Practical guide · GDPR
Health data left unredacted: the email that ended in a warning
An attachment sent by mistake can turn an internal communication into a disclosure of specially sensitive data. This happened in a proceeding decided by the Spanish Data Protection Agency against the Unión Sindical Obrera in the Valencian Community.
The case shows that documents used by health and safety committees, prevention services, HR units and trade union representatives need strict controls before being sent by email.
What happened?
On 8 February 2024 a meeting of the Health and Safety Committee of the Provincial Council of Castellón was held. The documentation shared with members included a report with information related to medical examinations and health surveillance protocols.
The same day, a union prevention officer sent an email to worker contacts available to them. The message attached the meeting documentation, including the report with personal data left unredacted.
Why health data enjoys reinforced protection
Article 9 of the GDPR includes data concerning health among the special categories of personal data. Processing is prohibited in general and only allowed when one of the specific exceptions applies.
The AEPD's decision
The Agency found that the union had disclosed workers' personal data, including health data, without anonymisation. The decision issued a warning against the Unión Sindical Obrera in the Valencian Community for a breach of Article 9 of the GDPR.
Official source: Decision PA/00041/2025.
The risk isn't only in the body of the email
Many organisations review recipients and message text but don't apply the same control to attachments. A document may have circulated correctly within a restricted committee yet be unsuitable for wider distribution.
How to avoid sending health data unredacted
- Classify documents that contain special categories of data.
- Limit access to people who need the full information.
- Produce aggregate or anonymised versions for broad communications.
- Always review attachments before sending or forwarding an email.
- Avoid general distribution lists for sensitive documentation.
- Establish a validation step whenever the file includes health data.
- Train staff, representatives and collaborators on the risks of forwarding.
How anonimIA helps
anonimIA helps locate personal data and sensitive categories before sharing documentation, adding a verifiable review to your emails and publications.
Do you anonymise documents daily?
Stop redacting by hand. Automate it with anonimIA.
Upload your PDFs and get GDPR-compliant anonymised documents in seconds.
Try it free