021, the employee's claim was accepted for processing. On 8 January 2024, it was agreed to initiate proceedings against the company.

In its ruling the AEPD claimed more information was divulged than was necessary and "it is not justifiable" to communicate the cause for which the worker has been dismissed. The AEPD considered the reasons why an employee is dismissed as a "private matter that only concerns both parties involved and not third parties".

The AEPD said according to the response provided by the company, it acknowledged the cause of termination had been communicated to clients, but did not indicate a willingness to adopt measures to ensure it does not happen again.

The company must pay a 5,000-euro fine, which can be reduced to 3,000 for prompt payment.

Reporta un error en esta noticia

* Campos obligatorios