
AEPD Resolution: EXP202413550

Resolution Signed: 24/01/2026

AEPD Reference Number: EXP202413550

Sanction Procedure Number: AI-00048-2025 

Fine Amount: €0

Full Description

The Incident (The Funeral Invoice Mix-Up): A woman arranged funeral services for her deceased father through a Spanish funeral home. When the company attempted to send the invoice, an administrative employee telephoned what they believed was the client's contact number to request her email address. The person who answered the call falsely identified herself as the client and provided two email addresses where the invoice should be sent. The funeral home's staff, believing they were speaking with the legitimate client, emailed a copy of the funeral invoice to both addresses. One of those email addresses belonged to a third party—later revealed to be the client's sister—who had deliberately impersonated her sibling during the phone call.

The Complaint: The actual client filed a GDPR complaint, stating she never consented to having her funeral invoice (containing personal and financial data) sent to anyone else. She emphasised that the telephone number the funeral home called was not hers and that she had previously clarified this fact. She was outraged that her sensitive bereavement-related information had been disclosed to a family member without authorisation.

The Funeral Home's Defence: The company explained that when they collected the deceased, the sister had been the person who reported the death and provided her own phone number, which was recorded in their IT system (FIORI). During the formal service contract signing, the actual client provided her details, but the staff member did not cross-check or correct the pre-existing phone number, nor did they collect an email address at that time. Days later, when administration called the number on file to request an email address for invoicing, the sister answered, falsely identified herself as the client, and provided two email addresses (her own and another). The funeral home, acting in good faith, sent the invoice to both addresses. When the real client complained, the funeral home immediately contacted the sister, asking her to delete the email and invoice, and sent a formal written apology to the client.

The Core Ruling (Archive Without Sanction): The AEPD found that whilst a data disclosure breach technically occurred (the invoice was sent to an unauthorised third party), the funeral home lacked the subjective element of culpability required for administrative sanction. The regulator concluded that the company had been the victim of deliberate identity fraud by the sister, had reasonable data protection measures and external consultancy support in place, acted diligently upon discovering the error, and demonstrated no intent, bad faith, or profit motive. The case was archived without sanction under the principle that administrative penalties require proof of fault or negligence, which was absent here.

Articles Infringed

Articles Examined (Not Infringed)

Article 5.1(d) GDPR (Accuracy Principle): The AEPD examined whether the funeral home maintained accurate data records. Whilst the phone number on file was incorrect, the disclosure occurred due to deliberate third-party deception rather than systemic data inaccuracy or negligence by the data controller.

Actionable Steps

Based on Resolution EXP202413550, here is the compliance protocol for service providers handling sensitive client data in bereavement, healthcare, and family-related contexts:

1. The "Identity Fraud" Defence (When It Works)

This case confirms that deliberate third-party deception can negate culpability for data breaches—but only if your procedures were otherwise reasonable.

Action: Document your standard operating procedures for client verification. If fraud occurs, demonstrate to the AEPD that you followed normal protocols and were deceived by sophisticated misrepresentation, not negligent practices.

2. Multi-Step Identity Verification for Sensitive Data Disclosures

The funeral home's mistake was trusting a voice on the phone without additional verification.

Protocol: Before disclosing financial documents, invoices, or sensitive personal data via email, implement a two-step verification process:

  • Step 1: Confirm the person's identity using pre-registered security questions or reference numbers from the service contract
  • Step 2: Send a verification code via SMS or email to the address previously provided during in-person contract signing, requiring confirmation before releasing documents

3. Data Reconciliation at Every Client Touchpoint

The funeral home admitted that staff collecting the deceased recorded the sister's phone number, but the contracting staff member never cross-checked or updated this data when the actual client signed the contract.

Action: Train all staff to verify and reconcile contact data at every interaction. When a client signs a contract in person, display the existing contact data on screen and ask: "Are these details correct?" Update records immediately if discrepancies are identified.

4. Flag High-Risk Data Sharing Scenarios

Funeral services, medical invoices, and family-related documentation are especially vulnerable to identity fraud because multiple family members may be involved in arrangements.

Best Practice: For services involving bereavement, healthcare, legal estates, or family disputes, implement a "red flag" system requiring additional verification before sharing documents. If someone calls requesting that an invoice be sent to an email address different from the one on file, require written confirmation from the original email address before proceeding.
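As an added illustration of the two-step check in point 2 and the red-flag rule in point 4 (example code written for this summary, not part of the resolution or of any funeral-home system; the record fields, the six-digit one-time code and the sample addresses are assumptions):

```python
"""Hypothetical release gate modelling the two-step verification and the
'different destination' red flag described above (not any vendor's code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service types the page treats as especially exposed to family impersonation.
HIGH_RISK = {"bereavement", "healthcare", "legal_estate", "family_dispute"}

@dataclass
class ClientRecord:
    contract_ref: str                    # reference on the signed service contract
    contract_email: Optional[str]        # address collected at in-person signing, if any
    service_type: str
    pending_code: Optional[str] = None   # one-time code sent only to contract_email

@dataclass
class DisclosureRequest:
    destination_emails: List[str]        # where the caller asked the invoice to go
    contract_ref_given: Optional[str]    # Step 1: reference quoted by the caller
    code_given: Optional[str]            # Step 2: code the client read back
    written_ok_from_contract_email: bool = False  # reply received from on-file address

def issue_code(rec: ClientRecord) -> str:
    """Step 2: generate the code that is sent ONLY to the on-file address."""
    if rec.contract_email is None:
        raise ValueError("no on-file email from contract signing to send the code to")
    rec.pending_code = f"{secrets.randbelow(10**6):06d}"
    return rec.pending_code

def evaluate_release(req: DisclosureRequest, rec: ClientRecord) -> Tuple[bool, List[str]]:
    """Return (release_allowed, blocking_reasons); any reason blocks the email."""
    reasons = []
    if rec.contract_email is None:
        # The EXP202413550 situation: no email was collected at signing, so there is
        # no trusted address to verify against; collect one via the contract channel.
        reasons.append("no on-file email from contract signing; cannot verify")
    if req.contract_ref_given != rec.contract_ref:
        reasons.append("step 1 failed: contract reference not confirmed")
    if (rec.pending_code is None or req.code_given is None
            or not hmac.compare_digest(rec.pending_code, req.code_given)):
        reasons.append("step 2 failed: verification code not confirmed")
    on_file = (rec.contract_email or "").lower()
    others = [e for e in req.destination_emails if e.lower() != on_file]
    if others and rec.service_type in HIGH_RISK and not req.written_ok_from_contract_email:
        reasons.append(f"red flag: {others} not on file; written confirmation "
                       "from the on-file address required")
    return (not reasons, reasons)
```

The first scenario in the test mirrors the case above (no email collected at signing, two unknown addresses supplied over the phone): every check fails and nothing is released.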

5. Immediate Incident Response Mitigates Sanctions

The funeral home's swift response—contacting the sister, requesting deletion, reviewing protocols, and issuing a formal apology—was critical to avoiding a fine.

Protocol: Create an "Unauthorised Disclosure Incident Response Plan":

  • Within 24 hours: Contact the unauthorised recipient and formally request deletion of the data
  • Within 72 hours: Notify the data subject (the actual client), explain what happened, and outline remedial steps taken
  • Within 7 days: Review and update procedures to prevent recurrence
  • Document everything for potential AEPD review

6. External Consultancy and Compliance Infrastructure

The AEPD noted that the funeral home had an external data protection consultancy providing continuous support and risk assessment.

Action: Especially for SMEs in sensitive sectors (healthcare, legal, funeral services), retain external GDPR advisors on a continuous monitoring contract, not just for one-off audits. This demonstrates organisational commitment to compliance and provides expert support during incidents.

7. The "No Intent, No Fine" Principle (With Limits)

This case relied heavily on the absence of intent, bad faith, or financial gain. However, this defence has limits.

Warning: If similar incidents recur after this one, the AEPD will view repeated failures as evidence of systemic negligence, and the "we were deceived" defence will no longer apply. Implement the verification protocols above immediately to avoid future liability.

Summary of Business Risk

Whilst the funeral home avoided sanction due to third-party fraud and diligent incident response, this case exposes serious vulnerabilities in telephone-based identity verification for sensitive data disclosures. Businesses handling bereavement, medical, legal, or family-related services must implement multi-factor identity verification before emailing financial or personal documents. The AEPD's leniency here reflects good-faith victim status, but repeated incidents would trigger negligence-based sanctions.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice (Aviso Legal).
