Spain: GDPR fine against lawyer

The Spa­nish data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the,has impo­sed a fine of EUR 2 000 on a lawy­er (Deci­si­on in the ori­gi­nal in Spa­nish; Ger­man ver­si­on via DeepL). The lawy­er had sum­mo­ned ten­ants of an apart­ment buil­ding in the cour­se of pro­ce­e­dings. In doing so, he used docu­ments on the back of which per­so­nal data of other ten­ants rele­vant to the pro­ce­e­dings could be seen, but also the name of a minor.

The AEPD con­si­de­red this to be a vio­la­ti­on of Arti­cle 32 (1) of the GDPR becau­se the con­trol­ler had not taken appro­pria­te tech­ni­cal and orga­niz­a­tio­nal mea­su­res wit­hin the mea­ning of Arti­cle 32 (1) of the GDPR. Appar­ent­ly, the lawy­er should have blacked out the data of the third par­ty ten­ants. This bre­ach was negli­gent and affec­ted sen­si­ti­ve data.