APDCAT (Catalonia) - PS 46/2024

From GDPRhub
APDCAT - PS 46/2024
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 9 GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.06.2024
Decided: 21.03.2024
Published: 26.03.2024
Fine: 31,000 EUR
Parties: Fundació Universitat Oberta de Catalunya (FUOC)
Autoritat Catalana de Protecció de Dades (APDCAT)
National Case Number/Name: PS 46/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: Arran

The Catalan DPA fined FUOC €31,000 for violating Article 5(1)(c) GDPR by publishing a student’s project with excessive, non-anonymized data of 54 minors in its open-access repository, breaching the data minimisation principle.

English Summary

Facts

In 2000, a student at the Universitat Oberta de Catalunya (UOC) conducted a study for her practicum project involving 54 minors at a secondary school, collecting highly sensitive personal data, including cognitive and psychological test results. In January 2001, the student completed the project, which included names and test scores without anonymization or pseudonymization.

On 16 February 2010, the controller, the Fundació per a la Universitat Oberta de Catalunya (FUOC), published the project in its open-access institutional repository (O2), making the data publicly accessible.

On 7 August 2023, the data subject, one of the students evaluated in the 2000 study, discovered the document by Googling her name and filed a complaint with the Catalan DPA. She alleged that her full name and intelligence scores appeared in the annexes of the published project.

On 8 August 2023, the DPA’s inspection team verified that the report was accessible online and contained non-anonymized personal data of the data subject and other minors. On 1 March 2024, after receiving a request for information from the DPA, the controller removed the document from public access. On 4 June 2024, the DPA initiated a sanctioning procedure against the controller for violating the GDPR.

Holding

On 10 September 2024, the Catalan Data Protection Authority (APDCAT) found that the Fundació per a la Universitat Oberta de Catalunya (FUOC), as controller of the O2 institutional repository, had infringed Article 5(1)(c) GDPR (data minimisation) in connection with Article 83(5)(a) GDPR, by allowing the long-term public accessibility of a student project that disclosed non-anonymized sensitive personal data of 54 minors. The DPA imposed a fine of €31,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
