
AEPD Resolution: EXP202404630

Resolution Signed: 23/01/2026

AEPD Reference Number: EXP202404630

Sanction Procedure Number: PS-00315-2024

Fine Amount: €0

Full Description

On 1st March 2024, an employee (A.A.A.) filed a complaint with the Spanish Data Protection Agency against her employer, DIVERSSO CLUB 2018, S.L., a company established in 2018 with annual revenues of €88,367 (as of 2022). The employee alleged serious breaches of her privacy and data protection rights in how the company handled and disseminated a workplace disciplinary sanction imposed against her.

The Dual Privacy Violation: The complaint centred on two separate but related disclosures that occurred on 21st February 2024:

1. Physical Notice Board Display

The employer displayed the employee's disciplinary sanction on a physical notice board (tablón) within the workplace. The document was placed in a plastic sleeve and hung in an area accessible to other employees. The displayed sanction included:

  • The employee's full name and surname
  • Details of the disciplinary infraction
  • The sanctions imposed

This meant that any colleague walking past the notice board could read the employee's full name and the reasons for her disciplinary action—information that had nothing to do with their work duties.

2. WhatsApp Group Distribution

More egregiously, the employer also shared the disciplinary sanction document in a company WhatsApp group. This group comprised multiple members of the company's workforce (described as "part of the staff members"). The evidence showed:

  • A screenshot of the company WhatsApp group conversation
  • A document labelled "sanción" (sanction) was distributed in the group
  • The document clearly displayed the employee's full name and surname
  • The message was timestamped, confirming the date of dissemination

The Evidence: The complainant provided photographic and digital evidence supporting both allegations:

  • A photograph showing the sanction hung on the notice board in its plastic sleeve, with her name and details visible
  • A screenshot from the WhatsApp group showing the sanction document being shared, with her name clearly legible in the preview

The AEPD's Investigation: Following standard procedure, on 4th April 2024, the AEPD transferred the complaint to DIVERSSO CLUB 2018, S.L., requesting an explanation and information about actions taken to comply with data protection requirements. The company received this notification but completely ignored it—no response was ever provided.

On 1st June 2024, the AEPD formally admitted the claim for processing, confirming that the allegations warranted full investigation.

The Sanction Procedure: On 3rd February 2025, the AEPD issued a formal agreement to initiate sanction proceedings against DIVERSSO CLUB 2018, S.L. for alleged infringement of Article 5.1(f) RGPD (the integrity and confidentiality principle, also known as the security principle). This article requires that personal data be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing."

The AEPD attempted to notify the company of the sanction proceedings through postal mail, but delivery failed. In accordance with administrative procedure law, the notice was then published in the Official State Gazette (Boletín Oficial del Estado - BOE) on 19th February 2025, providing the company with an opportunity to submit allegations or defences.

Radio Silence: The company never responded. No allegations were filed, no explanations provided, no defences offered. The procedural deadline passed with complete silence from DIVERSSO CLUB 2018, S.L.

The Unexpected Development: On 12th November 2025, an announcement appeared in the Official Mercantile Registry Gazette (Boletín Oficial del Registro Mercantil - BORME) declaring the extinction (dissolution) of DIVERSSO CLUB 2018, S.L. The company had ceased to exist as a legal entity.

The Legal Consequence: Spanish administrative law, specifically Article 28.1 of Law 40/2015 on the Legal Regime of the Public Sector, establishes a fundamental principle: "Only natural persons and legal entities, as well as groups, unions and entities without legal personality when a law recognises their capacity to act, and independent or autonomous estates, who are responsible for them by way of intent or negligence, may be sanctioned for acts constituting an administrative infringement."

In simpler terms: you can only sanction an entity that has legal capacity to be sanctioned. Once a company is dissolved and its legal personality extinguished, it ceases to be a subject capable of bearing administrative responsibility.

The Archival Decision: Despite clear evidence of GDPR violations, the AEPD was legally compelled to archive the sanction procedure. The company's dissolution eliminated one of the essential elements required for administrative sanctions: the existence of a legal subject with capacity to act and be held responsible.

Important Legal Nuance: This archival does NOT mean:

  • The company did nothing wrong
  • The violations didn't occur
  • The employee's rights weren't breached

Rather, it means that the procedural vehicle for imposing sanctions (the sanction procedure against DIVERSSO CLUB 2018, S.L.) became legally impossible once the respondent ceased to exist as a legal entity.

