AEPD (Spain) - EXP202305587: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202305587 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00221-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...") |
mNo edit summary |
||
(4 intermediate revisions by the same user not shown) | |||
Line 20: | Line 20: | ||
|Type=Other | |Type=Other | ||
|Outcome= | |Outcome=Violation found | ||
|Date_Started=18.03.2022 | |Date_Started=18.03.2022 | ||
|Date_Decided= | |Date_Decided= | ||
Line 63: | Line 63: | ||
}} | }} | ||
The DPA fined a processor €3 | The DPA fined a processor €3 million after it failed to conduct an adequate risk assessment and overlooked avoidable security vulnerabilities that resulted in a data breach affecting several of its companies and nearly 3 million data subjects. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. I-DE is the Iberdrola Company’s (the processor) energy distribution brand and one of its several companies. The | On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. (I-DE) detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. I-DE is the Iberdrola Company’s (the processor) energy distribution brand and one of its several companies. The Spanish DPA (AEPD) categorised Iberdrola as a processor within the meaning of [[Article 4 GDPR#8|Article 4(8) GDPR]] because it provides IT and maintenance services to the companies belonging to the Iberdrola Group. It thus processes personal data maintained by the companies belonging to the group (such as I-DE), which are controllers with regards to their clients' data. | ||
Upon analysing the 16 March attack, I-DE determined that the breach extracted the personal data of 1.35 million of its clients and included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, I-DE notified the breach to the AEPD. | The day after the attack on I-DE's GEA portal, there was a general slowdown across the processor’s companies’ various websites. After 17 March 2022, no suspicious traffic was observed on the processor’s websites. Upon analysing the 16 March attack, I-DE determined that the breach extracted the personal data of 1.35 million of its clients and included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, I-DE notified the breach to the AEPD. | ||
Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In accordance with such law, | Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In accordance with such law, I-DE stated that it could only access the personal data of users of its electric service and thus did not have access to the information of data subjects managed by other distribution companies. Nonetheless, I-DE communicated the breach to other companies of the processor’s group on 28 March 2022, noting that it could have affected information referring to their clients. It included internal codes corresponding to the affected clients so that the companies could verify if those clients’ data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients was affected, respectively. They notified affected data subjects by 1 April 2022. | ||
The AEPD | The AEPD conducted investigations into the three companies as well as the processor. On 8 May 2023, it initiated sanctioning proceedings against the processor for potential violations of Articles 5(1)(f) and 32 GDPR. | ||
The processor made a number of procedural claims, including a request that its case be joined with the AEPD’s sanctioning proceedings of I-DE ([https://www.aepd.es/documento/ps-00145-2023.pdf EXP202205206]). It noted that the attack on the GEA portal was the common security incident that prompted both cases. The processor argued that keeping the cases separate could result in a double imputation on I-DE and the processor of the same facts without elucidating each’s degree of responsibility. | |||
With regard to the substantive violations, the processor argued that the cyberattacker, not the processor, was responsible for the breach’s spread to other companies. The processor also noted that it had mechanisms in place to detect the breach almost immediately, which enabled it to respond rapidly and which indicate compliance with [[Article 32 GDPR]]. | |||
With regard to the substantive violations, the processor argued that the cyberattacker, not the processor, was responsible for the breach’s spread to other companies. The processor also noted that it had mechanisms in place to detect the breach almost immediately, which enabled it to respond rapidly and which | |||
=== Holding === | === Holding === | ||
The AEPD found that the processor violated | The AEPD found that the processor violated [[Article 5 GDPR#1f|Article 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]], and imposed a fine of €3,000,000. | ||
It began by rejecting the | It began by rejecting the processor’s request for joinder, finding that even though there was a common security incident, the cases involve distinct breaches of different sets of personal data. The AEPD also dismissed the processor's arguments that the AEPD violated | ||
