4,000 euro fine for adding a former customer to a WhatsApp group: they did not protect her personal data and did not have her consent

  • Thursday, Sep 15, 2022

    The Spanish Data Protection Agency (AEPD) has fined a sports club in Cordoba 4,000 euros for adding a former member to a WhatsApp group for commercial purposes without her permission. According to the ruling in this case, the club did so ten years after the relationship between the two had ended and without guaranteeing the confidentiality of her personal information. In total, the public body has found the company guilty of four infringements punishable by 1,000 euros each.

    And the fine could have been even higher, since the AEPD specifies in the text that for infringements of this type the penalty can reach 20 million euros or the amount equivalent to 4% of the annual turnover if it is a company. However, the agency has considered in this case that it is an “unintentional negligent action”, which is why the final amount has been lower.

    The first of the infringements committed by the sanctioned sports entity was keeping the complainant's personal data for ten years after the woman had ceased to be a client. The law specifies that personal information collected by a company shall not be kept for longer than necessary for the purposes for which it was collected, nor shall it be used for different purposes.

    In other words, if the person provided their data for registration as a member, in order to be able to access the sports facilities, that information should have been deleted when they ceased to be a client and, under no circumstances, can it be used to try to recruit them again.

    The second of the violations has to do with consent. The sanctioned company used the data subject's telephone number, which is considered personal data, to send her commercial information without obtaining her authorization. This is also against the law, which specifies that processing is only lawful if the data subject has given her permission for the processing of her personal data for one or more specific purposes.

    In addition, by including the phone number of the data subject in a group with more people, the sports club did not guarantee the confidentiality of the complainant, a fact that entails two further infringements.

    The case would have been very different if, instead of a group for commercial purposes, the complainant had been added to a personal group chat, i.e. one of friends or family members. In that case, the law specifies that “the regulation does not apply to the processing of personal data carried out by a natural person in the exercise of exclusively personal or domestic activities”.
