Even when there is legal authorization to process personal data in workplace harassment investigations, the employer must strictly comply with the principles of confidentiality and security.
On February 25, 2025, the Spanish Data Protection Agency (AEPD) initiated disciplinary proceedings against a company after receiving two complaints from employees alleging that the company had revealed their identities as complainants and respondents in a workplace harassment case, disclosing their first and last names.
In fact, this conflict arose from a complaint of workplace harassment filed by 5 employees against 10 accused individuals, in response to which the company decided to launch the corresponding internal investigation.
Thus, on July 31, 2024, said employer sent an email to the “Works Council” informing them that the investigation had been concluded, attaching the respective resolution to each of the 5 complainants and the 10 respondents, thereby revealing the identity of each of them and disclosing their first and last names and job titles.
For this reason, the claimant argued that, ultimately, the entire workplace knew that she was one of the complainants and, furthermore, that she knew all of the respondents, even though she had not authorized the disclosure of her identity, which led one of the respondents to post in a WhatsApp work group (on the very day the decision was made public), an emoji of a kiss along with the phrase: “Thanks for the complaint”.
For its part, the company—in presenting its defense—argued, fundamentally, that it was not possible to find a violation of the Personal Data Protection Act, since all parties involved were aware of the identities of those affected from the outset and, furthermore, given that the complaint that gave rise to the internal investigation into harassment had been filed with the Works Council, without the complainants invoking their right to anonymity, nor having requested it.
Thus, the AEPD focused its analysis not on the legality of the internal investigation itself, but on the manner in which the company communicated the closure of the proceedings.
In particular, it found that there was sufficient evidence of a violation of the principle of integrity and confidentiality, because the company allowed both complainants and respondents to access the identities of all parties involved in the proceedings, exposing particularly sensitive information in the context of a workplace harassment complaint.
Thus, thelegal issue in the case did not lie in the appropriateness of processing the complaint, but rather in the failure to safeguard the confidentiality of those involved in it.
In light of the above, the AEPD concludes by proposing—given the seriousness of the potential violation and the level of employer negligence—the imposition of an administrative fine that is effective, proportionate, and dissuasive, amounting to €200,000, in addition to the adoption of corrective measures, if appropriate (in this case, that the company adopt, within three months, the appropriate measures to ensure the confidentiality of personal data).
Finally, it is worth noting that, in response to the AEPD’s decision to initiate disciplinary proceedings, the company chose to accept responsibility, with the aim of reducing the amount of the fine imposed, ultimately paying the sum of €120,000.
Given these circumstances, this case is particularly interesting as a comparative reference from the Spanish experience, especially considering that, as of December 1, 2026, Law No. 21,719 will come into effect in our country, which regulates the protection and processing of personal data and establishes the Personal Data Protection Agency, an authority that will fulfill a role equivalent to that currently exercised by the AEPD in Spain.
In this context, this is a case fully applicable to Chile, particularly within the framework of the Karin Law, since even though there is a legal authorization to process personal data in the course of investigations into workplace harassment, this does not relieve the employer of the duty to strictly comply with the principles of confidentiality and security that govern all data processing.
It follows that the mere existence of a legal basis allowing for investigation is not sufficient on its own; rather, it is also essential to have clear internal policies, secure reporting channels, restricted-access protocols, and effective safeguards to prevent the undue exposure of particularly sensitive information.
For more information on these topics, please consult:
Jorge Arredondo | Partner | jarredondo@az.cl
Jocelyn Aros | Labor Group Director | jaros@az.cl
Yoab Bitran | Compliance Group Director | ybitran@az.cl
Felipe Neira | Labor Group Senior Associate | fneira@az.cl
Antonia Nudman | az Tech Senior Associate | anudman@az.cl
Palmira Valdivia | Labor Group Associate | pvaldivia@az.cl
Manuel Sepúlveda | Labor Group Associate | msepulveda@az.cl
Catalina Díaz | Labor Group Associate | cdiazp@az.cl
Felipe Barrera | Compliance Group Associate | fbarrera@az.cl
Be part of our multimedia platform and you can receive the latest legal news, events, podcazt and webinars.
