Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines UNIQLO EUROPE LTD €450,000 following a data breach

On August 12, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00238/2024 in which it imposed a fine of €450,000, which was subsequently reduced to €270,000, on UNIQLO EUROPE LTD (UNIQLO), branch in Spain, for a violation of the General Data Protection Regulation (GDPR) following a complaint.

Background to the decision

The AEPD outlined that the complainant, who provided services to UNIQLO, requested to receive their payroll and received an email containing a PDF document with payroll information on the entire UNIQLO workforce for the month of July. The document contained information including name, surname, ID, social security membership number, and bank account number. The complainant submitted a complaint to the AEPD on March 31, 2023.

The AEPD further stated that UNIQLO explained that the breach was caused by a human error within the human resources department and that the notification was not done in a timely manner due to the employee in question not informing the hierarchical superior. The AEPD highlighted that UNIQLO formally notified the AEPD of the breach on April 24, 2023, and communicated it to the data subjects on May 4, 2024.

Findings of the AEPD

The AEPD held that UNIQLO appeared to have violated Article 5(1)(f) of the GDPR by not duly guaranteeing the confidentiality and integrity of the personal data of its workers by sharing it with an unauthorized third party.

Furthermore, the AEPD found that the provided documentation showed a violation of Article 32 of the GDPR due to the failure to adopt appropriate technical and organizational measures, which allowed an unauthorized third party to access the personal data of the employees.

In particular, the AEPD noted that the measures must be appropriate to the risk involved in the processing and that UNIQLO is responsible for making decisions to effectively implement the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, ensuring the confidentiality of the data, restoring its availability, and preventing access to it in the event of a physical or technical incident.

Lastly, the AEPD confirmed that the negligent action of the employee in the management of the employee's payroll does not exempt UNIQLO from liability.

Outcomes

As a result of the above, the AEPD ordered UNIQLO to adopt technical and organizational measures to guarantee the security of the personal data of its workers and imposed initial fines of:

  • €300,000 for the violation of Article 5(1)(f) of the GDPR; and
  • €150,000 for the violation of Article 32 of the GDPR.

The total amount of the fine was subsequently reduced to €270,000 on account of UNIQLO's voluntary payment of the fine and acknowledgment of responsibility.

You can read the decision, only available in Spanish, here, and the European Data Protection Board (EDPB) summary here.