In finding a violation of [[Article 32 GDPR|Article 32 GDPR]], the AEPD focused primarily on the inadequate separation between the processor's companies' data, as required under national law. In particular, I-DE's client codes were displayed in URLs and allowed the cyber attacker to connect client data to the processor's other companies. This corrupted the required separation between the companies' data. The AEPD also noted that the processor failed to demonstrate that it carried out a risk analysis with respect to its processing facilities. It | In finding a violation of [[Article 32 GDPR|Article 32 GDPR]], the AEPD focused primarily on the inadequate separation between the processor's companies' data, as required under national law. In particular, I-DE's client codes were displayed in URLs and allowed the cyber attacker to connect client data to the processor's other companies. This corrupted the required separation between the companies' data. The AEPD also noted that the processor failed to demonstrate that it carried out a risk analysis with respect to its processing facilities. Finally, the AEPD rejected the processor's argument that its quick response to the incident demonstrated compliance with [[Article 32 GDPR]]. It is not enough to have measures to react as soon as possible when confidentiality has been breached; the processor should also have had appropriate measures to prevent the violation to begin with. | ||
The AEPD also found that the processor violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. It focused on the failure to protect confidentiality of the personal data affected. In addition to lacking the security measures discussed above, the processor also did not have technical measures in place, such as pseudonymisation, that corresponded to the detail of the personal data it was regularly processing. | The AEPD also found that the processor violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. It focused on the failure to protect confidentiality of the personal data affected. In addition to lacking the security measures discussed above, the processor also did not have technical measures in place, such as pseudonymisation, that corresponded to the detail of the personal data it was regularly processing. | ||
== Comment == | == Comment == | ||
'' | The AEPD rejected the processor’s request for joinder with [https://www.aepd.es/documento/ps-00145-2023.pdf EXP202205206], an investigation against the controller, I-DE, arising out of the same incident. A [https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202205206 summary of this case is available on the GDPRhub]. | ||
The processor also made a number of procedural claims in addition to those outlined in this summary, including the following: | |||
<u>Claim that the AEPD violated principles of legal certainy, good faith and legitimate expectations</u>: The processor argued that the AEPD violated principles of legal certainty, good faith and legitimate expectations established in Article 3(2)(e) of Spain's [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10566 Law 40/2015]. In a letter sent in April 2022, the AEPD's Division of Technical Innovation indicated that "no further action is expected to be taken by this Agency" after its analysis of the security breach information. The AEPD's initiation of an investigation after sending this letter, the processor argued, violated [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10566 Law 40/2015]. | |||
The AEPD rejected this argument because the letter did not reflect a decision, much less an archiving of the case. Indeed, the only organ of the AEPD that is competent to dispose of a case is the Director. | |||
<u>Claim that the AEPD violated the principle of non bis in idem and that the AEPD violated the principle of proportionality:</u> The processor argued that a sanction for both Article 5(1)(f) and 32 GDPR in this case would constitute a double violation of the GDPR, when in fact [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] is merely a concretion of [[Article 32 GDPR]]. | |||
The AEPD disagreed with this interpretation, considering that while [[Article 32 GDPR]] articulates security obligations and the need to implement technical measures, [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] deals with the principle of confidentiality. While this can occur as a result of insufficient security measures, it is not a necessary result of inadequate security measures. The established facts, the AEPD concluded, determine the commission of the two different infractions. | |||
== Further Resources == | == Further Resources == | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' |
Latest revision as of 11:21, 30 April 2024
AEPD - EXP202305587 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Other |
Outcome: | Violation found |
Started: | 18.03.2022 |
Decided: | |
Published: | |
Fine: | 3,000,000 |
Parties: | Iberdrola Clientes, S.A. |
National Case Number/Name: | EXP202305587 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a processor €3 million after it failed to conduct an adequate risk assessment and overlooked avoidable security vulnerabilities that resulted in a data breach affecting several of its companies and nearly 3 million data subjects.
English Summary
Facts
On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. (I-DE) detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. I-DE is the Iberdrola Company’s (the processor) energy distribution brand and one of its several companies. The Spanish DPA (AEPD) categorised Iberdrola as a processor within the meaning of Article 4(8) GDPR because it provides IT and maintenance services to the companies belonging to the Iberdrola Group. It thus processes personal data maintained by the companies belonging to the group (such as I-DE), which are controllers with regards to their clients' data.
