AEPD (Spain) - PS/00028/2022: Difference between revisions

From GDPRhub
No edit summary
(Thank you for your summary! We've provided the following feedback: Provided GDPR links / added small details to the facts, such as the fact that the Excel sheet was not the intended file / added context to the violation of Article 32 GDPR.)
Line 67: Line 67:
}}
}}


The Spanish DPA imposed a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR by making available online during several months the personal data of data subjects without their consent.
The Spanish DPA imposed a warning to a local administration for violating [[Article 5 GDPR|Articles 5(1)(f)]], [[Article 32 GDPR|32]] and [[Article 33 GDPR|33 GDPR]]. The administration had mistakenly published an Excel sheet containing personal data, which was also not properly removed after the data subject notified both the administration and the DPA.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 31 March 2021, the City Council of Getafe (controller) accidentally published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The Excel sheet included several categories of data, such as name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list.
On 31 March 2021, the City Council of Getafe (controller) accidentally published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The Excel sheet included several categories of data, such as name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list. It later turned out that seventeen people were affected by the breach. The controller wanted to publish a call for a plenary session, but instead published this Excel document by accident.  


On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. After this, the controller unlinked the Excel sheet from its website, so that it would not be available when navigating the controller website. There was therefore no way to reach the Excel sheet any longer, navigating the controller's website. However, the Excel sheet itself was not deleted from the internet and stayed online as an "orphan document" until 24 January 2022. This meant that the Excel sheet could still be accessed, when typing the exact URL in the browser. People who were aware of the exact URL, could therefore still access the Excel sheet.  
On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. After this, the controller unlinked the Excel sheet from its website, so that it would not be available when navigating the controller website. There was therefore no way to reach the Excel sheet any longer, navigating the controller's website. It became clear later that no specialised IT personnel was involved in this solution.


Despite the fact that the Excel sheet stayed online for several months after the initial complaint of the applicant, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through the exact URL and not through any linking on the controller's website. Also, the controller had not identified any serious harm as a result of this data breach.
However, the Excel sheet itself was not deleted from the internet and stayed online as an "orphan document". This meant that the Excel sheet could still be accessed, when typing the exact URL in the browser. People, who were aware of the exact URL, could therefore potentially still access the Excel sheet. The DPA confirmed that it was still possible to access the file on the controller's website on 1 December 2021. The controller deleted the file on 24 January 2022. 
 
Despite the fact that the Excel sheet stayed online for several months after the initial complaint, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through the exact URL and not through any linking on the controller's website. This was also the reason why the controller decided not inform the affected data subjects. Also, the controller had not identified any serious harm as a result of this data breach.


=== Holding ===
=== Holding ===
First, the DPA found a violation of [[Article 5 GDPR|Article 5(1)(f) GDPR]], since the publication of the Excel sheet online enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.  
First, the DPA found a violation of [[Article 5 GDPR|Article 5(1)(f) GDPR]], since the publication of the Excel sheet enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.  
 
Second, the DPA found a violation of [[Article 32 GDPR]]. The DPA held Article 32 GDPR requires the controller to have a complete protocol that must not only prevent the occurrence of the contingency, but, once it has occurred, react to the materialisation of the risk, so that the controller can guarantee the security of the processing. In this case, the controller failed to notice that the Excel sheet stayed online on the controller's website. The DPA also considered the fact that the controller did not involve IT services in this process, which the DPA considered 'obvious' in a situation like this. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks as a result of the breach. The controller  also should have considered potential further risks as a result of the breach. The controller's argument that no data subjects were affected by the breach was also disregarded by the DPA. 


Second, the DPA found a violation of Article 32 GDPR, because the controller failed to properly remove the Excel sheet from its website and did not involve its own IT services in the process. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks as a result of the breach. The controller should have considered potential further risks.  
Third, the DPA found a violation of [[Article 33 GDPR]], because the controller failed to assess the level of severity of the data breach after it had occurred. In this case, the DPA found that there were risks to the rights and freedoms of data subjects because of the reach. The controller should have notified the DPA, regardless of the fact whether harm had been caused to the data subjects.  


Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the level of severity of the data breach. In this case, the DPA found that such a confidentiality breach as in the present case would have justified a notification to the DPA, which the controller did not undertake.
On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringements of [[Article 32 GDPR|Articles 32]] and [[Article 33 GDPR|33 GDPR]] as "serious" offences, whilst the violation of [[Article 5 GDPR|Article 5(1)(f) GDPR]] was considered a "very serious" offence.  


On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringement of Articles 32 and 33 GDPR as "serious" offences,  whilst the violation of Article 5(1)(f) was considered a "very serious" offence. The DPA issued a warning pursuant to Article 77 LOPDGDD.
The DPA issued warnings for all of the above violations.  


== Comment ==
== Comment ==

Revision as of 09:55, 28 February 2023

AEPD - PS-00028-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
72, 73, 77 Spanish Data Protection Act
Type: Complaint
Outcome: Upheld
Started: 31.03.2021
Decided:
Published: 03.02.2023
Fine: n/a
Parties: Getafe City Council
National Case Number/Name: PS-00028-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mapez

The Spanish DPA imposed a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR. The administration had mistakenly published an Excel sheet containing personal data, which was also not properly removed after the data subject notified both the administration and the DPA.

English Summary

Facts

On 31 March 2021, the City Council of Getafe (controller) accidentally published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The Excel sheet included several categories of data, such as name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list. It later turned out that seventeen people were affected by the breach. The controller wanted to publish a call for a plenary session, but instead published this Excel document by accident.

On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. After this, the controller unlinked the Excel sheet from its website, so that it would not be available when navigating the controller website. There was therefore no way to reach the Excel sheet any longer, navigating the controller's website. It became clear later that no specialised IT personnel was involved in this solution.

However, the Excel sheet itself was not deleted from the internet and stayed online as an "orphan document". This meant that the Excel sheet could still be accessed, when typing the exact URL in the browser. People, who were aware of the exact URL, could therefore potentially still access the Excel sheet. The DPA confirmed that it was still possible to access the file on the controller's website on 1 December 2021. The controller deleted the file on 24 January 2022.

Despite the fact that the Excel sheet stayed online for several months after the initial complaint, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through the exact URL and not through any linking on the controller's website. This was also the reason why the controller decided not inform the affected data subjects. Also, the controller had not identified any serious harm as a result of this data breach.

Holding

First, the DPA found a violation of Article 5(1)(f) GDPR, since the publication of the Excel sheet enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.

Second, the DPA found a violation of Article 32 GDPR. The DPA held Article 32 GDPR requires the controller to have a complete protocol that must not only prevent the occurrence of the contingency, but, once it has occurred, react to the materialisation of the risk, so that the controller can guarantee the security of the processing. In this case, the controller failed to notice that the Excel sheet stayed online on the controller's website. The DPA also considered the fact that the controller did not involve IT services in this process, which the DPA considered 'obvious' in a situation like this. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks as a result of the breach. The controller also should have considered potential further risks as a result of the breach. The controller's argument that no data subjects were affected by the breach was also disregarded by the DPA.

Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the level of severity of the data breach after it had occurred. In this case, the DPA found that there were risks to the rights and freedoms of data subjects because of the reach. The controller should have notified the DPA, regardless of the fact whether harm had been caused to the data subjects.

On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringements of Articles 32 and 33 GDPR as "serious" offences, whilst the violation of Article 5(1)(f) GDPR was considered a "very serious" offence.

The DPA issued warnings for all of the above violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

https://www.aepd.es/es/documento/ps-00028-2022.pdf