Administrative fine of €270 000 imposed by the Spanish Data Protection Authority on UNIQLO EUROPE, LTD for violation of Articles 5.1(f) and 32 of the GDPR
The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, reports the administrative fine of 270 000 euro imposed by the Spanish Data Protection Authority on UNIQLO EUROPE, LTD for violation of Article 5 (Principles relating to processing of personal data) and Article 32 (Security of processing) of the GDPR.
The complainant in this case, whose employment contract had been terminated, requested access to his payroll information for July 2022. In response to the request, the controller sent the complainant an e-mail with an attached PDF document that included his payroll and that of 446 other workers on the staff.
The documentation in the file offers clear indications that UNIQLO violated Article 5.1(f) of the GDPR by not duly guaranteeing the confidentiality and integrity of the personal data of its employees, the data having been brought to the attention of an unauthorized third party. This duty of confidentiality and integrity must be understood as having the purpose of preventing data leaks that are not consented to by the data subject.
Also, the provisions of Article 32(1) of the GDPR have been violated due to the failure to adopt appropriate technical and organizational measures.
UNIQLO EUROPE, LTD cited a series of technical and organisational measures intended to preserve the security and privacy of its information systems. However, these measures were not appropriate to avoid the facts that are the subject of the complaint. A series of measures adopted subsequently has also been provided, such as allowing former employees access to their payrolls for a period of 60 days after the termination of the contract, the review of the payroll process by the human resources department, and the redesign of the internal protocols of said department. These measures cannot be taken into consideration for the purposes of assessing UNIQLO’s responsibility for the facts.
In this context, the Spanish Data Protection Authority has imposed on UNIQLO EUROPE, LTD a total fine of €450,000 for the infringement of the legal provisions mentioned above, which was reduced to €270,000, based on the provisions of national law, which allow for a reduction of the fine when a controller voluntarily pays the fine and acknowledges responsibility for the violation.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.