A couple of months ago, we commented in this same forum that the Spanish Data Protection Agency (AEPD) had fined a political party 2,000 euros for sending an email to 241 recipients without using the blind carbon copy (BCC) option, thus revealing the personal information and data of dozens of users to third parties. In the same vein, at the end of 2020, a law firm in Girona made the same mistake and was fined 10,000 euros by the highest institution in the field of data protection in our country. Now, the same public body has fined a company 9,000 euros for the same error: sending an email to its customers without using the blind copy option.

The case

As stated by the complainant in its complaint to the AEPD, the respondent, a merchant engaged in the sale of real estate on its own account, sent an email to multiple recipients, revealing their email addresses to third parties without their consent.

The complaint was forwarded to the company so that it could analyze it and inform the Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations. The respondent did not reply. Likewise, after the complaint was admitted for processing, the merchant did not submit any allegations.

A 9,000-euro penalty

The AEPD considers that the respondent, by sending an email to multiple recipients without using the blind copy (BCC) option, “has transferred its data to third parties without cause to legitimize it” and, therefore, “has processed your personal data against the law”.

When we send an email to several users outside our organization, we must be cautious and use the blind copy (BCC) option.

The institution headed by Mar España Martí considers that the company has violated Articles 5.1 f) and 32 of the GDPR: it breached the principle of integrity and confidentiality, and it failed to take the security measures necessary to protect its customers' personal data, by not using the blind copy (BCC) option when sending the email.

Thus, taking into account the special link between the data controller and the processing of personal data, the AEPD decides to fine the respondent merchant 9,000 euros. Of that amount, 6,000 euros derive from the infringement of Article 5.1 f) of the GDPR, and the remaining 3,000 euros from the infringement of Article 32 of the same legal text.