Lawyer fined for sending personal data by WhatsApp

Lawyer using WhatsApp and a court judgment with personal data, illustrating a GDPR fine in Spain.

Lawyer fined for sending a court judgment by WhatsApp

The Spanish Data Protection Agency fined a lawyer for sending a court judgment containing her client’s personal data to third parties through WhatsApp. The message was sent for promotional purposes without an appropriate legal basis.

The case is a useful reminder for law firms and companies: a court judgment may contain personal data, sensitive information or details identifying third parties. Sharing it through messaging apps without anonymisation and without a valid legal basis can breach the GDPR.

Why sending a judgment by WhatsApp can breach the GDPR

The GDPR requires every processing activity involving personal data to have a valid legal basis. In this case, sending the judgment to third parties was not covered by consent or by another sufficient legal ground.

Article 5.1.f GDPR also requires personal data to be processed with appropriate security, including protection against unauthorised or unlawful processing. Sending judicial documentation by WhatsApp to people outside the proceedings can compromise confidentiality.

Which GDPR provisions were breached?

  • Article 6 GDPR: lawfulness of processing. Personal data cannot be disclosed to third parties without a valid legal basis.
  • Article 5.1.f GDPR: integrity and confidentiality. Controllers must protect information against unauthorised access or disclosure.

Lawyer using WhatsApp and a court judgment with personal data, illustrating a GDPR fine in Spain.

Amount of the fine

The total fine amounted to 4,000 euros, split between two infringements: one for the lack of a lawful basis and another for breaching the principle of integrity and confidentiality.

Lessons for law firms and companies

Before sharing a court decision, contract, report or document containing personal data, organisations should check:

  • Whether there is a legal basis to disclose the data.
  • Whether the document should be anonymised or pseudonymised.
  • Whether the channel used is appropriate and secure.
  • Whether the promotional or commercial purpose is lawful.
  • Whether confidentiality and data minimisation safeguards have been applied.

WhatsApp may be a common communication tool, but it does not make every professional data transfer lawful. When client, employee or third-party data is involved, the organisation or professional should assess the channel, purpose and legal basis before sharing documentation.

Auratech Legal Solutions remains at your disposal for any GDPR compliance questions.

/0 Comments/by
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *