ANRO Privacy Logo

AEPD Resolution: EXP202407584

Resolution Signed: 24/01/2026

AEPD Reference Number: EXP202407584

Sanction Procedure Number: AI-00346-2024 

Fine Amount: €0

Full Description

The Incident (The Unsolicited Job Offer): On 9 May 2024, a professional received an unexpected email in their personal inbox from someone identifying as the CEO of Blue Team Flight School, S.L., a Spanish aviation training company. The message, written in English, enquired about their current job satisfaction and whether they would be interested in hearing about a job opportunity. The following day, the same individual received a WhatsApp message (from a Greek mobile number) asking them to confirm receipt of the email. The complainant was alarmed because they had never shared their personal contact details with this company and had no idea how Blue Team obtained their email address and mobile number.

The Complaint: The complainant filed a GDPR complaint with the AEPD, alleging that Blue Team was processing their personal data without consent or lawful basis. They emphasised that they did not know who could have provided their contact information to the company.

The Investigation: The AEPD issued multiple information requests to Blue Team between September and October 2024. Despite valid electronic notifications (and postal follow-ups), Blue Team never responded to the AEPD's enquiries. However, the AEPD's investigation independently verified that the person who sent the email and WhatsApp message was indeed Blue Team's registered sole administrator, and that Blue Team's privacy policy identified the company as the data controller for personal data processed via its website.

The Core Ruling (Archive Without Sanction): Despite Blue Team's complete failure to cooperate with the investigation, the AEPD concluded that there was insufficient evidence to prove unlawful data processing beyond reasonable doubt. The AEPD acknowledged that whilst the complainant received unsolicited communications, the investigation could not definitively establish that Blue Team lacked a valid legal basis for processing the data. The AEPD applied the principle of presumption of innocence and the in dubio pro reo doctrine (when in doubt, favour the accused), concluding that without conclusive proof of illegality, no administrative infraction could be established.

Articles Infringed

Articles Examined (Not Infringed)

Article 6 GDPR (Lawfulness of Processing): The AEPD examined whether Blue Team had a lawful basis for processing the complainant's personal data. Whilst suspicious, the evidence was insufficient to conclusively prove unlawful processing, and the case was archived without sanction.

Actionable Steps

Based on Resolution EXP202407584, here is the compliance protocol for recruitment marketing and unsolicited outreach:

1. The "Presumption of Innocence" Shield (and Its Limits)

This case demonstrates that even when a company ignores the AEPD entirely, the regulator may archive the case if evidence is inconclusive.

Action: Whilst this may seem like a "win" for non-cooperation, businesses should never rely on this strategy. The AEPD explicitly noted that the archive is "without prejudice to possible future actions" if new evidence emerges. Future complaints could reopen the case with harsher consequences.

2. Document Your Legal Basis for Every Contact

Blue Team's silence left the AEPD unable to verify whether they had legitimate interest, consent, or another lawful basis.

Protocol: For every recruitment email or WhatsApp message sent, maintain records showing:

  • Where you obtained the contact data (LinkedIn public profile, referral, purchased list, networking event)
  • The lawful basis you relied upon (Article 6(1)(f) legitimate interest is common for B2B outreach)
  • Evidence that the person's data was publicly available or legitimately sourced

3. Responding to AEPD Enquiries Is Mandatory

Blue Team ignored repeated notifications (electronic and postal). This severely damaged their credibility.

Action: Assign a Data Protection Officer or compliance manager to monitor the official electronic notification system (Dirección Electrónica Habilitada). Failing to respond can result in fines up to €20,000 under Article 72.1(h) LOPDGDD for obstruction of the AEPD's investigative functions.

4. The "Legitimate Interest" Test for Recruitment Outreach

Even though the case was archived, recruitment firms should assess whether unsolicited contact passes the three-part legitimate interest test:

  • Necessity Test: Is contacting this person necessary for your recruitment business?
  • Balancing Test: Does your interest outweigh the person's privacy rights?
  • Safeguards: Did you provide an easy opt-out and transparency about data sources?

Action: If you cannot document all three elements, you should obtain explicit consent before contacting individuals via personal channels (especially WhatsApp).

5. Beware of "Cold Outreach" via Personal Channels

The complainant was contacted via personal email and a personal mobile number (not business channels).

Risk: Contacting someone's personal WhatsApp without a prior relationship may be viewed as intrusive and could trigger complaints. Courts and regulators are increasingly sceptical of "legitimate interest" claims for marketing via personal messaging apps.

Best Practice: Restrict cold outreach to professional channels (LinkedIn InMail, business email) and always include clear opt-out language.

Summary of Business Risk

This case was archived due to evidentiary gaps, not because Blue Team acted lawfully. Companies relying on "legitimate interest" for recruitment outreach must document their legal basis meticulously. Ignoring AEPD enquiries is a separate sanctionable offence. Whilst Blue Team avoided a fine here, future complaints with stronger evidence could result in penalties, particularly if the AEPD finds a pattern of unsolicited contact via personal channels.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice.
