Practical guide · GDPR

Can the AEPD fine a town council for failing to anonymise documents?

8 min read

When a decision on improper disclosure of personal data becomes public, a common question arises: can the Spanish Data Protection Agency impose a financial fine on a town council?

The answer requires distinguishing between the existence of a breach and the type of consequence available. A public authority can breach the GDPR and the LOPDGDD, be investigated, receive corrective measures and see the decision made public. However, certain public entities are subject to the specific regime of article 77 of Spain's Organic Law 3/2018.

What article 77 of the LOPDGDD establishes

Article 77 applies, among others, to public authorities and their public bodies. When one of these controllers or processors commits a breach, the supervisory authority issues a decision declaring the infringement and setting, where appropriate, the measures needed to stop the conduct or correct its effects.

This regime excludes the administrative fine provided for in Article 58(2)(i) of the GDPR for the entities within its scope. Presenting every decision against a council as a financial fine is therefore technically inaccurate.

Official source: Article 77 of Organic Law 3/2018 (BOE).

So does a municipal breach have no consequences?

No. The absence of an ordinary fine doesn't mean the breach has no effect. The decision may require the council to remove documents, produce anonymised versions, change procedures and review the actions of the responsible units.

  • Public declaration of the infringement.
  • Removal or replacement of published documents.
  • Mandatory technical and organisational measures.
  • Communication of the decision to the Ombudsman or equivalent regional institution.
  • Possible proposal of disciplinary action where sufficient evidence exists.
  • Reputational damage and loss of public trust.

The Los Alcázares case: concrete measures for unredacted minutes

The Los Alcázares Town Council published plenary minutes with a resident's name, their request to pay taxes in instalments and the amounts owed. The AEPD required removal of the full minutes and adoption of general anonymisation criteria for minutes, resolutions and decisions.

Official source: Case File E/01062/2016.

When a town council must anonymise documents

  • Plenary and governing board minutes.
  • Mayoral resolutions and decrees.
  • Procurement and subsidy files.
  • Tax and enforcement documentation.
  • HR and recruitment information.
  • Social services, health and minors' files.
  • Responses to freedom-of-information requests.

How anonimIA helps

anonimIA lets public authorities embed anonymisation into their document workflow, with automated detection, review and traceability.

Do you anonymise documents daily?

Stop redacting by hand. Automate it with anonimIA.

Upload your PDFs and get GDPR-compliant anonymised documents in seconds.

Try it free