AEPD (Spain) - EXP202306260
AEPD - EXP202306260 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 14.04.2021 |
Decided: | 27.12.2023 |
Published: | |
Fine: | 6,500,000 EUR |
Parties: | The Phone House Spain |
National Case Number/Name: | EXP202306260 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Ao |
The DPA fined a telecommunications company a total of €6,500,000 after a cyberattack showed that it had not implemented adequate measures to protect the personal data of its customers, suppliers and employees.
English Summary
Facts
On 14 April 2021, the Spanish DPA (AEPD) received a notification of a personal data breach registered by the controller, a telecommunications provider.
The Security Breach Assessment Report showed that approximately 13,000,000 people were affected by the data breach. The attackers downloaded a database containing the personal data of clients, former clients, suppliers and employees of the controller and published the information on a public website. The personal data included names, ID numbers, postal addresses, email addresses, mobile numbers, nationality, sex, dates of birth, bank account numbers as well as employment details of employees.
The data had been stored in plain text without any pseudonymisation or anonymisation measures in place.
The controller argued that adequate measures were in place and that the attack could not have been prevented due to the technical expertise of the cyber attackers. Crucially, the controller submitted that there was no relationship between the alleged inadequacy and the data breach, as more robust measures could not have prevented the attack. Therefore, no causal link could be established between the actions of the controller and the incident. The controller firmly positioned itself as a victim of an unforeseen attack and argued that every security system shows room for improvement but that Article 5(1)(f) GDPR cannot be interpreted as an obligation of result.
Holding
The AEPD clarifies that Article 5(1)(f) GDPR is violated if there is a personal data breach, regardless of whether the breach was caused by the absence or deficiency of security measures. In its capacity as a controller for large amounts of personal data concerning a large number of people, the controller should have foreseen the risks and implemented measures which could have prevented the cyberattack.
As aggravating factors, the AEPD highlights the amount of personal data leaked and the number of people affected by the breach. Further, it highlighted that a Data Protection Impact Assessment of 2018, which was submitted by the controller, listed precisely those shortcomings in the security system which then enabled the data breach. For the AEPD, the failure to remedy these issues over a period of two years until the data breach clearly demonstrated negligent behaviour on the part of the controller.
Mitigating factors were that the controller drew no benefit from the data breach and that the controller diligently notified the AEPD of the data breach.
The AEPD imposed a fine of €4,000,000 for the infringement of Article 5(1)(f) GDPR and a fine of €2,500,000 for the infringement of Article 32 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.