Fine of 4,000 euros for adding a former client to a WhatsApp group: they did not protect her personal data or have her consent
The Spanish Data Protection Agency (AEPD) has fined a sports club in Córdoba with 4,000 euros for adding a former partner to a WhatsApp group for commercial purposes without your permission, ten years after the relationship between the two had ended and without guaranteeing the confidentiality of your personal information, according to the sentence of this case. In total, the public body has found the company guilty of four infractions sanctioned with 1,000 euros each.
And the fine could have been even higher, since the AEPD specifies in the text that for infractions of this type the sanction can reach 20 million euros or the amount equivalent to 4% of the annual business volume if it is a company . However, the agency has considered in this case that it is an “unintentional negligent action”, which is why the final amount has been less.
The first of the infractions in which the sanctioned sports entity incurred was to keep the personal data of the complainant for ten years after the woman had ceased to be a client. The law specifies that Personal information collected by a company will not be kept for longer than necessary for the purposes for which it was collected., nor will it be used for any other purpose.
That is, if the person provided their data for registration as a member, in order to be able to access the sports facilities, that information should have been deleted when she stopped being a customer and, in no case, can it be used to try to capture it again.
The second of the infractions has to do with consent. The sanctioned company used the telephone number of the affected party, which is considered personal data, without obtaining her authorization to send her commercial information, which is also against the law, which specifies that the treatment will only be lawful if the interested party gave their permission for the processing of their personal data for that purpose or specific purposes.
In addition, by including the telephone number of the affected person in a group with more people, the sports club did not guarantee the confidentiality of the complainant, a fact that involves two more offenses.
The case would have been very different if, instead of a group for commercial purposes, the affected person had been added to a personal collective chat, that is, of friends or family. In this case, the law specifies that “the regulation does not apply to the processing of personal data carried out by a natural person in the exercise of exclusively personal activities the domestics”.