The day after the attack on I-DE's GEA portal, there was a general slowdown across the processor’s companies’ various websites. After 17 March 2022, no suspicious traffic was observed on the processor’s websites. Upon analysing the 16 March attack, I-DE determined that the breach extracted the personal data of 1.35 million of its clients and included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, I-DE notified the breach to the AEPD.
Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In accordance with such law, I-DE stated that it could only access the personal data of users of its electric service and thus did not have access to the information of data subjects managed by other distribution companies. Nonetheless, I-DE communicated the breach to other companies of the processor’s group on 28 March 2022, noting that it could have affected information referring to their clients. It included internal codes corresponding to the affected clients so that the companies could verify if those clients’ data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients was affected, respectively. They notified affected data subjects by 1 April 2022.
The AEPD conducted investigations into the three companies as well as the processor. On 8 May 2023, it initiated sanctioning proceedings against the processor for potential violations of Articles 5(1)(f) and 32 GDPR.
The processor made a number of procedural claims, including a request that its case be joined with the AEPD’s sanctioning proceedings of I-DE (EXP202205206). It noted that the attack on the GEA portal was the common security incident that prompted both cases. The processor argued that keeping the cases separate could result in a double imputation on I-DE and the processor of the same facts without elucidating each’s degree of responsibility.
With regard to the substantive violations, the processor argued that the cyberattacker, not the processor, was responsible for the breach’s spread to other companies. The processor also noted that it had mechanisms in place to detect the breach almost immediately, which enabled it to respond rapidly and which indicate compliance with Article 32 GDPR.
Holding
The AEPD found that the processor violated Article 5(1)(f) and 32 GDPR, and imposed a fine of €3,000,000.
It began by rejecting the processor’s request for joinder, finding that even though there was a common security incident, the cases involve distinct breaches of different sets of personal data. The AEPD also dismissed the processor's arguments that the AEPD violated
In finding a violation of Article 32 GDPR, the AEPD focused primarily on the inadequate separation between the processor's companies' data, as required under national law. In particular, I-DE's client codes were displayed in URLs and allowed the cyber attacker to connect client data to the processor's other companies. This corrupted the required separation between the companies' data. The AEPD also noted that the processor failed to demonstrate that it carried out a risk analysis with respect to its processing facilities. Finally, the AEPD rejected the processor's argument that its quick response to the incident demonstrated compliance with Article 32 GDPR. It is not enough to have measures to react as soon as possible when confidentiality has been breached; the processor should also have had appropriate measures to prevent the violation to begin with.
The AEPD also found that the processor violated Article 5(1)(f) GDPR. It focused on the failure to protect confidentiality of the personal data affected. In addition to lacking the security measures discussed above, the processor also did not have technical measures in place, such as pseudonymisation, that corresponded to the detail of the personal data it was regularly processing.
Comment
The AEPD rejected the processor’s request for joinder with EXP202205206, an investigation against the controller, I-DE, arising out of the same incident. A summary of this case is available on the GDPRhub.
The processor also made a number of procedural claims in addition to those outlined in this summary, including the following:
Claim that the AEPD violated principles of legal certainy, good faith and legitimate expectations: The processor argued that the AEPD violated principles of legal certainty, good faith and legitimate expectations established in Article 3(2)(e) of Spain's Law 40/2015. In a letter sent in April 2022, the AEPD's Division of Technical Innovation indicated that "no further action is expected to be taken by this Agency" after its analysis of the security breach information. The AEPD's initiation of an investigation after sending this letter, the processor argued, violated Law 40/2015.
The AEPD rejected this argument because the letter did not reflect a decision, much less an archiving of the case. Indeed, the only organ of the AEPD that is competent to dispose of a case is the Director.
Claim that the AEPD violated the principle of non bis in idem and that the AEPD violated the principle of proportionality: The processor argued that a sanction for both Article 5(1)(f) and 32 GDPR in this case would constitute a double violation of the GDPR, when in fact Article 5(1)(f) GDPR is merely a concretion of Article 32 GDPR.
