The Spanish data protection supervisory authority, the AEPD, has imposed a fine of EUR 2 000 on a lawyer (Decision in the original in Spanish; German version via DeepL). The lawyer had summoned tenants of an apartment building in the course of proceedings. In doing so, he used documents on the back of which personal data of other tenants relevant to the proceedings, as well as the name of a minor, could be seen.
The AEPD considered this to be a violation of Article 32 (1) of the GDPR because the controller had not taken appropriate technical and organizational measures within the meaning of that provision. Apparently, the lawyer should have blacked out the data of the third-party tenants. This breach was negligent and affected sensitive data.