AEPD (Spain) - PS/00287/2020: Difference between revisions

From GDPRhub

Revision as of 12:37, 23 March 2021

AEPD - PS/00287/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.12.2020
Published:
Fine: 3000 EUR
Parties: Comercio Online Levante, S.L.
National Case Number/Name: PS/00287/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: GDPR MASTer Project

The Spanish DPA (AEPD) imposed a fine of €3,000 on an online perfume shop for displaying another client's personal data (including billing information and address) to the claimant when the claimant tried to access their own user account.

English Summary

Facts

On 21/01/2020 the claimant filed a complaint with the AEPD describing the incident. The claimant provided a screen print which displays data from another client.

The claimant provided a copy of an email sent on 26/04/2020 to the online shop informing it of the incident.

The privacy policy of the online shop conforms with the GDPR; however, the claimant indicates that it is not possible to contact the online shop through the phone number or email presented there.

Dispute

Holding

[To be filled in later]

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00287/2020

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: Mrs. A.A.A. (hereinafter, the claimant) filed a claim on 04/22/2020 before the Spanish Data Protection Agency. The claim is directed against COMERCIO ONLINE LEVANTE, S.L. with NIF B12983292 (hereinafter, the respondent). The reasons on which the claim is based are that, when trying to access her user account at perfumespremium.es, the personal data of a different user appear.

She provides a screen print showing the data of another client, with an address in Castelldefels, Barcelona.

SECOND: Upon receipt of the claim, the General Sub-Directorate of Data Inspection carried out the following actions:

On 06/04/2020, the claim submitted was forwarded to the respondent for analysis and for communication to the claimant of the decision adopted in this regard. Likewise, the respondent was required to send the Agency, within one month, the following information:

- The decision taken regarding this claim.
- In the event of exercise of the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant.
- Report on the causes that gave rise to the incident from which the claim originated.
- Report on the measures adopted to prevent the occurrence of similar incidents, implementation dates and controls carried out to check their effectiveness.
- Any other information it considers relevant.

No reply to the transfer of the claim has been received by the Agency.

THIRD: On 09/06/2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim filed by the claimant against the respondent.

FOURTH: On 10/08/2020, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the respondent for the alleged infringements of articles 5.1.f) and 32.1 of the RGPD, typified in articles 83.5.a) and 83.4.a) of the RGPD.

FIFTH: Once the initiation agreement was notified, the respondent had not, at the time of this resolution, submitted a brief of allegations, so article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations applies, which in its section f) establishes that, if no allegations are made within the term provided on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise statement about the responsibility imputed, for which reason a Resolution is issued.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/11

SIXTH: From the actions carried out in this proceeding, the following have been accredited:


PROVEN FACTS

FIRST: On 01/21/2020 a written submission from the interested party was entered in the AEPD, stating that the website perfumespremium.es shows the personal data, addresses and billing details of other users when she tries to log in with her own profile.

SECOND: The claimant provides a screen print of the aforementioned web page in which the data of another client can be seen, with an address in Castelldefels, Barcelona.

THIRD: The claimant provides a copy of the e-mail sent to perfumespremium.es on 04/26/2020, which states the following:

To: info @ perfumespremium.com

Good evening, when trying to enter my profile to check the processing of my order, it puts me in the profile of other users, showing me their personal data, billing address and order history. I need to know how my order is going and its arrival date as I cannot keep track of it.

Order number: Order # 8000042803

FOURTH: The respondent's privacy policy is provided in accordance with the new RGPD, although the complainant indicates that there is no way to contact the company either through the contact telephone number or through the email indicated on its website.


FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, in its article 64 "Agreement of initiation in procedures of a sanctioning nature", provides:

"1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of all the actions that exist in this regard, and will be notified to the interested parties, the accused being understood as such in any case.

Likewise, the initiation will be communicated to the complainant when the regulations governing the procedure so provide.

