Sanction of €5,000 for informing the company's clients about the dismissal grounds of an employee
13 May 2024
The Spanish Data Protection Agency (hereinafter, AEPD) has imposed a sanction on a company which sent an e-mail to its clients informing them of an employee's disciplinary dismissal for professional malpractice.
The former employee filed a complaint before the AEPD, alleging that the company had breached the principle of minimisation, since the clients were informed of the grounds of his dismissal. In addition, when the former employee exercised his right of access to find out exactly which clients were provided with said information, the company merely stated that the clients contacted were those managed from his side (without providing their specific identification).
The two aspects analysed were:
(i) whether there had been a breach of the data minimisation principle regulated in Article 5(1)(c) GDPR, which requires that the data processed are "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"; and
(ii) whether the company correctly complied with the right of access or whether it was necessary to specify the identity of the customers to whom the data were addressed.
With regard to the first aspect, the AEPD concluded that:
(i) there has indeed been an infringement of Article 5.1.c) GDPR relating to the principle of data minimisation: the information relating to the grounds of the termination of his contract was unnecessary. In particular, the AEPD states that "the reasons for the termination of the employment relationship between employee and employer is a private matter which only concerns both parties and not third parties".
(ii) the company attended correctly to the employee's access request: the AEPD considers there was no infringement in this respect on the basis that the employee was perfectly aware of the portfolio of clients he had managed during his employment relationship.
The AEPD fined the company €5,000, concluding that there was (i) an infringement of one of the processing principles established in the GDPR, including the principle of minimisation classified in Article 72.1.a) Spanish Organic Data Protection Act (3/2018), and (ii) an aggravating circumstance of intentional action to cause harm to the claimant (Article 83.2.b) GDPR).
Authors: Carmen Gordillo, Associate; Cristina Grande, Counsel