On 10th July 2020, the AEPD, Spain's data protection authority, initiated a sanctioning procedure to fine the Barcelona Airport Security Guard Association (AVSAB) under the GDPR.
The case found that a member of the AVSAB security group had used WhatsApp to send messages containing personal information about employees to private phone numbers.
The AEPD had multiple concerns about this practice, and ultimately found that this breached the integrity and confidentiality principle of GDPR.
The integrity and confidentiality principle states that you must have appropriate security measures in place to protect the personal data you process. This principle is commonly referred to as the security principle.
Transferring personal data through a third-party system like WhatsApp undermines this in many ways. Effectively this is a data leak, as personal data is now available on personal devices that are unlikely to have the required cybersecurity protections in place.
This case reminds us that the data controller is responsible for data processing at every level. Even though they may have had adequate protections in place for their own systems, they are still responsible for what employees do with that data. The fine and legal responsibility fall on the organisation, not the individual.
If the committee member who shared this data had been trained properly, things might have been different.