Practical guide · GDPR
€15,000 fine for publishing employee data without anonymisation
An internal publication can also breach the confidentiality of personal data. Proceeding PS/00447/2023 of the Spanish Data Protection Agency ended with a €15,000 fine against Dimagaza for exposing collective dismissal documentation without anonymisation.
The case is useful because it illustrates three common mistakes: reusing the full copy of a case file, failing to review annexes and assuming an internal notice board is by itself a sufficient security measure.
Which document was published?
The company posted the final minutes of the consultation period of a collective dismissal procedure on a notice board. The body of the minutes included data on four workers and the annex incorporated a wider list of affected people.
Visible data included names and surnames, national ID numbers, social security numbers, dates of birth, positions, professional groups, seniority, workplaces, provinces and contribution account codes. The AEPD's 2024 annual report notes that the list covered 43 dismissed workers.
Why did the AEPD impose the sanction?
The AEPD assessed the case against the duty to apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The information was left exposed without anonymisation and the board had no enclosure limiting access.
The Agency found a breach of Article 32 of the GDPR. The initially proposed sanction of €30,000 was reduced to €15,000 in view of circumstances such as the final duration and the company's turnover.
Official source: Decision PS/00447/2023.
Official source: AEPD 2024 Annual Report.
An internal board doesn't remove the risk
Data protection isn't limited to publications on the internet. Exposure inside an organisation can grant access to people who don't need to know all the information in the document.
The annex was central to the problem
In many case files the first page carries little personal information while the annexes concentrate full lists of affected people. A superficial review can leave visible precisely the highest-risk data.
How to avoid a similar exposure
- Separate the original case file from the version intended for disclosure.
- Decide which groups need access to each version.
- Review the full document and every annex.
- Hide the data that isn't necessary for the specific purpose.
- Validate the final file before placing it on a board, intranet or portal.
- Keep a log of who prepared and approved the anonymised version.
Frequently asked questions
Can a list of workers be posted on an internal board?
It depends on the purpose, legal basis, recipients and data involved. Being inside the company doesn't allow indiscriminate exposure of personal information from the file.
Does removing the document later avoid the fine?
Removal and corrective measures may be valued, but they don't automatically erase the breach already committed.
How anonimIA helps
anonimIA detects personal data in documents and prepares a reviewable version before disclosure, keeping human control over the outcome.
Do you anonymise documents daily?
Stop redacting by hand. Automate it with anonimIA.
Upload your PDFs and get GDPR-compliant anonymised documents in seconds.
Try it free