The AEPD disagreed with this interpretation, considering that while Article 32 GDPR articulates security obligations and the need to implement technical measures, Article 5(1)(f) GDPR deals with the principle of confidentiality. While this can occur as a result of insufficient security measures, it is not a necessary result of inadequate security measures. The established facts, the AEPD concluded, determine the commission of the two different infractions.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/99 File No.: EXP202305587 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following Content BACKGROUND................................................. .................................................. .......3 FIRST:................................................ .................................................. ...............3 SECOND:................................................ .................................................. ..............3 THIRD:................................................ .................................................. ...............4 ROOM:................................................ .................................................. .................4 FIFTH:................................................ .................................................. ..................4 SIXTH:................................................ .................................................. ....................4 SEVENTH:................................................ .................................................. ................5 EIGHTH:................................................ .................................................. .....................5 Regulatory framework................................................ .................................................. ...5 Systems and database architecture. GEA Application.................................7 Regarding the chronology of the events. Actions taken in order to minimize adverse effects and measures adopted for their final resolution.....10 Regarding the causes that made the gap possible................................................13 Regarding the treatment manager contract................................................... .18 Regarding security measures................................................... ....................18 Regarding communication to those affected................................................... ...........25 Information on the recurrence of these events and number of analogous events events over time.............................................. .......................................25 PROVEN FACTS................................................ ................................................28 FIRST: First notification of personal data breach................................28 SECOND: Circumstances of the attack................................................... .......................31 THIRD: About the GEA application of I-DE.............................................. ...................35 FOURTH: About systems and database architecture. Access from Applications................................................. .................................................. ...........35 FIFTH: Causes that made the gap possible................................................ ...........37 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/99 SIXTH: Security measures established in the Database..............................................38 SEVENTH: immediate measures after the breach................................................... ..............38 EIGHTH: IBERDROLA as data processor with respect to IBERCLI and CURENERGY................................................. .................................................. ......39 NINTH: Risk analysis of the treatment affected by the data breach personal................................................ .................................................. .............41 TENTH: Number of people affected and type of data affected...................................42 LEGAL FUNDAMENTALS................................................. ...................................42 Competence................................................. .................................................. ........42 Previous questions................................................ .................................................. .42 Regarding the request for accumulation and the suspension of the deadline to formulate allegations................................................. .................................................. ...........43 Response to the allegations to the Startup Agreement................................................... ..........Four. Five FIRST: ON THE ACCUMULATION OF PROCEDURES.................45 SECOND. – ABOUT THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN RELATIONSHIP WITH THE PROCESSING OF THIS FILE AND THE VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE TRUST AND LEGAL SECURITY................................................ .......................................Four. Five THIRD.- ON THE ADDITIONAL AFFECTION OF THE PRINCIPLES OF THE SANCTIONAL LAW DERIVED FROM THE INTERPRETATION CARRIED OUT BY LAAEPD................................................... ...................................51 FOURTH.- REGARDING THE ALLEGED VIOLATION BY IBERDROLA OF THE ARTICLE 32 OF THE RGPD................................................ ....................................60 FIFTH. – ON THE ALLEGED VIOLATION OF THE PRINCIPLE OF SECURITY................................................. .................................................. .....65 SIXTH. – ON THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY TO THE DETRIMENT OF IBERDROLA'S RIGHTS .................................................. .................................................. .........................66 Response to the allegations to the Proposed Resolution................................................69 FIRST: Regarding the defenselessness generated by IBERDROLA as a consequence of not having agreed on the accumulation of procedures EXP202305587 and EXP202205206................................................ .................................................. ..70 SECOND: About the previous acts of the AEPD and the violation of the principles of good faith, legitimate trust and legal certainty................................70 THIRD: About the arguments supported by the Proposed Resolution to consider that bis in idem does not occur................................................. ..............76 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/99 FOURTH: On the application of the principles of the right to sanctions to activity of the AEPD and the concurrence of a media contest................................79 FIFTH: Regarding the lack of violation by I-DE of article 32 of the RGPD .................................................. .................................................. .........................84 SIXTH: Regarding the absence of violation of the principle of confidentiality and integrity................................................. .................................................. ...........95 SEVENTH: Regarding the violation of the principle of proportionality to the detriment of the rights of IBERDROLA................................................ ................................99 Integrity and confidentiality................................................ ...................................105 Classification of the violation of article 5.1.f) of the RGPD................................................... ..107 Penalty for violation of article 5.1.f) of the RGPD................................................. ......108 Article 32 of the GDPR................................................ ................................................110 Classification of the violation of article 32 of the RGPD................................................. ....113 Penalty for violation of article 32 of the RGPD................................................. .......114 BACKGROUND FIRST: On March 18, 2022, the Technological Innovation Division of this Spanish Data Protection Agency (hereinafter AEPD or the Agency) a security breach of personal data sent by I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. with NIF A95075578 (hereinafter, I-DE) as responsible for the treatment, in which you inform this Agency of the following: On the afternoon of March 15, 2022, an attack was detected against the information management website. connections (GEA) of I-DE. (…). At this time, no condition has yet been identified. personal information. The next day, March 16, a brute force attack is detected directed against the same target (GEA) as the incident the previous day. It repels taking action. On March 17, GEA reopens and analyzes the activity record and it is concluded that there has been extraction of personal data. It is indicated that the number affected is 4.5 million clients of this company. SECOND: On March 29, 2022, I-DE presents a new notification expanding the information about the security breach reported on the 18th of the same month, in which indicates that, after the forensic analysis of the incident, the number of its clients whose data 1.35 million have been affected and it is also probable that there is data affected clients of other companies in the Iberdrola group, since the attacker, could potentially have exceeded information security conditions exclusive of I-DE, jumping to ranges of information from other companies, which has already C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/99 been transmitted to the Company's Systems management for detailed analysis of other conditions in other companies or businesses of the Iberdrola group. Likewise, they indicate that the exact start date of the breach is March 7, 2022. and report that the breach has not yet been communicated to the affected people and which, at the latest, will be informed by March 31, 2022. Along with the notification, the following is provided: - Report “GEA cyber incident. Incident description and actions”, in which describes the attack suffered and also includes the text of the communication that will be sent to those affected. THIRD: On March 29, 2022, CURENERGIA MARKETER OF ULTIMO RECURSO SA, with N.I.F. A95554630 (hereinafter CURENERGÍA) presents security breach notification, in which it indicates that it was aware of it on 28 March 2022 that it has been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 1,550,000 of its clients, whom it has not yet informed but will do so no later than 03/31/2022. ROOM: On March 29, 2022, IBERDROLA CLIENTES, S.A., with N.I.F. A95758389 (hereinafter IBERCLI) presents a security breach notification, in the which indicates that it has been aware on March 28, 2022 that it has been affected for the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 85,000 of its clients, whom it still has not reported but will do so no later than 03/31/2022. FIFTH: Since April 2, 2022, claims for clients affected by the security incident, which have been progressively admitted for processing since May 9, 2022. SIXTH: On April 6, 2022, IBERCLI presents an extension of the notification of gap in which it reports that the people affected by it are 1,515,000 and that they have been informed of it on March 31, 2022 by communication addressed personally to each affected person (postcard, email, SMS or similar). Along with the notification, the following is