Workplace data protection complaints increase by 35%

The Spanish Data Protection Agency (AEPD) has published its 2023 Annual Report, which shows a significant increase in sanctions against businesses for failing to comply with the regulations. Especially in Commerce, Hospitality and Transportation.

Inspection procedures and penalties for businesses for breaching data protection grew significantly last year. This was shown in the 2023 Annual Report recently published by the Spanish Data Protection Agency (AEPD), which shows a notable increase in cases of non-compliance in the workplace. And, especially, in the Commerce, Hospitality and Transportation sectors.

Specifically, claims made to the AEPD in the labour field against companies grew by 35% last year, exceeding 700 appeals. This figure is even higher in the case of businesses dedicated to Commerce, Hospitality and Transportation, where they exceeded 1,500 complaints, 66% more than last year.

Spain is the country that sanctions businesses the most for failing to comply with data protection: these are the reasons

Regarding fines, these sectors – where there are several hundred thousand self-employed workers – experienced a 24% increase in sanctioning procedures last year. Within this area, the AEPD highlighted “the increase in reported infractions related to the use of personal data by delivery and parcel companies.”

Based on this data, it is worth remembering that surveillance of businesses in the data protection section continues to grow, and that many of them do not comply with all current legislation. All of this, despite the fact that the fines can even lead to the closure of the company, reaching a maximum of 300,000 euro in the case of offences considered serious.

Commerce, Hospitality and Transport suffered 66% more complaints for breaching data protection

Based on the data from the Annual Report of the Spanish Data Protection Agency (AEPD), Commerce, Hospitality and Transport businesses were the ones that suffered the most complaints for non-compliance with regulations last year. Specifically, these grew by 66% in 2023, up to 1,504.

However, not all of them ended in sanctions. The number of fines for businesses in these sectors grew by 24% last year. Above all, in the use of personal data – in the case of the Transport or Hospitality sector -, but also on the video surveillance cameras installed in commercial premises, a section where, by itself, complaints increased by 29% in 2023.

Likewise, complaints to the AEPD against businesses for failing to comply with data protection grew significantly last year in the field of advertising. Specifically, these formal protests multiplied by two last year, exceeding 4,200 compared to 2,000 the previous year.

Furthermore, the AEPD’s Annual Report showed how businesses that offer services on the Internet are increasingly susceptible to a claim for failing to comply with data protection with their clients. In 2023 these exceeded 2,800, 30% more than in 2022.

Complaints and fines from the AEPD to businesses have been growing “explosively” for three years

The data from the AEPD’s 2023 Annual Report showed how, in the last three years – between 2021 and 2023 – there has been a “new phase of explosive growth in claims”, ending the year with a volume that will be close to 22,000. claims, therefore, more than double that of just three years before”, highlighted the Spanish Data Protection Agency.

As they explained, during these years “the most frequent complaints become those related to Internet services, followed by video surveillance and those related to advertising. Between these three areas, 40% of the claims received at the Agency accumulate.”

In labour matters, the AEPD highlighted one of the aspects on which the judges have ruled in recent months: the registration of the day using a fingerprint or using other biometric data. In this sense, “claims for the processing of biometric data are not yet numerous in absolute data, but they are also clearly growing, having tripled in these two years.”

Why can the AEPD sanction businesses regarding data protection?

The Spanish Data Protection Agency (AEPD) is the body in charge of carrying out inspections regarding compliance with this matter, as well as imposing sanctions on businesses. These fines can reach 40,000 euro in the case of the most minor infractions, and up to 300,000 in the case of serious ones, so it is advisable to review compliance with their obligations in this matter.

But what exactly are these obligations? The legislation includes different aspects to take into account, depending on the size or sector of the company. However, all self-employed people and businesses must address the following issues:

• Inform interested parties about the processing of their data.
• Determine a legal basis that legitimises the treatment.
• Adopt technical and organisational measures that guarantee the confidentiality, integrity and availability of the personal data you handle.
• Comply with conservation deadlines.
• Notify security breaches to the Spanish Data Protection Agency (AEPD).
• Keep a Record of Treatment Activities.

For example, non-compliance with the duty of confidentiality or violating the provisions on the principles relating to treatment, preventing or hindering the exercise of rights, failing to comply with a requirement of the AEPD, failing to adopt appropriate technical and organisational measures for the treatment of data would be subject to sanctions. data, not notifying the AEPD about a security breach or not having a complete Record of Processing Activities.