
AEPD Resolution: EXP202414050

Resolution Signed: 23/01/2026

AEPD Reference Number: EXP202414050

Sanction Procedure Number: PS-00543-2024 

Fine Amount: €0

Full Description

On 23rd August 2024, a job applicant (A.A.A.) filed a complaint with the Spanish Data Protection Agency against the Extremadura Regional Government's Finance and Public Administration Department (Consejería de Hacienda y Administración Pública de la Junta de Extremadura). The complaint alleged a serious and long-standing data protection violation affecting hundreds of people.

The Public Data Exposure: The regional government had published a list of 492 successful job applicants on its public website (openly accessible without any authentication or access controls) as part of a civil service recruitment process for warehouse supervisor positions (mozo de almacén, Group IV labour personnel). The published list included:

  • Full names (first name and surnames) of all 492 applicants
  • Complete DNI numbers (Spanish national identity card numbers—equivalent to social security numbers)
  • Information that these individuals had passed the competitive examination phase and were now on the definitive waiting list for employment

The Critical Detail: This sensitive personal information had been publicly accessible on the internet since September 2019—nearly five years before the complaint was filed. Anyone with internet access could view, download, and potentially misuse the complete identity details of 492 people.

The Complainant's Concerns: The complainant highlighted several alarming issues:

  1. Fraud and Identity Theft Risk: With full names and complete DNI numbers publicly available, the affected individuals were exposed to significant risks of:
    • Identity fraud
    • Identity theft (suplantación de identidad)
    • Unauthorised use of their personal data for criminal purposes
    • Potential financial fraud (DNI numbers can be used to open accounts, apply for credit, etc.)
  2. Third-Party Republication: The complainant discovered that the data hadn't just remained on the government website. It had been copied and republished on third-party platforms like Scribd (a digital document library). A simple Google search using any of the DNI numbers revealed results from both:
    • The original Junta de Extremadura government website (Juntaex.es)
    • Scribd platform (where someone had uploaded the document)

This meant the data had proliferated beyond the original source, making complete removal nearly impossible.

  3. Lack of Consent: The complainant emphasised that neither he nor the other 491 affected individuals had consented to this public disclosure of their complete identity documents.

The Evidence: The complainant provided compelling documentation:

  • Screenshots showing excerpts of the published list with multiple individuals' full names and complete DNI numbers visible
  • Screenshots of Google search results demonstrating how easily the data could be found by searching for any DNI number
  • Evidence of republication on Scribd platform

The AEPD's Investigation: Following standard procedure, on 24th October 2024, the AEPD transferred the complaint to the Extremadura Regional Government, requesting an explanation and information about compliance measures. The government received this notification but provided absolutely no response—complete radio silence.

On 23rd November 2024, the AEPD formally admitted the claim for processing, confirming the allegations warranted full investigation.

On 3rd February 2025, the AEPD issued a formal agreement to initiate sanction proceedings against the Consejería for alleged infringement of Article 5.1(c) RGPD (the data minimisation principle).

The Government's Belated Response: When finally responding to the sanction proceedings (having ignored the initial information request), the Extremadura Regional Government made several arguments that the AEPD systematically rejected:

Argument 1: "We Didn't Understand the Initial Request"

The government claimed they hadn't responded to the initial information transfer because they thought it was an error. They argued that the complaint only mentioned a list published on a "third-party website" (Scribd) and didn't include the complainant's personal data, making it impossible to identify which specific treatment was being challenged.

AEPD's Rejection: The AEPD noted that:

  • The government never responded to explain this supposed confusion
  • The initial transfer clearly stated that full names and complete DNI numbers were published on the government's own website since September 2019
  • An extract of the published list (showing multiple affected individuals) was provided
  • Locating the publication required only entering any of those DNI numbers into a search engine
  • The government had managed the recruitment process themselves, so claiming inability to identify which treatment was referenced was untenable
  • Moreover, the information transfer (Article 65.4 LOPDGDD) is a non-mandatory preliminary step, not part of the formal sanction procedure, so claims of "defenselessness" were unfounded

Argument 2: "We Have Proper Access Controls"

The government claimed they had implemented "necessary controls regarding the publication and access to waiting lists, exclusively through the 'My Space' section of the web portal, 'My Public Employment' option."

AEPD's Rejection: This argument was irrelevant because:

  • The published dataset contained direct identifiers (full name + complete DNI number)
  • This allowed direct identification of 492 physical persons
  • The publication violated the data minimisation principle regardless of whatever other controls might exist elsewhere
  • The damage was done—492 people's complete identity details had been publicly exposed for five years

The Legal Analysis—Why This Violated GDPR:

The Data Minimisation Principle (Article 5.1(c) RGPD): This principle requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

The Balancing Test: The AEPD conducted a careful analysis of how transparency and recruitment fairness principles should be balanced against data protection:

Legitimate Purposes of Public Employment Lists:

  • Allow applicants to verify their own status
  • Enable applicants to check competitors' positions (for fairness/appeal purposes)
  • Facilitate challenges to arbitrary decisions
  • Calculate deadlines for appeals and objections
  • Ensure transparency in public administration

Who Actually Needs Access:

  • The specific applicants who participated in the process
  • Their legal representatives
  • Potentially, employee unions or works councils (in specific circumstances)

Who Does NOT Need Access:

  • The general public
  • People who didn't participate in the recruitment process
  • Third parties with no legal standing in the procedure

The AEPD's Precedent: The resolution extensively quoted two previous AEPD decisions establishing clear criteria:

Resolution R/2593/2017: "Exposure of data within [the circle of affected applicants] is adequate, proportionate and serves its purposes. [...] The rest of the public, those who are not taking the tests, lack a legitimate basis to access the surnames, names and DNI of each applicant or their qualifications. This is not proportionate to the purpose of the process and does not affect transparency, since third parties who are not going to take the exam do not compete. That access by anyone to the data is invasive and contrary to the principle of minimisation and data quality [...]. It would be less intrusive and more in accordance with data protection regulations if its publication only affected and could be viewed by those who compete, not the general public."

Resolution R/1600/2018: Confirmed that access to such lists should require "prior identification limited to participants."

The Complete DNI Problem: The AEPD emphasised that publishing complete DNI numbers was particularly egregious:

  • DNI numbers are unique personal identifiers
  • They're used across Spanish society for banking, healthcare, employment, legal processes
  • Their exposure creates serious identity theft and fraud risks
  • There was absolutely no justification for making them publicly accessible to anyone with internet access

Alternative Approaches That Would Comply: The AEPD implicitly endorsed several alternatives:

  1. Authenticated Access: Require applicants to log in with credentials before viewing lists
  2. Partial Identification: Use last name + partial DNI (e.g., first 4 digits) for public lists
  3. Individual Notifications: Send individual letters/emails to each applicant with their status
  4. Secure Portal: Provide a "My Applications" portal where each user sees only their own data
  5. Limited Publication Period: If public lists are necessary, remove them after a short period (e.g., 30 days for appeals)

The Accountability Failure: Article 5.2 RGPD requires controllers to demonstrate GDPR compliance. The AEPD noted that there was no evidence the government had:

  • Conducted a risk assessment before publishing the data
  • Considered data protection implications
  • Analysed how to balance transparency with privacy rights
  • Implemented data protection by design and by default

The Remedial Action (Too Little, Too Late): The government finally removed the publication from their website on 6th March 2025—but only after the AEPD had initiated sanction proceedings, and over five and a half years after the initial publication in September 2019.

The Formal Declaration: By 22nd December 2025, the AEPD confirmed the website was no longer available. However, the damage was already done:

  • 492 people's data had been exposed for over five years
  • The data had been copied to third-party sites (like Scribd)
  • Complete removal from the internet was likely impossible
  • The affected individuals remained at risk from anyone who had previously downloaded or saved the list

The Resolution: Under Article 77 LOPDGDD, public authorities cannot be fined for GDPR violations. Instead, the AEPD issued a formal declaration of infringement, which:

  • Confirms the violation occurred
  • Establishes public record of non-compliance
  • Gets communicated to the Defensor del Pueblo (Spanish Ombudsman)
  • Gets published on the AEPD website (with the responsible authority's identity)
  • May trigger disciplinary proceedings against responsible officials

Articles Infringed

Article 5.1(c) RGPD (Data Minimisation Principle): The Extremadura Regional Government's Finance and Public Administration Department violated the data minimisation principle by publishing a list of 492 job applicants on an openly accessible public website that included direct personal identifiers (full names and complete DNI numbers). The publication was not "adequate, relevant and limited to what is necessary" in relation to the legitimate purposes of the recruitment process. The principle of transparency and publicity in public employment procedures does not justify making complete identity details accessible to the general public. The publication should have been limited to actual participants in the recruitment process through authenticated access controls, not exposed to anyone with internet access.

Classification: Very serious infringement under Article 83.5(a) RGPD and Article 72.1(a) LOPDGDD, with a three-year prescription period. Under normal circumstances, this would carry potential fines up to €20 million or 4% of global annual turnover. However, as a public authority, the Extremadura Regional Government is subject to Article 77 LOPDGDD, which prohibits financial penalties and instead requires a formal declaration of infringement.

Actionable Steps

Based on Resolution EXP202414050, public authorities and private employers conducting recruitment processes must implement the following protocol:

1. The "Need-to-Know" Principle for Recruitment Lists

Not everyone needs access to everyone else's personal data in recruitment processes.

Action:

  • Identify Legitimate Access Groups:
    • Applicants themselves: Need to see their own status and results
    • Fellow applicants: May need to verify fairness and identify who they're competing against (but NOT their complete identity documents)
    • The general public: Has NO legitimate need to access applicant identity details
  • Implement Tiered Access:
    • Tier 1 (Public): General process information (positions, requirements, deadlines, selection criteria) with no personal data
    • Tier 2 (Authenticated Applicants): Each applicant sees their own status plus anonymised or partially identified competitor information
    • Tier 3 (Full Access): Only recruitment committee members, HR personnel, and legal representatives see complete personal data

Legal Shield: Article 5.1(c) RGPD requires data minimisation. Making complete identity details publicly accessible fails this test when only participants need limited information for fairness purposes.

2. Never Publish Complete DNI Numbers Publicly

Complete national identity numbers should be treated as highly sensitive data.

Why This is Critical:

  • DNI numbers are unique personal identifiers used across Spanish society
  • They enable identity fraud, financial fraud, and impersonation
  • Their exposure creates long-term risks (unlike temporary data like exam scores)
  • Once published online, they can be copied, archived, and republished indefinitely

Correct Approaches:

  • For public lists: Use last name + first initial + partial DNI (e.g., "García M****1234X")
  • For authenticated applicants: Show enough information to verify identity without exposing complete DNI (e.g., full name + last 4 digits of DNI)
  • For internal administration: Store complete DNI securely in backend systems, never display fully on public-facing pages
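To make the masking rule concrete, here is an added Python example (not code from the resolution, the AEPD, or any Junta de Extremadura system) that validates a DNI using its check letter and renders one waiting-list entry differently for each of the three access tiers described in step 1. The `Tier` names, the `Applicant` record and the sample applicants are constructed assumptions; the check-letter table is the standard one for Spanish DNI numbers.

```python
# Added example: tiered rendering of a recruitment-list entry (not code from
# the resolution or from any Junta de Extremadura system). The Tier names,
# the Applicant record and the sample data below are assumptions.
from dataclasses import dataclass
from enum import Enum
import re

# Check-letter table for Spanish DNI numbers: letter = DNI_LETTERS[number % 23]
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
DNI_PATTERN = re.compile(r"^(\d{8})([A-Z])$")


class Tier(Enum):
    PUBLIC = "public"        # Tier 1: anyone on the internet
    APPLICANT = "applicant"  # Tier 2: authenticated participant in the process
    FULL = "full"            # Tier 3: committee, HR, legal representatives


@dataclass(frozen=True)
class Applicant:
    first_name: str
    surnames: str
    dni: str


def is_valid_dni(dni: str) -> bool:
    """True if the DNI is 8 digits plus a correct check letter."""
    match = DNI_PATTERN.match(dni.strip().upper())
    if not match:
        return False
    number, letter = match.groups()
    return DNI_LETTERS[int(number) % 23] == letter


def mask_dni(dni: str, visible_digits: int = 4) -> str:
    """Hide all but the last `visible_digits` digits; keep the check letter.

    Refuses malformed input rather than guessing where the digits end, so a
    typo in the source data cannot leak an unmasked value onto a public page.
    """
    dni = dni.strip().upper()
    if not is_valid_dni(dni):
        raise ValueError("malformed DNI; refusing to render it")
    digits, letter = dni[:-1], dni[-1]
    return "*" * (len(digits) - visible_digits) + digits[-visible_digits:] + letter


def render_entry(applicant: Applicant, tier: Tier) -> str:
    """Return the text a viewer of the given tier is allowed to see."""
    if tier is Tier.PUBLIC:
        # Surname + first initial + partial DNI, e.g. "García M****1234X"
        return f"{applicant.surnames} {applicant.first_name[0]}{mask_dni(applicant.dni)}"
    if tier is Tier.APPLICANT:
        # Full name, but still only the last four digits of the DNI
        return f"{applicant.first_name} {applicant.surnames} ({mask_dni(applicant.dni)})"
    # Tier.FULL: complete data, served only from the authenticated back office
    return f"{applicant.first_name} {applicant.surnames} ({applicant.dni})"


def render_list(applicants, tier: Tier) -> list:
    """Render a whole waiting list for one tier, preserving the given order."""
    return [render_entry(a, tier) for a in applicants]


if __name__ == "__main__":
    # Constructed sample data; both DNIs are syntactically valid test values.
    sample = [Applicant("Marta", "García López", "12345678Z"),
              Applicant("Juan", "Pérez Ruiz", "00001234S")]
    for tier in Tier:
        print(tier.value, render_list(sample, tier))
```

The point of routing every output through `render_entry` is that the complete DNI has exactly one code path, the `FULL` tier, so a public-facing template cannot reach it by accident; the validator also rejects anything that is not an 8-digit-plus-letter DNI instead of producing a partially masked string from bad data.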

Absolute Rule: Complete DNI numbers should NEVER appear on:

  • Publicly accessible websites
  • PDF documents downloadable without authentication
  • Notice boards in public areas
  • Documents shared via email to multiple recipients
  • Any medium accessible to non-participants

3. Implement Authenticated Access for Recruitment Results

Public employment transparency does not require public data exposure.

Best Practice Systems:

  1. Secure Portal Approach:
    • Create applicant accounts during registration
    • Require login to view any results or lists
    • Each applicant sees a personalised dashboard showing their status
    • Provide anonymised competitor rankings (e.g., "You ranked 47th out of 492 applicants")
  2. Verification Code System:
    • Assign a unique verification code to each applicant
    • Publish results accessible only by entering application number + verification code
    • No personal data visible without correct credentials
  3. Individual Notifications:
    • Send individual letters/emails to each applicant with their specific results
    • Provide contact details for queries or appeals
    • No public list required at all
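As an added illustration of the verification-code approach (example code written for this summary, not from any government portal or HR platform), the following Python sketch stores only a keyed hash of each code, compares it in constant time, and locks a record after repeated failures so that results cannot be enumerated by guessing. The application-number format, the handling of `SERVER_KEY` and the lock-out threshold are assumptions.

```python
# Added example: verification-code lookup for recruitment results (not code
# from any government portal or HR platform). Application-number format,
# the key handling and the lock-out threshold are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Per-deployment key for the keyed hash. In production this would come from a
# secret store; generating it at import time is an assumption for the example.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class ResultRecord:
    application_no: str
    code_hash: bytes   # keyed hash of the verification code; the code itself is never stored
    status: str        # what the applicant is entitled to see, e.g. a waiting-list position
    failures: int = 0  # consecutive failed lookups, used for lock-out


def _hash_code(application_no: str, code: str) -> bytes:
    # Binding the application number into the hash means a code only works
    # for the record it was issued for, not for any other applicant's record.
    message = f"{application_no}:{code}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).digest()


class ResultsStore:
    MAX_FAILURES = 5

    def __init__(self) -> None:
        self._records: Dict[str, ResultRecord] = {}

    def register(self, application_no: str, status: str) -> str:
        """Create the record and return the code to send to that applicant alone."""
        code = secrets.token_urlsafe(12)  # 96 bits of entropy
        self._records[application_no] = ResultRecord(
            application_no, _hash_code(application_no, code), status)
        return code

    def lookup(self, application_no: str, code: str) -> Optional[str]:
        """Return the status only when both credentials match; None otherwise."""
        record = self._records.get(application_no)
        # Do the hashing whether or not the record exists, so response time does
        # not reveal which application numbers are real.
        candidate = _hash_code(application_no, code)
        if record is None or record.failures >= self.MAX_FAILURES:
            return None
        if hmac.compare_digest(record.code_hash, candidate):
            record.failures = 0
            return record.status
        record.failures += 1
        return None

    def is_locked(self, application_no: str) -> bool:
        """True once a record has absorbed MAX_FAILURES wrong codes in a row."""
        record = self._records.get(application_no)
        return record is not None and record.failures >= self.MAX_FAILURES


if __name__ == "__main__":
    store = ResultsStore()
    # Constructed sample: one applicant, one result; the code goes only to them.
    code = store.register("2024-000047", "Passed; waiting list position 47 of 492")
    print(store.lookup("2024-000047", code))          # the status
    print(store.lookup("2024-000047", "wrong-code"))  # None
```

In a deployed system the per-record lock-out would be complemented by rate limiting at the web tier and by audit logging of failed lookups, and the lock would be lifted through a verified channel (for instance, re-sending a fresh code by post or to the registered e-mail) rather than automatically.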

Technology Solutions:

  • Modern HR recruitment platforms (Workday, SuccessFactors, Oracle HCM) include compliant applicant portals
  • Custom government portals with secure authentication (similar to tax filing systems)
  • Encrypted PDF documents with password protection (as interim solution)

4. Understand "Transparency" Does Not Mean "Public Data Exposure"

Many public authorities conflate administrative transparency with unrestricted data publication.

Critical Distinction:

  • Transparency Principle: Citizens can scrutinise public administration processes, challenge arbitrary decisions, and verify fairness
  • Does NOT Require: Making everyone's personal data accessible to anyone with internet access

How to Achieve Both:

  • Process Transparency: Publish selection criteria, evaluation methodologies, timelines, appeal procedures
  • Individual Transparency: Each applicant can access complete information about their own application and results
  • Competitive Transparency: Applicants can verify they're competing fairly without seeing competitors' complete identity documents
  • Aggregate Transparency: Publish statistics (number of applicants, success rates, demographic breakdowns) without individual identification

Example of Compliant Transparency: "The warehouse supervisor recruitment process received 492 applications. After the examination phase, all 492 applicants passed and are now on the waiting list. Results are available through the authenticated applicant portal at [URL]. For questions or appeals, contact [email/phone]."

5. Conduct Data Protection Impact Assessments for Recruitment Processes

Article 35 RGPD requires DPIAs for processing likely to result in high risk to individuals' rights.

When DPIAs Are Mandatory:

  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas
  • Processing that could significantly affect individuals

Recruitment May Trigger DPIA Requirements When:

  • Processing data of hundreds/thousands of applicants
  • Publishing lists that could enable identity fraud
  • Using automated decision-making or profiling
  • Processing data of vulnerable groups (e.g., disability information)

DPIA Should Address:

  • What data will be published and to whom
  • What risks the publication creates (fraud, discrimination, harassment)
  • How those risks can be mitigated (authentication, partial anonymisation, time limits)
  • Whether less intrusive alternatives achieve the same legitimate purposes
  • What security measures will protect the data

In This Case: The government provided no evidence of conducting any risk assessment before publishing 492 complete identity sets online for over five years.

6. Time-Limit Public Data Exposures

Even if some public disclosure is justified, it should be time-limited.

Protocol:

  • Determine Minimum Necessary Period: How long do applicants need access for appeals? (Typically 15-30 days)
  • Set Automatic Expiration: Configure systems to automatically remove or restrict access after the period expires
  • Provide Alternative Access: After public period expires, require authenticated access or formal requests

Example Timeline:

  • Day 0: Publish provisional results (authenticated access only)
  • Days 1-15: Appeal period (results remain accessible to authenticated applicants)
  • Day 16: Remove public access; results available only through individual request or secure portal
  • Month 6: Archive results; accessible only for legal/administrative purposes

Critical Rule: Data should NEVER remain publicly accessible indefinitely. The five-year exposure in this case was indefensible.

7. Monitor for Third-Party Republication

Once data is published online, it can be copied and republished elsewhere.

Proactive Monitoring:

  • Use Google Alerts with sample DNI numbers or applicant names to detect republication
  • Conduct periodic searches for recruitment process identifiers
  • Check document-sharing platforms (Scribd, SlideShare, Archive.org)
  • Monitor social media for screenshots or shared documents

Reactive Measures:

  • When republication is discovered, immediately request takedown from platform
  • Exercise "right to be forgotten" with search engines to de-index results
  • Document all republication instances and removal efforts
  • Notify affected individuals if their data has been further exposed

In This Case: The complainant discovered the data on Scribd, demonstrating that government publication led to uncontrolled proliferation.

8. Special Considerations for Public Sector Employers

Public authorities face unique obligations under Article 77 LOPDGDD.

Key Differences from Private Sector:

  • Cannot be fined (only formal declarations of infringement)
  • Violations may trigger disciplinary proceedings against responsible officials
  • Infringement declarations are publicly reported to the Ombudsman
  • Higher public scrutiny and reputational consequences
  • Must balance transparency obligations with privacy rights

Enhanced Accountability:

  • Designate Data Protection Officers (mandatory under Article 37 RGPD)
  • Implement formal data protection governance structures
  • Conduct regular compliance audits
  • Provide comprehensive staff training
  • Document all decisions balancing transparency and privacy

Personal Liability Risk: If the AEPD identifies "sufficient evidence," they can recommend disciplinary proceedings against specific officials. Article 77.3 LOPDGDD states that when violations are attributable to authorities and managers who ignored technical reports or recommendations, the resolution will include a reprimand naming the responsible position and order publication in the official gazette.

9. Learn from AEPD Precedent

The AEPD has repeatedly ruled on recruitment list publication:

Established Principles (from Resolutions R/2593/2017 and R/1600/2018):

  1. Provisional admission/exclusion lists affect only participants, not general public
  2. General public access lacks legitimate basis and is disproportionate
  3. Third parties who don't compete have no right to competitors' personal data
  4. Publication should be "less intrusive" by limiting visibility to actual participants
  5. Authenticated access "limited to participants" is the compliant approach

Practical Implementation:

  • Review all recruitment process publications for GDPR compliance
  • Implement authenticated access for results and lists
  • Remove complete DNI numbers from any public-facing documents
  • Set expiration dates for public accessibility
  • Document the balancing of transparency and privacy interests

10. Remediation Steps When Violations Are Discovered

If you discover similar violations in your organisation:

Immediate Actions (Within 24 Hours):

  1. Remove the publicly accessible data immediately
  2. Disable unauthenticated access to affected pages
  3. Document when the violation occurred and when it was discovered
  4. Notify your Data Protection Officer and legal department

Short-Term Actions (Within 1 Week):

  1. Assess the scope (how many individuals affected, how long exposed)
  2. Search for third-party republications and request removal
  3. Determine if notification to affected individuals is required (Article 34 RGPD—if high risk)
  4. Implement interim protective measures

Medium-Term Actions (Within 1 Month):

  1. Conduct full investigation into how the violation occurred
  2. Identify responsible individuals and procedural failures
  3. Implement corrective measures (new systems, policies, training)
  4. Document all remedial actions taken
  5. If appropriate, voluntarily report to the AEPD (may reduce penalties)

Long-Term Actions (Ongoing):

  1. Review all similar publications for compliance
  2. Update recruitment processes and systems
  3. Provide staff training on data minimisation and transparency balancing
  4. Implement ongoing monitoring and compliance auditing

The "Waiting Five Years" Mistake: The Extremadura government waited over five years to remove the publication, and only acted after the AEPD initiated sanction proceedings. This delay significantly aggravated the violation and demonstrated lack of accountability.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, please consult our Aviso Legal (Legal Notice).
