The Spanish Data Protection Agency (AEPD) has sanctioned the worker of a fruit shop for taking the list of customers from the establishment and extracting the number of a client to link with it. An action that violates the General Data Protection Regulation (RGPD), as stated in the resolution of the file.
As stated in it, the woman denounced that, without prior consent, she was contacted by WhatsApp by the fruit worker, understanding that he had obtained her data as a result of a points card with which discounts could be obtained in local shops.
You may be interested
They catch it by 27 km/h above the limit and the police fine with 85,000 euros
The Labor Inspection is firm: a fine of 225,018 euros to a company for not collaborating in the identification of several workers who ran when they saw them
This contributed screenshots with messages sent by the employee in November 2022, who responded to a clearly personal content: “A vegan and sympathetic wapa girl who will be Jaajaj” (sent at 8:32 p.m.) and “I let you guess who I am” (sent at 20:33), being able to see the client who was treated by the profile photo of the same.
Since they had used their data, such as the phone, for non -commercial purposes (which is for what gave it), it filed a complaint against the fruit shop, as well as a complaint to the National Police. For its part, the company denied the accusations, defending that it was a usual client that had given them their personal number for the management of orders for perishable vegan products, contacting her by message to remind her that she had to collect an order, after they tried to call her “without success” (something they could not demonstrate).
Fine of 300 euros: messages had no commercial purposes
The Spanish data protection agency failed that the man, as a fruit employee with access to client data, obtained his personal information and sent him messages with a non -commercial purpose, since their content did not refer to any order.
In this case, the agency established that the worker was responsible for the processing of personal data, and not the establishment, since the messages were sent from their personal telephone number (and not in the name of the fruit shop). In addition, the content was “clearly of a personal nature” and did not act in compliance with its labor functions or following the instructions of the company.
“From the clearly personal content of the messages, in which the word” order “does not appear or notice in any case that there is a pending order to collect, together with the fact that the messages were sent from a BBB personal telephone number, it can be deduced that it sent such messages for its own account for personal purposes, and not by account of the fruit shop for contractual purposes,” he says, the resolution of the AEPD exposes.
Consequently, the AEPD failed that the employee had incurred an infraction of article 6.1 of the General Data Protection Regulation, when dealing with the personal data of the client without a basis of legality. Therefore, they imposed a fine of 300 euros.