
Security firm fined under GDPR after employee used WhatsApp to transfer personal information


On 10 July 2020, the AEPD, Spain's data protection authority, initiated a sanctioning procedure to fine the Barcelona Airport Security Guard Association (AVSAB) under the GDPR.

The case found that a member of the AVSAB security group had used WhatsApp to send messages containing personal information about employees to private phone numbers.

The AEPD had multiple concerns about this practice, and ultimately found that this breached the integrity and confidentiality principle of GDPR.

The integrity and confidentiality principle states that you must have appropriate security measures in place to protect the personal data you process. This principle is commonly referred to as the security principle. 

Transferring personal data through a third-party system like WhatsApp undermines this principle in several ways. In effect it is a data leak: the personal data is now held on personal devices, outside the controller's control, that are unlikely to have the required cybersecurity protections in place.

This case reminds us that the data controller is responsible for data processing at every level. Even though they may have had adequate protections in place for their own systems, they are still responsible for what employees do with that data. The fine and legal responsibility falls on the organisation, not the individual.

If the committee member who shared this data had been trained properly, things might have been different.

Author

  • Scott Dooley

    Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance. With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development. Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