provided: - Report “Cyberattack incident 03/28/2022. Incident description and Actions" - Annex Communication to interested parties C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/99 SEVENTH: On April 6, 2022, CURENERGÍA presents an extension of the notification of gap in which it reports that the people affected by it are 92,550 and that They have been informed of the same on March 31, 2022 by communication addressed personally to each affected person (postcard, email, SMS or similar). Along with the notification, the following is provided: - Report “Cyberattack incident 03/28/2022. Incident description and Actions" - Annex Communication to interested parties EIGHTH: The General Subdirectorate of Data Inspection proceeded to carry out prior investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: During these actions, the following entities have been investigated: - I-DE REDES ELECTRICAS INTELLIGENTES S.A. with NIF A95075578 (in forward, I-DE) - IBERDROLA S.A. with NIF A48010615 (hereinafter IBERDROLA) - IBERDROLA CLIENTES S.A.U. with NIF A95758389 (hereinafter, IBERCLI) - CURENERGIA COMERCIALIZADOR DE ULTIMO RESURSO S.A. with NIF A95554630 (hereinafter, CURENERGIA) Regulatory framework - The regulations governing the electricity sector, Law 54/1997, of November 27, of the Electrical Sector, imposes an obligation of total separation between the regulated activities, such as distribution, and liberalized activities, such as marketing. - The right that consumers of electrical energy have to access and connection to the transportation and distribution networks of electrical energy in the Spanish territory is specifically included in Law 24/2013, of 26 December, from the Electrical Sector. Distribution companies and marketing companies are two differentiated entities in the field of the Electrical Sector. In this sense the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/99 Law 24/2013, of December 26, of the Electrical Sector defines them as subjects different. - In accordance with the regulation of the electrical sector, the consumer, to receive electricity at your home, you need to be the holder of two contracts differentiated in relation to their point of supply (CUPS): On the one hand, the energy purchase contract, “contract of supply”, which is signed between a consumer and a company electricity marketer. Although it is also possible that the consumer acquires the electricity directly on the market, without the need for marketer, is not typical of natural person clients but of large electricity consuming companies, indicate I-DE, IBERCLI and CURENERGÍA in their response. On the other hand, the network access or distribution or transportation contract, “ATR contract”, which the consumer signs with the intermediation as agent of the marketing company with which it has contracted the purchase of electrical energy. Although you can also subscribe directly with the owner company of the network, is not typical of natural person clients but of large electricity consuming companies, indicate I-DE, IBERCLI and CURENERGÍA in their response. - When a customer wants to contract electricity at a supply point or make any contractual modification, said client goes to a marketing company, who on behalf of the client and as his agent contracts on its behalf the ATR contract, access contract to the distribution. Any contractual modification requested by a marketer to a distributor is made through XML digital requests complying with the exchange formats between agents established by the National Commission of Markets and Competition (CNMC), by virtue of the Resolution of 20 December 2016, which approves the formats of the data files exchange of information between energy distributors and marketers electricity and natural gas, and Resolution of December 17, 2019, by which New formats for information exchange files are approved between distributors and marketers and the Resolution of 20 December is modified. December 2016. Taking into account the above: - I-DE, electricity distributor of the Iberdrola group, states that can only access the data of its clients, that is, users of the electrical service whose supply point is within the network whose management, as a distributor, corresponds to you and not to those managed by other distribution companies. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/99 In relation to the users of your network, you know the information of the marketer of each consumer as a consequence of the signature with him (or with the marketer as agent of the consumer) of the ATR contract. - I-DE indicates that it would not have the capacity to know any type of information related to those who, being clients of IBERCLI or CURENERGIA, electric energy marketers of the Iberdrola group in the free market and regulated market, respectively, were not of this distributor. Systems and database architecture. GEA application (…) (…): - (…): (…) - (…). (…) (…): - (…). (…). - (…). (…). (…). (…). (…). (…). IBERDROLA indicates that the audit to verify the logical separation of the access to information by I-DE has its cause in what is established in the regulatory regulations of the electrical sector, which imposes an obligation of separation total between regulated activities, such as distribution, and liberalized activities, such as is marketing, so that distribution companies must prove the aforementioned separation. I-DE informs that, annually, it issues a report that is presented to the Ministry for the Ecological Transition and the Demographic Challenge (MITERD) and the National Commission of Markets and Competition (CNMC) to account for compliance with the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/99 obligations regarding separation of activities by the companies of the group formed by Iberdrola España