(Foto: Economist & Jurist)
The parties had no relationship for more than ten years.
The Spanish Agency for Data Protection has sanctioned a sports club with a fine of 4,000 euros for including a former user of its entity in a WhatsApp group, without their prior consent.
Thus, the AEPD considers up to four precepts of the General Data Protection Regulation violated.
Claim
The affected user (claimant) files a claim with the AEPD against a sports club (claimed).
The reason on which you base your claim is that the respondent has included his mobile phone number in a WhatsApp group without previously requesting any consent or authorization.
In addition, the claimant informs that he was a user of the aforementioned sports center that is the object of this claim, but for more than ten years that he has no any relationship with the same.
After transferring said claim to the sports entity so that it can proceed to its analysis and report to the Agency of the actions carried out to adapt to the requirements provided in the data protection regulations, which never gave an answer </ strong > to such a requirement.
Penalty procedure
In July 2021, the Director of the AEPD agreed to initiate a sanctioning procedure for the accused, for the alleged violation of arts. 32, 5.1.e) and 6 of the GDPR.
In particular, in the present case it is considered that the complainant has processed the complainant’s personal data (mobile phone number) without their prior consent and, therefore, in violation of art. 6 of the GDPR.
In addition, contravene art. 5.1 e) of the RGPD, the sports center keeps your personal data even if the claimant has not been its client for more than ten years. It should be remembered that this precept indicates that the data may not be kept longer than necessary for the purpose for which they were taken.
On the other hand, providing the claimant’s mobile phone number to third parties and including it in a WhatsApp group is a violation of their confidentiality . Thus, in the opinion of the AEPD, the claimed security measures do not conform to the data protection regulations, assuming such facts two more offenses for contravening sections b) and d) of art. 32 of the GDPR.
Sanctions
Well, considering the Agency that we are facing an unintentional but significant negligent action (art. 83.2 b)) of the RGPD) since, despite the fact that the claimant has not been a client for more than ten years, the The claimed entity still keeps your personal data, the Director of the AEPD, Mar España Martí , imposes the following four sanctions on the sports club:
- For the violation of art. 6 of the RGPD, a fine of 1,000 euros;
- For the violation of art. 5.1 e) of the RGPD, a fine of 1,000 euros;
- For the violation of art. 32.1 e) of the RGPD, a fine of 1,000 euros;
- For the violation of art. 32.1 d) of the RGPD, a fine of 1,000 euros.