AEPD (Spain) - PS/00028/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00...") |
m (→Facts) |
||
Line 73: | Line 73: | ||
=== Facts === | === Facts === | ||
On 31 March 2021, the City Council of Getafe (the controller) published by mistake on its website an excel sheet containing the personal data of the vehicle owners that had requested a change of address in the previous week (the data subjects). The excel sheet included the name, surname, address, date of birth, tax identification number, ID number, vehicle registration number, and date of registration of vehicle of the data subjects. The excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list. | On 31 March 2021, the City Council of Getafe (the controller) published by mistake on its website an excel sheet containing the personal data of the vehicle owners that had requested a change of address in the previous week (the data subjects). The excel sheet included the name, surname, address, date of birth, tax identification number, ID number, vehicle registration number, and date of registration of vehicle of the data subjects. The excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list. | ||
On 31 March 2021, A.A.A. (the applicant), notified the breach to controller and the AEPD. The controller unlinked the excel sheet from the website, so that it would not be available when using the navigation route on the portal. However, the excel sheet itself was not deleted from the internet and stayed online as an "orphan document" until 24 January 2022, which could be retrieved when typing the exact URL in the browser. | On 31 March 2021, A.A.A. (the applicant), notified the breach to controller and the AEPD. The controller unlinked the excel sheet from the website, so that it would not be available when using the navigation route on the portal. However, the excel sheet itself was not deleted from the internet and stayed online as an "orphan document" until 24 January 2022, which could be retrieved when typing the exact URL in the browser. | ||
During the procedure, the controller submitted that it had originally intended to publish a call for the plenary session of the City Council, and instead published the excel sheet by mistake. Despite the fact that the excel sheet stayed online during several months after the initial complaint of the applicant, the controller submitted that it was unlikely that the data had been retrieved, as the excel sheet could only be accessed through the exact URL and not through a link on the website. According to the controller, no serious harm had been identified following the data breach. | During the procedure, the controller submitted that it had originally intended to publish a call for the plenary session of the City Council, and instead published the excel sheet by mistake. Despite the fact that the excel sheet stayed online during several months after the initial complaint of the applicant, the controller submitted that it was unlikely that the data had been retrieved, as the excel sheet could only be accessed through the exact URL and not through a link on the website. According to the controller, no serious harm had been identified following the data breach. | ||
Revision as of 17:45, 20 February 2023
AEPD - PS-00028-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Article 33 GDPR 72, 73, 77 Spanish Data Protection Act |
Type: | Complaint |
Outcome: | Upheld |
Started: | 31.03.2021 |
Decided: | |
Published: | 03.02.2023 |
Fine: | n/a |
Parties: | Getafe City Council |
National Case Number/Name: | PS-00028-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mapez |
The Spanish DPA imposed a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR by making available online during several months the personal data of data subjects without their consent.
English Summary
Facts
On 31 March 2021, the City Council of Getafe (the controller) published by mistake on its website an excel sheet containing the personal data of the vehicle owners that had requested a change of address in the previous week (the data subjects). The excel sheet included the name, surname, address, date of birth, tax identification number, ID number, vehicle registration number, and date of registration of vehicle of the data subjects. The excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list.
On 31 March 2021, A.A.A. (the applicant), notified the breach to controller and the AEPD. The controller unlinked the excel sheet from the website, so that it would not be available when using the navigation route on the portal. However, the excel sheet itself was not deleted from the internet and stayed online as an "orphan document" until 24 January 2022, which could be retrieved when typing the exact URL in the browser.
During the procedure, the controller submitted that it had originally intended to publish a call for the plenary session of the City Council, and instead published the excel sheet by mistake. Despite the fact that the excel sheet stayed online during several months after the initial complaint of the applicant, the controller submitted that it was unlikely that the data had been retrieved, as the excel sheet could only be accessed through the exact URL and not through a link on the website. According to the controller, no serious harm had been identified following the data breach.
Holding
The AEPD qualified the upload of the excel file as a confidentiality breach and identified three subsequent infringing conducts: infringement of Article 5(1)(f) and Article 32 for not handling the data with the appropriate level of security, and of Article 33 for not notifying the data breach to the AEPD.
With regards to Article 5(1)(f), the AEPD found that the publication of the excel sheet online enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.
With regards to Article 32, the AEPD found that the controller failed to properly take out the excel sheet and did not involve the IT services in the process. Furthermore, the AEPD found that the controller had failed to make an appropriate assessment of the risks generated by the initial breach of confidentiality, and should have considered potential further risks to prevent its persistence. The AEPD noted that although the controller was aware of the persistence of the data breach, all the details of the infringement were probably not known.
With regards to Article 33, the AEPD found that the controller had failed to assess the level of severity of the data breach and the risks to the rights and freedoms of the data subjects. In the case at hand, the AEPD found that such confidentiality breach would have justified a notification to the AEPD, which the controller did not undertake.
On the basis of Articles 72 and 73 of the Ley Orgánica 3/2018 de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (Spanish Data Protection Act - LOPDGDD), the AEPD classified the infringement of Article 32 and 33 as "serious" offences whilst the breach of Article 5(1)(f) was considered a "very serious" offence. The AEPD issued a warning decision to the controller in accordance with the special regime of administrative fines applicable to local administrations (Article 77 LOPDGDD).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
https://www.aepd.es/es/documento/ps-00028-2022.pdf