AEPD (Spain) - EXP202200399
Revision as of 10:10, 3 October 2022
| AEPD - PS-00246-2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR, Article 32 GDPR, Article 33 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 18.07.2022 |
| Decided: | |
| Published: | 27.09.2022 |
| Fine: | €31,200 |
| Parties: | n/a |
| National Case Number/Name: | PS-00246-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined a magazine company €52,000 (reduced to €31,200) for violating Articles 5(1)(f), 32 and 33 GDPR by unlawfully allowing a third party access to personal data and by failing to notify the DPA of the data breach on time.
English Summary
Facts
The data subject filed a complaint with the DPA against the controller, a producer of children's educational magazines. The controller had sent the data subject an e-mail informing them that an unauthorized third party had accessed the controller's database. This database contained location information and contact details of data subjects, originally collected through a registration form FOR. According to the controller, nearly 470,000 people were affected by this data breach.
On 22 October 2021, the controller received an email signed by an external person who identified himself as an alleged researcher. He stated that he had managed to access the company's data as a result of a vulnerability in the website, providing as proof a screenshot of the names of the tables in the database, but without providing proof of a data leak. This was therefore a case of ethical hacking without malicious intent.
The controller hired a security contractor to fix the issues and stated that it had fixed all the vulnerabilities that had made the unauthorized access possible. It had also implemented security incident protocols and encrypted the stored information.
Holding
The DPA held that the personal data of the data subject had been unlawfully disclosed to a third party from the controller's database, and that the controller had therefore violated Article 5(1)(f) GDPR. The DPA considered several aggravating factors, such as the fact that some of the leaked data concerned minor children.
The DPA also held that the controller had failed to implement appropriate technical and organizational measures to ensure an adequate level of security, and had therefore also breached Article 32 GDPR. The risk analysis that the controller provided was the output of the DPA's own ‘GESTIONA EIDP’ tool. The DPA held that this tool only provides guidance on the basic elements of a risk analysis for processing operations and impact assessments. The DPA found no link between the measures implemented by the controller and the risk analysis, so it could not be held that the measures had been deployed to mitigate a particular level of risk. The DPA again treated the fact that the leaked data concerned minor children as an aggravating factor.
The DPA also found that the controller had violated Article 33 GDPR. The DPA stated that the controller knew it had suffered a data breach on 28 October 2021 and informed the DPA on 11 November 2021. The controller had therefore notified the DPA almost two weeks after the data breach, well beyond the 72-hour period that Article 33(1) GDPR allows. The DPA again treated the fact that the leaked data concerned minor children as an aggravating factor.
The DPA fined the controller €52,000 for the combined violations, which was reduced to €31,200.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202200399

RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On July 18, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against BAYARD REVISTAS, S.A. (hereinafter, the claimed party), through the Agreement transcribed below:

<< File No.: EXP202200399

AGREEMENT TO INITIATE A SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency (AEPD) and based on the following:

FACTS

FIRST: D.A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on November 27, 2021. The claim is directed against BAYARD REVISTAS, S.A., with NIF A78874054 (hereinafter, BAYARD). The grounds on which the claim is based are as follows:

The complaining party informs this Agency that he has received an email from the person in charge of the web portal ***URL.1, in which he was informed about unauthorized access to the database by an unauthorized third party, the party responsible being BAYARD. According to the email, the affected data were the location and contact data of the people who had provided their information on the website through the registration form. The person in charge assures that it has resolved all the vulnerabilities that enabled the attack, has implemented the protocols to follow in the event of an incident related to data protection, and has adopted a series of measures, among which is the encryption of stored information.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

Attached to this claim is the screenshot of the email received on November 19, 2021, warning of the breach.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to BAYARD so that it could proceed to its analysis and inform this Agency, within one month, of the actions carried out to adapt to the requirements set forth in the data protection regulations.

The transfer was sent on January 21, 2022 by electronic notification, in accordance with article 41 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP). This notification was automatically rejected after ten calendar days had elapsed from its availability for access, according to paragraph 2 of article 43 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; the transfer was reiterated by certified mail, dated February 1, 2022, the latter resulting in an "unknown" status without the possibility of locating the person in charge.

THIRD: On February 23, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD. On March 1, 2022, information was required from BAYARD in order to clarify the aspects related to the security breach giving rise to the claim filed. The request for information was sent by electronic notification, in accordance with article 41 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP).

This notification was also automatically rejected after ten calendar days from its availability for access, according to paragraph 2 of article 43 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; the request was reiterated by certified mail, dated March 14, 2022, but using a different fiscal address from the one used in the transfer, an address obtained from the website of the person in charge. This last request was successful, with an acknowledgment date of March 22, 2022.

FIFTH: On April 6, 2022, a response to said request for information was received.

SIXTH: Within the framework of the aforementioned preliminary investigation actions, a further request for information was made, dated April 25 of that same year.