What Happened to the Employee? The resolution doesn't address this, but the archival means:

  • No fine was imposed on the (now dissolved) company
  • No corrective measures could be ordered (there's no entity to comply)
  • The employee received official confirmation that violations occurred (the AEPD's findings of fact)
  • But she received no tangible remedy through the data protection enforcement process

The employee might still have recourse through:

  • Labour courts (for workplace discrimination or unfair treatment claims)
  • Civil liability claims against the company's former directors/shareholders
  • Criminal complaints if the actions constituted criminal offences

Articles Infringed

Article 5.1(f) RGPD (Integrity and Confidentiality Principle): DIVERSSO CLUB 2018, S.L. failed to process the employee's personal data "in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures." By displaying the disciplinary sanction on a public notice board accessible to all employees and distributing it via WhatsApp group to multiple staff members, the company processed personal data (the employee's name, surname, and disciplinary details) in a manner that failed to ensure appropriate security against unauthorised or unlawful processing. Classification: Very serious infringement under Article 83.5(a) RGPD, with potential fines up to €20 million or 4% of global annual turnover (whichever is higher). However, due to company dissolution, no fine could be imposed.

Actionable Steps

Based on Resolution EXP202404630, employers must implement the following protocol for handling employee disciplinary actions whilst respecting data protection:

1. The Need-to-Know Principle for Disciplinary Matters

Workplace discipline is a private matter between employer and employee unless there's a specific legal or operational reason to disclose it more widely.

Action:

  • Default Rule: Disciplinary sanctions should be communicated ONLY to:
    • The affected employee
    • Their direct supervisor (if necessary for implementation)
    • HR personnel responsible for maintaining employment records
    • Legal/compliance officers (if legally required)
  • Never Disclose To:
    • Other employees not directly involved in the disciplinary process
    • General staff WhatsApp/Slack groups
    • Public notice boards accessible to the entire workforce
    • Social media or external platforms

Legal Basis: Article 5.1(c) RGPD (data minimisation) and Article 5.1(f) RGPD (security) require limiting access to personal data to those who genuinely need it for legitimate purposes.

2. WhatsApp Groups are NOT Secure Communication Channels

Sharing employee disciplinary information via WhatsApp group is a serious GDPR violation.

Why This is Prohibited:

  • WhatsApp groups lack access controls (any member can screenshot and forward)
  • Messages persist on multiple devices
  • Group membership may include people without need-to-know
  • No audit trail of who accessed the information
  • Violates confidentiality obligations under employment law and GDPR

Correct Communication Channels for Disciplinary Matters:

  • Registered postal mail to employee's address
  • Secure email to employee's company email address
  • In-person delivery with signed acknowledgement
  • Secure employee portal with access logs
  • Official HR management system with role-based access control

Absolute Rule: NEVER use group messaging apps (WhatsApp, Telegram, Signal) for individual employee disciplinary communications.

3. Notice Boards Require Strict Content Control

Physical notice boards in workplaces serve legitimate purposes (health & safety notices, legal postings, company announcements), but they are NOT appropriate for individual employee data.

What CAN Be Posted on Public Notice Boards:

  • General health and safety information
  • Legally required postings (labour law notices, equal opportunities policies)
  • Company-wide announcements (holiday schedules, policy updates)
  • Anonymous aggregated information (company performance, team achievements)

What CANNOT Be Posted:

  • Individual employee disciplinary sanctions
  • Employee performance reviews
  • Personal employee information (salaries, medical conditions, absences)
  • Photographs or personal data of individual employees without consent

Best Practice: If you must use notice boards for employee communications, create separate, access-controlled boards in HR offices or management areas that are not accessible to general staff.

4. Data Protection Impact of Labour Law Compliance

Some employers mistakenly believe that labour law requirements to "communicate" sanctions justify broad disclosure.

Critical Distinction:

  • Labour Law Requires: That the employee receives formal notification of their sanction (for fairness, right to defence, and potential appeals)
  • Labour Law Does NOT Require: That other employees be informed

Spanish Context: Under the Workers' Statute (Estatuto de los Trabajadores), disciplinary sanctions must be communicated to the affected worker and their legal representatives (union representatives, works council) in certain circumstances. But this does NOT mean posting sanctions publicly or sharing them in staff WhatsApp groups.

Proper Protocol:

  1. Notify the affected employee in writing (registered mail or in-person delivery)
  2. Notify employee representatives if required by collective bargaining agreement
  3. Record the sanction in the employee's confidential HR file
  4. Do NOT disclose to general workforce

5. Understand "Unlawful Processing" Under Article 5.1(f)

Article 5.1(f) RGPD prohibits "unauthorised or unlawful processing."

