Support Centre

Spain: AEPD finds data security violation for emails sent by Club Atlantida without Bcc

The Spanish data protection authority ('AEPD') issued, on 2 July 2020, a resolution ('the Resolution') in proceedings PS/00478/2019, against Club Atlantida sub de Santa Cruz de Tenerife because the Board of Directors had sent two separate emails to partners without a blind carbon copy ('Bcc'), thus making the email addresses of all partners accessible, and had not responded to requests to ask partners to delete said email from inboxes. As a result, the complainants claimed to have received threatening emails from fake email addresses. Furthermore, the AEPD decided that this constituted a violation of Article 5(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Therefore, the AEPD requested that Club Atlantida take appropriate measures in the management of personal data to ensure that emails sent to all partners are sent with a blind copy of recipients and to adapt their privacy policy to the current data protection legislation.

You can read the Resolution, only available in Spanish, here.