2. The initiation agreement must contain at least:

a) Identification of the person or persons allegedly responsible.

b) The facts that motivate the initiation of the procedure, their possible qualification and the sanctions that may correspond, without prejudice to what results from the instruction.

c) Identification of the instructor and, where appropriate, Secretary of the procedure, with express indication of the regime for challenging them.

d) Competent body for the resolution of the procedure and the regulation that attributes such competence, indicating the possibility that the alleged responsible party may voluntarily acknowledge their responsibility, with the effects provided for in article 85.

e) Provisional measures that have been agreed by the body competent to initiate the sanctioning procedure, without prejudice to those that can be adopted during the same in accordance with article 56.

f) Indication of the right to make allegations and to the hearing in the procedure and the deadlines for their exercise, as well as an indication that, in case of not making allegations within the term provided on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement about the liability charged.

3. Exceptionally, when at the time of issuing the initiation agreement there are not enough elements for the initial qualification of the facts that motivate the initiation of the procedure, the aforementioned qualification may be carried out at a later stage by preparing a Statement of Charges, which must be notified to the interested parties."

In application of the previous precept, and taking into account that no allegations have been made to the initiation agreement, it is necessary to resolve the procedure initiated.


III

Article 58 of the RGPD, Powers, states:

"2. Each supervisory authority shall have all of the following corrective powers:

(…)

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;

(…)"

First of all, article 5 of the RGPD establishes the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality".

The aforementioned article points out that:

"1. Personal data shall be:

(…)

f) processed in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ('integrity and confidentiality')."

(…)

Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), states that:

"1. Controllers and processors, as well as all persons who intervene in any phase of the processing, will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with the applicable regulations.

3. The obligations established in the previous sections will be maintained even when the relationship of the obligated party with the controller or processor has ended."

IV

The documentation in the file shows that the respondent violated article 5 of the RGPD, principles relating to processing, in relation to article 5 of the LOPDGDD, duty of confidentiality, by allowing the claimant access to the personal data of a third person when accessing her user account at perfumespremium.es, where the personal data of another client appear.

This duty of confidentiality, previously the duty of secrecy, must be understood as having the purpose of preventing leaks of data not consented to by their holders.

Therefore, this duty of confidentiality is an obligation incumbent not only upon the controller and the processor but upon everyone who intervenes in any phase of the processing, and is complementary to the duty of professional secrecy.


V

Article 83.5 a) of the RGPD considers that the infringement of "the basic principles for processing, including the conditions for consent in accordance with articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned article 83 of the RGPD, "with administrative fines of up to € 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the higher amount".

On the other hand, the LOPDGDD, for prescription purposes, in its article 72 indicates: "Infractions considered very serious:

1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.

(…)"

VI

Secondly, it should be noted that the security of personal data is regulated in articles 32, 33 and 34 of the RGPD.

Article 32 of the RGPD, "Security of processing", establishes that:

"1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which where appropriate include, among others:

a) pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.

3. Adherence to a code of conduct approved in accordance with article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of this article.

4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data may only process said data on instructions from the controller, unless required to do so by Union or Member State law."

The violation of article 32 of the RGPD is typified in article 83.4.a) of the aforementioned RGPD in the following terms:

"4. Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 10 000 000 or, in the case of a company, up to 2% of the total annual global turnover of the previous financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43.
(…)"

For its part, the LOPDGDD in its article 71, Infractions, states that: "The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute offenses."

And in its article 73, for the purposes of prescription, it qualifies as "Infractions considered serious":

"Based on the provisions of article 83.4 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, and in particular the following:

(…)
g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with what is required by article 32.1 of Regulation (EU) 2016/679."
(…)"

The facts revealed in this claim materialize in the access to the personal data of a third person, a user client of the respondent, when the claimant accesses her account at perfumespremium.es, in violation of the technical and organizational measures.

VII

The GDPR defines personal data breaches as "all those breaches of security that lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".

