15,000 euros fine for sending emails without a blind copy


The Spanish Data Protection Agency (AEPD) has published a ruling sanctioning one of the most serious errors when sending an email to several recipients: not using the BCC (blind carbon copy) function.

The Spanish body that safeguards our privacy considers that failing to use BCC in a message to several recipients is a violation of articles 5 and 32 of the General Data Protection Regulation.

Data disclosure without consent

The ruling and its fine of 15,000 euros are directed at Ilunion Seguridad. It arises from a complaint by a worker who considered that he had not given his consent to be included in a WhatsApp group or to receive work-related emails in which his address was visible to the other colleagues to whom the messages were addressed.

The AEPD considers the use of the WhatsApp group appropriate, taking into account the specific circumstances of the moment (in the midst of a pandemic) and that none of the participants in the group showed their lack of consent, which is considered active consent. On the other hand, it does sanction the two emails sent without using the blind copy option, which revealed the claimant’s email address to the rest of the recipients without his consent.

Because of this violation, the AEPD considers that the security measures of the entity complained against do not meet the data protection regulations and points out that “there are tools on the market that reduce the risk of emails being sent by mistake to several recipients without using the blind copy option, by keeping the recipients hidden by default.” “Intentionality or negligence” is taken into account as an aggravating factor in this case, setting a penalty of 10,000 euros for violating article 5 and 5,000 euros for violating the provisions of article 32, both of the GDPR.

The importance of using BCC when sending an email

When we send an email to several recipients, we must be careful to use the BCC option so that recipients do not see each other's email addresses or, failing that, have the authorization of every recipient for the others to see their address.
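As an added example (not taken from the ruling or from any product it refers to), this is one way an outbound-mail wrapper can keep recipients hidden by default: when more than one address appears in To/Cc, the addresses are moved out of the headers and kept only in the SMTP envelope. The function names, the one-address threshold and the `example.org` addresses are assumptions made for the illustration.

```python
from email.message import EmailMessage

MAX_VISIBLE = 1  # assumed policy: at most one address readable in To/Cc


def _addresses(msg, *fields):
    """Addr-specs found in the named headers (EmailMessage default policy)."""
    return [a.addr_spec for f in fields
            for h in msg.get_all(f, []) for a in h.addresses]


def visible_recipients(msg):
    """Addresses every recipient of the delivered message can read."""
    return _addresses(msg, "To", "Cc")


def hide_recipients(msg, max_visible=MAX_VISIBLE):
    """Return (msg, envelope_recipients) ready for smtplib's send_message().

    When more than max_visible addresses sit in To/Cc, they are stripped from
    the headers and kept only in the SMTP envelope, which is what Bcc does.
    """
    exposed = visible_recipients(msg)
    hidden = _addresses(msg, "Bcc")
    del msg["Bcc"]  # Bcc must never travel in the delivered headers
    if len(exposed) > max_visible:
        del msg["To"], msg["Cc"]
        msg["To"] = "undisclosed-recipients:;"  # RFC 5322 empty group
        exposed, hidden = [], exposed + hidden
    return msg, list(dict.fromkeys(exposed + hidden))  # de-duplicated


def sample_message(to, cc=None):
    """Constructed staff notice; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "rrhh@example.org"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Shift change"
    msg.set_content("New rota attached.")
    return msg


if __name__ == "__main__":
    m, rcpts = hide_recipients(
        sample_message("ana@example.org, luis@example.org", "marta@example.org"))
    print(m["To"], rcpts)
```

The returned list is what would be passed as `to_addrs` to `smtplib.SMTP.send_message()`, so delivery still reaches everyone while no recipient sees another's address.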


The Spanish Data Protection Agency considers that failure to do so violates article 5.1 f) (“Personal data will be treated in such a way that adequate security of personal data is guaranteed, including protection against unauthorized or illicit processing and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures of integrity and confidentiality.”).

It also considers that article 32 of the General Data Protection Regulation was violated, which refers to the security of data processing (“Taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity for the rights and freedoms of natural persons, the controller and the processor will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of processing systems and services.”).
