Practical guide · GDPR
Fines for failing to anonymise documents: 4 real AEPD cases
Publishing a document without proper anonymisation can trigger the immediate removal of the information, the opening of proceedings before the Spanish Data Protection Agency (AEPD), corrective measures and, in certain cases, a financial fine.
The risk isn't limited to uploading files to a website. It can also happen when posting documents on a notice board, sending an email attachment, responding to a freedom-of-information request or reusing a court ruling without reviewing every identifier.
The following cases are real and show why anonymisation must be part of the standard document publishing and communication workflow.
Do all sanctions for failing to anonymise end in a fine?
No. The consequences depend on the type of entity, the nature of the data, the number of people affected, the scope of the disclosure and the measures taken after the incident.
A private company can be fined. For public bodies covered by article 77 of Spain's Organic Law 3/2018, the data protection authority declares the infringement and can impose measures to stop the conduct or correct its effects. The decision may be made public and generate internal, organisational and disciplinary obligations.
Case 1: €15,000 fine for publishing employee data
The company Dimagaza posted the final minutes of a collective dismissal procedure and its annex on a notice board. The documentation included names and surnames, national ID numbers, dates of birth, social security numbers, positions, seniority and workplaces.
The AEPD found that appropriate technical and organisational measures had not been applied to protect the confidentiality of the information. The decision imposed a €15,000 fine for breaching article 32 of the GDPR. The Agency's annual report identifies 43 affected workers.
Official source: AEPD Decision PS/00447/2023.
Official source: AEPD 2024 Annual Report.
Case 2: a town council published a resident's tax debts
The Los Alcázares Town Council openly published the minutes of a plenary session that included a resident's name and surnames, their request to pay unpaid taxes in instalments and the amounts owed.
The AEPD concluded that this data was excessive for the purpose of reporting municipal activity. The Council had to remove the full minutes, publish an extract and adopt as a general rule the anonymisation of personal data included in minutes, resolutions and decisions.
Official source: AEPD Case File E/01062/2016.
Case 3: a court ruling published with the national ID visible
A digital legal journal published a court ruling online without anonymising the national ID number of one of the people mentioned. The identifier could be found via a Google search.
The AEPD found a breach of the rules then in force and issued a warning to the company. The entity had replaced the data, requested its removal from search engines and adopted corrective measures, but those later actions did not erase the breach already committed.
Official source: AEPD Decision A/00040/2011.
Case 4: health data sent by email without anonymisation
A representative of the Unión Sindical Obrera trade union in the Valencian Community forwarded by email documentation used in the Health and Safety Committee of the Provincial Council of Castellón. The file contained personal data of workers and information related to medical examinations and health protocols, without anonymisation.
The AEPD considered that the disclosure involved special categories of data and issued a warning to the union for breaching article 9 of the GDPR.
Official source: AEPD Decision PA/00041/2025.
What these four cases teach us
All the documents served legitimate purposes: reporting on a labour procedure, publishing the activity of a plenary session, disseminating a court ruling or communicating documentation to employees. The problem was using a version that contained more personal data than necessary or that was made available to unauthorised recipients.
- The full version of a case file should not automatically become the public version.
- Annexes, tables and attachments require the same review as the main document.
- Removing only the name may be insufficient if the remaining data still identifies the person.
- Later removal reduces impact but does not necessarily erase the breach.
- The organisation must be able to prove who reviewed the document and which version was finally published.
How to reduce the risk before publishing
- Define the purpose of the publication and its recipients.
- Detect direct and indirect identifiers across the whole file.
- Generate a specific copy for publication or delivery.
- Review the final result, including annexes, signatures, QR codes and visible metadata.
- Log the validation and keep traceability of the process.
Frequently asked questions
What is the fine for publishing a document without anonymisation?
It depends. GDPR fines can reach very high figures, but in practice they depend on the type of data, the number of people affected and the measures taken by the organisation. Public bodies are not fined but do face a declaration of infringement and corrective measures.
Do only documents published on the internet need to be anonymised?
No. Documentation sent by email, posted on notice boards, shared with third parties or delivered in response to access requests must also be reviewed.
How anonimIA helps
anonimIA detects and hides personal data in documents before publication or delivery, with full process traceability. Request a demo and see how to add anonymisation to your organisation's standard workflow.
Do you anonymise documents daily?
Stop redacting by hand. Automate it with anonimIA.
Upload your PDFs and get GDPR-compliant anonymised documents in seconds.
Try it free