The Spanish Data Protection Agency has fined Pinkgreen Barcelona, S. L. with 4,000 euros for revealing personal data of two clients when responding to their negative reviews on Google. The resolution also orders the company to delete the published information and cease its processing within a period of ten days.
The conflict started on May 7, 2024, when two claims were filed against the restaurant for the content of its replies to reviews published online. In one of the cases, a user had left a negative review. In the other, a one-star rating without comment.
Personal data exposed in public responses
One of the complainants maintained that their profile on the platform only showed their name, without surnames or an identifying photograph. Despite this, the establishment's response included their full name, the university where they studied, their sexual orientation, and the name of their partner. In that same message, data of two people who accompanied them also appeared.
The second complaint denounced a response described as totally disproportionate, in which identifying data were also exposed. The AEPD verified in March and September 2025 that the two reviews remained published, so that the responses with personal data remained visible months later.
The Agency rejects the allegations of the company
During the procedure, Pinkgreen Barcelona alleged defenselessness by maintaining that it had not received prior communications. The Agency dismissed that argument and concluded that no such situation existed, as failed electronic and postal notification attempts were recorded due to causes attributable to the entity itself. Afterwards, furthermore, the sanctioning procedure was notified with a deadline to submit allegations.
The company also argued that the disseminated data came from public profiles on social networks. The AEPD rejected that justification and recalled that the presence of information on the internet does not authorize its collection and re-publication without a valid legitimizing basis.
"The fact that these data appear on social networks does not imply that anyone can collect and publish them without a legitimate basis" - Spanish Data Protection Agency
Special gravity for disseminating sexual orientation
The resolution considers that the restaurant's action constitutes a processing of personal data, by disseminating that information on an open platform. The Agency concludes that that processing did not have a legal basis in accordance with the General Data Protection Regulation.
The file highlights the special seriousness of having published data related to the sexual orientation of one of those affected. The resolution itself recalls that the processing of personal data revealing aspects of sexual life or sexual orientation is prohibited, and adds that in this case none of the exceptions provided to allow the use of that special category of data apply.
"It is clearly deduced the intentionality to publish said data to the complaining party who had made, in their judgment, a bad review" - Spanish Data Protection Agency
The sanction is broken down into 2,500 euros for violating Article 9 of the GDPR, relating to special categories of data, and 1,500 euros for infringing Article 6, on the lawfulness of processing. The resolution emphasizes that the dissemination of data on the internet allows access by third parties without any restriction, a scope that has weighed on the final decision of the body.