AEPD (Spain) - PS/00028/2022: Difference between revisions

From GDPRhub

Revision as of 16:23, 28 February 2023

AEPD - PS-00028-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 33 GDPR; Articles 72, 73 and 77 Spanish Data Protection Act
Type: Complaint
Outcome: Upheld
Started: 31.03.2021
Decided:
Published: 03.02.2023
Fine: n/a
Parties: Getafe City Council
National Case Number/Name: PS-00028-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mapez

The Spanish DPA issued a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR. The administration had mistakenly published an Excel sheet containing personal data and then failed to remove it properly after the data subject had notified both the administration and the DPA.

English Summary

Facts

On 31 March 2021, the City Council of Getafe (controller) published an Excel sheet on its website. The Excel sheet contained personal data of vehicle owners who had requested an address change, including name, surname, tax identification number, ID number and vehicle registration number. It had thirty-six entries, but most of the data subjects listed appeared several times; it later turned out that seventeen people were affected by the breach. The controller had intended to publish a call for a plenary session and published this Excel document by accident instead.

On 31 March 2021, the data subject informed both the controller and the Spanish DPA of the breach. The controller then unlinked the Excel sheet from its website, so that it could no longer be reached by navigating the controller's website. It later became clear that no specialised IT personnel had worked on this solution.

However, the Excel sheet itself was not deleted and stayed online as an "orphan document": unlinking removed the navigation path to the file but not the file, so anyone who typed its exact URL into a browser could still retrieve it. The DPA confirmed that the file was still accessible on the controller's website on 1 December 2021. The controller deleted the file on 24 January 2022.

Although the Excel sheet stayed online for several months after the initial complaint, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through its exact URL and not through any link on the controller's website. For the same reason the controller decided not to inform the affected data subjects. The controller also had not identified any serious harm resulting from the data breach.
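The "orphan document" pattern in the facts above, reproduced as an added, constructed example (not part of the decision or of the GDPRhub summary): a static site is served from a temporary directory by Python's built-in HTTP server on localhost, the link to a spreadsheet is removed from the index page, and the direct URL is requested again. The file name vehicles.xlsx, the page text and the file contents are made up for the demonstration; the check `still_reachable` is the kind of post-removal verification a controller's IT staff would run before closing an incident.

```python
"""Orphan-document demonstration: removing the link to a file from a site's
navigation does not remove the file. Constructed example, served on localhost."""
import functools
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler that does not log every request to stderr."""

    def log_message(self, format, *args):  # noqa: A002 (signature fixed by base class)
        pass


def http_status(url, timeout=5):
    """GET url and return the HTTP status code; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def still_reachable(base_url, paths):
    """Post-removal check: which of the supposedly removed paths still answer 200?"""
    return [p for p in paths if http_status(base_url + p) == 200]


def demo_unlink_vs_delete():
    """Walk through the incident pattern and return the status of the direct file
    URL at each stage: while linked, after unlinking, after actual deletion."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.html")
    sheet = os.path.join(root, "vehicles.xlsx")  # constructed file name
    with open(index, "w", encoding="utf-8") as f:
        f.write('<html><body><a href="vehicles.xlsx">Plenary call</a></body></html>')
    with open(sheet, "wb") as f:
        f.write(b"constructed sample content, not a real spreadsheet")

    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/" % server.server_address[1]
    try:
        result = {"linked": http_status(base + "vehicles.xlsx")}

        # Stage 1: "unlink" the sheet by editing the page that pointed to it.
        # The web server still has the file in its document root.
        with open(index, "w", encoding="utf-8") as f:
            f.write("<html><body>Plenary call (link removed)</body></html>")
        result["after_unlink"] = http_status(base + "vehicles.xlsx")
        result["orphans_after_unlink"] = still_reachable(base, ["vehicles.xlsx"])

        # Stage 2: delete the file itself; only now does the direct URL stop serving it.
        os.remove(sheet)
        result["after_delete"] = http_status(base + "vehicles.xlsx")
        result["orphans_after_delete"] = still_reachable(base, ["vehicles.xlsx"])
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo_unlink_vs_delete())
```

The direct URL answers 200 both before and after the link is removed and only returns 404 once the file is deleted from the document root; that is the gap between "no longer reachable by navigating the website" and "no longer available", which the DPA's check on 1 December 2021 exposed.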

Holding

First, the DPA found a violation of Article 5(1)(f) GDPR, since the publication of the Excel sheet enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.

Second, the DPA found a violation of Article 32 GDPR. The DPA held that Article 32 GDPR requires the controller to have a complete protocol that must not only prevent the contingency from occurring but, once it has occurred, react to the materialisation of the risk, so that the controller can guarantee the security of the processing. In this case, the controller failed to notice that the Excel sheet stayed online on its website. The DPA also took into account that the controller did not involve IT services in this process, which the DPA considered 'obvious' in a situation like this. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks resulting from the breach and should also have considered potential further risks. The controller's argument that no data subjects were affected by the breach was disregarded by the DPA.

Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the level of severity of the data breach after it had occurred. In this case, the DPA found that there were risks to the rights and freedoms of data subjects because of the breach. The controller should have notified the DPA, regardless of whether harm had been caused to the data subjects.

On the basis of Articles 72 and 73 of the Spanish Data Protection Act (LOPDGDD), the DPA classified the infringements of Articles 32 and 33 GDPR as "serious" offences, whilst the violation of Article 5(1)(f) GDPR was considered a "very serious" offence. The DPA issued warnings for all of the above violations.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

https://www.aepd.es/es/documento/ps-00028-2022.pdf