20 May, 2025

Xnet wins the Battle in Data Protection for millions of Freelancers

BREAKING NEWS – Xnet WINS THE BATTLE IN DATA PROTECTION FOR MILLIONS OF FREELANCERS

In 2018, following a complaint from an affected individual and together with the participants [1] to our university postgraduate program in Technopolitics and Rights in the Digital Age, we began investigating how it was possible that the personal data of the vast majority of freelancers—those data we are required to provide when registering as a freelancer, including sensitive information like our home address—were being sold online by private consulting firms without our consent or benefit. Where was the breach in data custody by institutions?

In 2022, we published a compelling report, “Abuses in the labor field: sale of data of freelancers” where we explained that it was the very Chamber of Commerce that allowed and facilitated this violation of rights:
https://xnet-x.net/en/abuses-labor-field-sale-data-freelancers/

We reported this in December 2022 to the Spanish Data Protection,
https://xnet.maadix.org/nextcloud/index.php/s/6pijiTLrggWHeTs

which opened an investigation in April 2023, and…

Today, they issued a statement confirming that they agree with what we requested and a total fines amount to one million euros.
https://www.aepd.es/informes-y-resoluciones/criterios-juridicos-aepd/tratamiento-datos-personales-empresarios-autonomos
 

Infringements reported by us and confirmed by the AEPD

In the case concerning the Spanish Chamber of Commerce, multiple infringements of the General Data Protection Regulation (GDPR) were identified:


    1. Article 6(1) GDPR – Lawfulness of Processing
    The Chamber unlawfully disclosed personal data to Camerdata without a valid legal basis.
    Administrative fine: €100,000.

    2. Article 5(1)(b) GDPR – Purpose Limitation
    Personal data initially collected to create a public census was subsequently used for purposes incompatible with the original one, namely for commercial use.
    Administrative fine: €100,000.

    3. Article 5(1)(f) GDPR – Integrity and Confidentiality
    The Chamber failed to ensure the security and confidentiality of the Tax Identification Number (NIF) and other personal data.
    Administrative fine: €100,000.

    4. Article 5(1)(a) GDPR – Lawfulness, Fairness, and Transparency
    The principle of fairness was violated in relation to self-employed individuals who had provided their personal data in good faith, trusting it would not be disclosed without their consent.
    Administrative fine: €100,000.

    5. Article 14 GDPR – Duty to Inform Data Subjects
    The Chamber failed to properly inform data subjects (self-employed individuals) of the data transfer to Camerdata.
    Administrative fine: €100,000.

    Total amount of sanctions: €500,000.

6. In addition to the financial penalties, the Spanish Data Protection Agency (AEPD) has expressly ordered the Spanish Chamber of Commerce to:

    Cease the transfer of personal data to Camerdata within one month from the date the decision becomes final and enforceable.
    – Failure to comply with this order may result in the initiation of an additional sanctioning procedure by the AEPD.

 

Xnet’s work is explicitly acknowledged and highlighted in the AEPD’s resolution, which can be accessed through the provided viewer.

Download the PDF file .


 

https://www.aepd.es/documento/ps-00145-2024.pdf

https://www.aepd.es/documento/ps-00146-2024.pdf

 

[1] Project coordinated by Simona Levi, together with Míriam Carles, based on the work of researchers from the postgraduate program in Technopolitics and Rights in the Digital Age, led by Simona Levi and Cristina Ribas. The initiating researcher has requested to remain anonymous. Other contributions come from researchers Alba Soler, Carmelo Ordóñez, Jose Luis Ribés, Carlos García, Carlos Amat, and G.A.LL.

 

Join us

// |