News

Source : PS-00395-2021

?? Facts:

In response to negative reviews left by customers on Google, a Spanish café published the personal data of its former employee:

·       Response to negative reviews:

• ? The company identified the reviewer as a friend of the former employee.
• ? It disclosed personal information such as her full name and details about her disciplinary actions (dismissal, suspension of salary for "serious and very serious" misconduct).

·       Attempt to defend the company’s reputation:

• ?? The goal was to justify the negative reviews by implying they came from a circle of acquaintances of the former employee.
• ?? The company tried to discredit the former employee and her connections to protect its public image.

? The former employee filed a complaint with the AEPD.

?? Violations Identified:
1?? Breach of the Duty of Confidentiality (Article 5.1.f of the GDPR):

• Failure to maintain the security and confidentiality of personal data.

2?? Violation of Lawful Processing (Article 6.1.a of the GDPR):

• Data was processed without consent or any other legitimate legal basis.

? Consequences :

• ?? April 28, 2022:
• Administrative fine: €1,500.
• Requirement: Remove the personal data from the comments.
• Corrective measures: Implement actions to ensure compliance.