What Constitutes "Unlawful Processing" in Employment Context:

  • Processing employee data for purposes not covered by the employment relationship
  • Disclosing employee data more widely than necessary for legitimate business purposes
  • Using employee data to embarrass, humiliate, or punish beyond the scope of legitimate disciplinary action
  • Sharing confidential employee information with colleagues who have no operational need to know

In This Case: The employer's actions were "unlawful" because:

  • No legitimate employment purpose justified informing other employees of the sanction
  • The disclosure exceeded what was necessary to implement the disciplinary measure
  • The method (public notice board, WhatsApp group) showed disregard for confidentiality

6. The "Public Shaming" Risk

Displaying disciplinary sanctions publicly can constitute:

  • GDPR violations (as confirmed here)
  • Workplace harassment under labour law
  • Breach of employment contract (implied duty of confidentiality)
  • Potential defamation (if information is false or misleading)
  • Violation of dignity and privacy rights under Spanish Constitution Article 18

Employer Liability: Even if the sanction itself was justified, the method of communication creates separate legal violations.

Risk Assessment Question: "Would I want my disciplinary matters shared with all my colleagues?" If the answer is no, don't do it to your employees.

7. Corporate Dissolution Does Not Erase Wrongdoing

DIVERSSO CLUB 2018, S.L. avoided fines through dissolution, but this is NOT a recommended strategy.

Why Dissolution Doesn't "Work":

  • Directors and shareholders can face personal liability for serious misconduct
  • Dissolution doesn't prevent civil claims from affected individuals
  • Criminal liability (if applicable) transfers to responsible individuals
  • Reputational damage persists (this resolution is public)
  • Directors may be disqualified from serving on other company boards

Practical Reality: Most employers dissolve due to financial failure, not to escape GDPR fines. This case likely involved business collapse, and the timing (November 2025 dissolution, after February 2025 sanction proceedings) suggests the company was already in distress.

8. Employee Rights Don't Disappear with Company Dissolution

Although the AEPD archived the procedure, the affected employee retains rights:

Potential Remedies Still Available:

  • Labour Courts: Claims for workplace harassment, breach of privacy, unfair treatment
  • Civil Liability: Claims against company directors/shareholders for damages caused by GDPR violations
  • Criminal Complaints: If the disclosure constitutes a criminal offence under the Spanish Criminal Code (e.g., disclosure of secrets, Article 197)
  • Compensation: Damages for moral harm, emotional distress, reputational damage

Evidence Preserved: The AEPD's findings of fact in this resolution (that the violations occurred) can support other legal proceedings.

9. Preventive Measures for Employers

To avoid similar violations:

A. Implement Clear Data Protection Policies:

  • Written policy on handling employee disciplinary information
  • Designated roles for who can access disciplinary records
  • Training for managers and HR on confidentiality obligations
  • Regular audits of notice board content

B. Use Secure Communication Systems:

  • Invest in proper HR management software
  • Implement role-based access controls
  • Maintain audit logs of who accessed what information
  • Avoid consumer messaging apps for business communications

C. Train Management:

  • Managers must understand that disciplinary matters are confidential
  • Never discuss employee discipline in team meetings or group chats
  • Communicate discipline through proper HR channels only

D. Document Everything:

  • Keep records of how sanctions were communicated
  • Maintain evidence of who had access to disciplinary information
  • If disclosure is necessary (e.g., to employee representatives), document the legal basis

10. The Intersection of Employment Law and Data Protection

Many employers view disciplinary processes purely through a labour law lens, forgetting that the GDPR also applies.

Key Principle: Employment law and data protection law operate simultaneously. Compliance with one doesn't excuse violations of the other.

Practical Application:

  • Employment Law Question: "What sanction is appropriate for this employee's misconduct?"
  • Data Protection Question: "How do I communicate this sanction whilst respecting the employee's data protection rights?"

Both must be answered correctly. A legally sound disciplinary sanction can become a GDPR violation through improper communication.

Summary of Business Risk

This resolution confirms that sharing employee disciplinary information beyond those with a need to know constitutes a serious GDPR violation. Whilst DIVERSSO CLUB 2018, S.L. avoided financial penalties through dissolution, the case establishes important precedent.

Actual Consequences in This Case:

  • Public AEPD resolution confirming violations (reputational damage)
  • Company dissolved (whether related to violations or separate financial issues)
  • Employee's evidence preserved for potential civil/labour claims
  • Directors potentially exposed to personal liability

Risks for Similar Conduct:

  • Fines up to €20 million or 4% of global annual turnover
  • Mandatory corrective measures (policy updates, staff training, audit requirements)
  • Civil liability claims from affected employees
  • Potential criminal charges for disclosure of secrets
  • Reputational damage (particularly in tight-knit industries)
  • Employee morale and trust issues

Critical Takeaway: Employee disciplinary matters are confidential by default. Unless there's a specific legal requirement or legitimate operational need, disciplinary information should never be shared beyond the affected employee, their direct supervisor, and HR personnel. Public notice boards and WhatsApp groups are never appropriate channels for individual employee disciplinary communications. The fact that labour law requires "communication" of sanctions means communication to the employee, not communication to the entire workforce.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for information purposes only. For more information, see our Aviso Legal (Legal Notice).
