Spanish supervisory authority fined UNIQLO EUROPE, LTD for violations of Article 5.1(f) and 32 of the GDPR

  • National News

Background information

  • Date of final decision: 12 August 2024
  • National case
  • Controller: UNIQLO EUROPE, LTD. (BRANCH IN SPAIN)
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing).
  • Decision: Administrative fine.
  • Key words: Integrity and confidentiality, Security of processing.


Summary of the Decision


Origin of the case

The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent the complainant an e-mail with an attached PDF document that contained not only the complainant's payslip but also those of 446 other members of staff.

Key Findings

The documentation in the file offers clear indications that UNIQLO violated Article 5.1(f) of the GDPR by failing to duly guarantee the confidentiality and integrity of its employees' personal data, which were disclosed to an unauthorized third party. This duty of confidentiality and integrity must be understood as having the purpose of preventing data leaks that the data subject has not consented to.

The documentation also shows a violation of Article 32.1 of the GDPR, due to the failure to adopt appropriate technical and organisational measures.

UNIQLO provided evidence of a series of technical and organisational measures intended to preserve the security and privacy of its information systems. These measures were not appropriate to prevent the facts that are the subject of the complaint. UNIQLO also described a series of measures adopted afterwards, such as allowing former employees to access their payslips for a period of 60 days after termination of the contract, a review of the payroll process by the human resources department, and a redesign of that department's internal protocols. Measures adopted after the fact cannot be taken into consideration when assessing UNIQLO's responsibility for the events.

The negligent handling of the personal data in the workers' payslips by an employee does not exempt UNIQLO from liability. The jurisprudence of the Spanish Supreme Court has confirmed that a company is liable, for sanctioning purposes, for the negligent action of an employee that results in non-compliance with data protection regulations.

Decision

The Spanish Supervisory Authority (AEPD) imposed a total fine of 450,000 euros for the infringements, which was reduced to 270,000 euros under provisions of Spanish law that allow a reduction of the fine amount when the controller voluntarily pays the fine and acknowledges responsibility for the violation.


For further information: 