From the documentation in the file, it is proven that the respondent has violated article 32 of the RGPD, since a security incident occurred in its system allowing access to the personal data of third parties when the claimant accessed her account at perfumespremium.es, where the data of another customer appeared, in breach of the security measures.

It should be noted that the RGPD in the aforementioned precept does not establish a list of the security measures that are applicable according to the data that are the object of processing, but establishes that the controller and the processor will apply technical and organizational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned.

Likewise, security measures must be adequate and proportionate to the risk detected, noting that the determination of the technical and organizational measures must be carried out taking into account: pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when evaluating the adequacy of the security level, particular account must be taken of the risks presented by data processing, such as those resulting from accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized disclosure of or access to said data, which could cause physical, material or immaterial damage.

In this same sense, recital 83 of the RGPD states that:

"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or non-material damage."

In the present case, as stated in the facts and in the framework of investigation file E/03847/2020, the AEPD forwarded the claim submitted to the respondent on 06/04/2020 for analysis, requesting the contribution of information related to the incident claimed, without any response having been received by this body.

The responsibility of the respondent is determined by the security incident demonstrated by the claimant, since it is responsible for taking decisions aimed at effectively implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, so as to ensure the confidentiality of the data, restore their availability and prevent access to them in the event of a physical or technical incident. However, from the documentation provided it is clear that the entity has not only breached this obligation, but also that the adoption of measures in this regard is unknown, despite the claim presented having been transferred to it.

In accordance with the foregoing, it is considered that the respondent would also be allegedly responsible for the violation of the RGPD: the violation of article 32, an offense typified in article 83.4.a).


VIII

In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which point out:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where the measures referred to in article 58, paragraph 2, have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to article 40 or approved certification mechanisms pursuant to article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, "Sanctions and corrective measures", establishes that:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of processing of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the commission of the offense.
e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."

In accordance with the transcribed precepts, in order to set the amount of the sanction to be imposed in the present case for the offense typified in article 83.5.a) of the RGPD for which the respondent is responsible, the following factors are considered:

The scope in a local environment of the processing carried out by the respondent entity.

The number of those affected is unknown, although the claim comes from only one person.

The measures taken by the respondent to prevent similar incidents from occurring, since it has not responded to the Agency's request for information, which in turn affects the absence of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects.

There is no evidence that the entity acted fraudulently, although its conduct reveals a serious lack of diligence.

The linking of the offender's activity with the performance of processing of personal data.

The respondent entity is a small business.

- Secondly, in order to set the amount of the penalty to be imposed in the present case for the offense typified in article 83.4.a) of the RGPD, the following factors are considered concurrent:

The scope in a local environment of the processing carried out by the respondent entity.

The number of those affected is unknown, although the claim comes from only one person.

The measures taken by the respondent to prevent similar incidents from occurring, since it has not responded to the Agency's request for information, which in turn affects the absence of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects.

There is no evidence that the entity acted fraudulently, although its conduct reveals a serious lack of diligence.

The linking of the offender's activity with the performance of processing of personal data.

The respondent entity is a small business.

Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been proven,


The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON COMERCIO ONLINE LEVANTE, S.L., with NIF B12983292, for an infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD, a penalty of € 1,000 (one thousand euros).

SECOND: TO IMPOSE ON COMERCIO ONLINE LEVANTE, S.L., with NIF B12983292, for an infringement of article 32.1 of the RGPD, typified in article 83.4.a) of the RGPD, a penalty of € 2,000 (two thousand euros).

THIRD: TO NOTIFY this resolution to COMERCIO ONLINE LEVANTE, S.L.

FOURTH: To warn the sanctioned party that the sanction imposed must be paid, once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the immediately subsequent business day, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be until the 5th of the second following month or the immediately subsequent business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month counting from the day after the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the cited Law 39/2015, of October 1. It must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, the precautionary suspension would terminate.

Mar España Martí
Director of the Spanish Data Protection Agency