The Spanish Data Protection Agency (AEPD) has fined 12,000 euros to the training academy Sean Seria for publishing on its website the results of a competition process of the Galician Health Service (SERGAS) where participants’ data appeared.
In July 2021, an academy student filed a complaint with the AEPD after realizing that her name and surname appeared on the company’s website. The URL also contained the identification data of 95 more candidates, with the DNI anonymized and the notes broken down into “competition and competition”. The latter distinguished between training, experience and other activities where the order number also appeared.
Therefore, the AEPD forwarded it to the complaining party so that it could carry out its analysis and arguments within one month, but did not reply until January, when the sanctioning procedure was initiated for the alleged infringement of Article 6.1 of the Data Protection Regulation.
The academy claimed that its purpose was to provide the list to students so that they could verify whether their score gives them access to the job or not.
THEY THOUGHT IT WAS A PROCESSING OF PUBLIC PERSONAL DATA
The academy also added that when the list was published on the SERGAS website and in the Galician Official Journal, they considered that “it could be a public personal data processing” and therefore understood that the rights and freedoms of the persons concerned did not prevail.
The reason for the publication on its website was “to publicize the results published by SERGAS since many of the participants in the selection process were students of the academy” and the information was public.
In addition, the company said that before publishing the list they carried out a “regulatory compliance analysis” in order to confirm whether or not such publication could involve a breach of the Data Protection regulations.
They concluded that the information was already published on the SERGAS website and “it was previously anonymized» because the ID of the students had been hidden. For “the name and surname of only one person should not be considered personal data because there are numerous people who coincide in name and surname».
«DISPROPORTIONATE PENALTY»
But the AEPD reproached them that the privacy policy of the website did not reflect this treatment and that, in the publication of the prepared list does not indicate where the data came from, nor the right to object and that, based on a legitimate interest of the treatment, it should be offered.
Finally, they added that it was the only time they had done so and that they corrected the error by deleting the web, so they requested a warning of 600 euros instead of an administrative sanction of 12,000 considering that it was disproportionate to be a micropyme.
But Data Protection has ignored his request and has finally decided to fine him with 12,000 euros for a violation of article 6.1 of the GDPR, typified in article 83.5 a) of the GDPR.