AEPD sanction for deleting private and personal data from a former employee's device

Informes | 20 December 2024
The AEPD penalises a bank for improperly deleting personal data on a corporate device acquired by a former employee.

The Spanish Data Protection Agency (AEPD) has sanctioned a bank for deleting personal data from a corporate terminal that was purchased by a former employee for personal use. Following the employee's complaint, the AEPD concluded that the deletion of the data by the bank involved the processing of the data without a legal basis for legitimisation. What you need to know:

  • The Spanish Data Protection Agency (AEPD) has sanctioned a banking entity for deleting personal data from a corporate device that had been acquired by a former employee after the end of her employment relationship.
  • Although the entity had internal policies that provided for the possibility of deleting the information contained in corporate applications from the devices, the AEPD concludes that the entity did not have a legal basis to proceed with the deletion of the former employee's personal information that went beyond the data contained in corporate applications.
  • The sanction analysed highlights the importance of clearly defining the scope of internal policies and analysing their adaptation to the principles and obligations of data protection regulations.

The Spanish Data Protection Agency (AEPD) has sanctioned a banking institution for erasing personal data and private information from a corporate terminal subsequently acquired by the former employee for personal use. The AEPD, following the complaint filed by the employee, concluded that the deletion of the data by the entity involved the processing of the data without a legal basis for legitimisation.

(I) Grounds for the complaint

The sanctioned entity had a programme that offered its employees the possibility of acquiring corporate devices for their personal use. Making use of this possibility, the interested party, after terminating her employment relationship with the entity, agreed to acquire the corporate terminal with which she had worked. The complainant indicates to the AEPD that, months after the termination of her employment relationship, the terminal ceased to be active; after she contacted the entity, it indicated that she should restore the terminal to factory settings, implying the loss of all the information it contained. The complainant complained that this practice meant that her personal information was deleted without authorisation or prior notice and that she lost control over her data.

Faced with these facts, the sanctioned entity argued that it was entitled to delete the data from the device at any time during the employment relationship between the parties or at the end of that relationship. To this effect, the entity argues that the internal policy for the acquisition of the devices expressly provides that the entity may delete, physically or remotely and at any time during the employment relationship or thereafter, all corporate application data contained in the device without prior notice.
(II) Obligations breached

The AEPD considers that, although the conditions of use of the corporate device granted the entity the right to delete all the data contained in the corporate applications on the device, this did not imply the possibility of deleting data not included in those corporate applications, namely the complainant's personal data and information contained on the device she had acquired. It therefore concludes that the deletion possibility set out in the entity's internal policy should only be applicable to the information contained in the corporate applications and did not cover the deletion of data that did not form part of those applications, i.e. data and information of a personal nature belonging to the complainant and stored on the device she had acquired. Furthermore, the Agency considers that the deletion of data after a period of time has elapsed since the termination of the employment relationship should be exceptional.

Therefore, the Agency considers that, in accordance with the provisions of the RGPD, it has not been accredited that the entity had any legitimate basis for the data processing carried out (in this case, the erasure of the information). In setting the amount of the sanction, the AEPD takes into account:

  • the nature and seriousness of the infringement, insofar as it considers that the Entity's actions affect legitimacy as a basic principle of data processing, considered to be of greater seriousness by the regulations;
  • the intentionality or negligence of the entity, due to non-compliance with its own internal procedures and lack of diligence on the part of the data controller. This is based on the jurisprudence of the Supreme Court, considering that imprudence exists whenever a legal duty of care is disregarded, i.e. when the offender does not behave with the required diligence; diligence that must be weighed up according to the professionalism of the offender.

Likewise, the volume of sales of the sanctioned entity is taken into account as an aggravating factor.

(III) Conclusions

This resolution is relevant because it highlights the importance of clearly defining the scope of internal policies and analysing their adaptation to the principles and obligations of data protection regulations. Therefore, the development and implementation of any internal process or procedure, especially those with a greater impact on the handling of information and personal data, must be designed taking into account the principles and obligations contemplated in the data protection regulations and the impact on the rights and freedoms of data subjects, integrating in their development and implementation a risk approach that reinforces the diligence of the data controller and allows preventing conflicts and possible infringements of the data protection regulations.
