Request your pay and receive that of all staff. Up to 446 workers affected, with breakdown of their salaries, full names, IDs, social security numbers and bank accounts. A huge security breach for which the Spanish Data Protection Agency (AEPD) imposed a fine of 450,000 euros on the Japanese fashion company Uniqlo, which has now admitted its responsibility for the failure and has given up its appeal to reduce the amount of the penalty.
The facts date back to August 2022. An employee then contacted Uniqlo’s human resources department to request her pay due to the end of her employment relationship with the company, which occurred the previous month. What he received was a PDF file with all his colleagues’ paychecks for the month of July, including those who had multiple paychecks due to their different working relationships with the company. A total of 471.
“The claimed party acknowledges the alleged facts,” declares the AEPD: “It claims that, in the context of the exchange of information by email, its human resources department mistakenly sent the indicated file, with the information of all staff. “They attribute this fact to human error,” breaks down the resolution.
Despite the severity of the breach, Uniqlo did not notify affected individuals of what had happened. The time bomb continued until March 2023, when the employee who received the data filed a complaint with the AEPD and informed the works council, which filed another complaint in May. It was when the privacy regulator contacted Uniqlo that it informed staff.
The brand assures that it “reiterates that there was no evidence at management level until it was communicated by the AEPD, thus justifying the delay of several months between the events and the communication” , specifies the resolution. At the time of communication, 160 people were no longer with the company.
However, the AEPD considered that beyond the “human error” in which Uniqlo frames the events, what happened showed that the company did not have “appropriate measures” to safeguard the data the most sensitive of its workers in Spain. As responsible for processing its workers’ data, the company has the responsibility to “guarantee a level of security appropriate to the risk” and to prevent such an event from occurring and being hidden from those affected for eight months .
Therefore, the AEPD ordered Uniqlo to take measures to prevent similar incidents from happening in the future and considers it responsible for two violations of privacy regulations, one for failing to guarantee the security of its employees’ data and the other for not having applied appropriate measures. for that. The two total 450,000 euros.
Uniqlo received a 20% reduction on the pick-up penalty and another for prompt payment, allowing it to reduce it by another 20%. The amount of the fine therefore remains at 270,000 euros. elDiario.es contacted the Japanese company to include its position in this information, but it did not respond to the request.
