The Spanish DPA (Resolution No. R/3014/2013 dated 14 February 2014) initiated a sanctioning procedure against a company after receiving a complaint submitted by its former HR deputy manager. The complaint reported a data-protection breach related to the company's processing of employee health data. During a previous on-site inspection and the procedure, it was confirmed that the company had an Excel file saved on its system and in its backups, in which health data of its employees for the last 15 years were stored. The company argued that it had been totally unaware of the file's existence and so could not be held responsible for something beyond its knowledge. The Spanish DPA nevertheless concluded that the company was the data controller of the Excel file and was therefore responsible for processing health data over the 15-year period without obtaining the required express consent of the employees concerned. Under the Spanish Data Protection Act, failure to obtain express consent for the processing of health data is generally deemed a very serious infringement, with sanctions ranging from €300,001 to €600,000. In the case at issue, however, the Spanish DPA imposed a lower fine (€40,001) on the company, as the company addressed the infringement diligently by deleting the Excel file concerned.