and the companies in which it participates with regulated activities, that is, the company I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U., article 12.2 b) of the Electricity Sector Law and article 14 of the Code of separation of Activities of the Companies of the Iberdrola Spain Group with Regulated Activities (“CSA”) available on the Iberdrola Spain website, during exercise. (…). (…): “(…) Scope of work (…) (…). Procedures performed (…): - (…) - (…) (…) (…) Conclusions (…). (…). (…).” Regarding the chronology of the events. Actions taken in order to minimize the adverse effects and measures adopted for their final resolution. I-D states the following: - On March 15, in the afternoon, an attack was detected against the management website I-DE attacks, (GEA), the sequence of events being the following: (…). (…). (…). (…). (…). (…). - On the morning of March 16, 2022, there is a general slowdown access to various Iberdrola group websites. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/99 (…). (…). (…). (…). (…). (…). (…). - Starting March 17, 2022: (…). As of the 17th, no suspicious traffic or impact has been observed in none of the Iberdrola group's internet service systems. From the analysis of the activity log of the GEA application of the last days it is concluded on March 17 that a exfiltration, between March 7 and 15, 2022, of approximately 4.5 million interested parties (natural persons). (…). On March 28, 2022, the Systems Directorate communicates to IBERCLI and CURENERGIA the existence of a security incident in the I-DE systems that could have affected the information referring to the clients of these companies and includes information regarding the internal customer codes of those affected, so that the companies verify if data corresponding to Your clients. Information analyzed by IBERCLI and CURENERGIA verify that the security breach has affected personal data of clients of said companies. (…). - Likewise, I-DE states and certifies that since it became aware of the incident, the necessary actions were put into practice to, in coordination with affected organizations, comply with internal protocols established for this purpose and the applicable legislation, and which include the following Actions: Communication to INCIBE-CERT, National Institute of Cybersecurity in Spain, as a response team to security incidents Iberdrola reference computing. Communication to the Cybernetic Coordination Office, under the RDL 12/2018 on security of networks and information systems that refers the cybersecurity incident to the National Police for investigation, Communication to the National Center for Infrastructure Protection Criticisms under Law 08/2011 on Infrastructure Protection Critics. Presentation of a complaint to the National Police (Central Unit of Cybercrime) and the document presented by I-DE together with the same. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/99 Notification of the security breach to the AEPD and those affected. - In summary, the monitoring systems allowed the detection of a abnormal volume of traffic, a traffic analysis activity was launched greater detail and the immediate measures that were adopted were: (…). (…). (…). (…). (…). (…). (…). -IBERCLI and CURENERGIA state that the cessation of the incident occurred even before they were aware that it had affected personal data referring to its clients, resulting in said cessation of the additional security measures implemented by the Systems Directorate (of IBERDROLA) in the GEA application, aimed at preventing, from access to the itself could be exfiltrated by entering a random code information of the Database referring to clients of other Group entities. Regarding the causes that made the gap possible - (…). (…). (…): (…). (…). (…): (…) (…): (…) (…) (…) (…) either (…) (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/99 (…) (…) - (…) Regarding the affected data - Exfiltrated customer data (…): (…) - (…): (…) - (…): (…). - (…). - (…). (…). - (…). - (…). On March 28, 2022, the Systems Management notifies IBERCLI and CURENERGIA the existence of a security incident in the security systems I-DE that may have affected the information referring to the clients of these companies and includes information referring to internal customer codes of those affected, so that the companies verify if they have been able to see compromised data corresponding to their clients. IBERCLI and CURENERGÍA verify that the security breach has affected personal data of 1,515,000 and 92,550 clients, respectively. Regarding the data processor contract - The Group's Framework Agreement for the Protection of Personal Data is provided Iberdrola in which the scope of the provision of services to the Group companies carried out by IBERDROLA. This agreement has been updated in its Annex II, said update being pending formalization. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/99 Likewise, the Declaration of Acceptance of Iberdrola España S.A.U. is provided. of its adhesion to the Framework Agreement for the Protection of Personal Data of the Iberdrola Group, the aforementioned entity acting, in accordance with what is indicated in the second clause, in his own name and right and on behalf of the companies belonging to its corporate group over which it has direct or indirectly control, among which are I-DE, IBERCLI and CURENERGY. - IBERCLI and CURENERGIA provide a copy of the record of the activities of processing of personal data corresponding to the affected treatments through the gap: (…). (…). - IBERDROLA provides a copy of the records of the treatment activities corresponding to the treatments “Support and Maintenance of IT Infrastructures” and “Application Development (SWF)”, which is carried out in your status as the person in charge of the treatment, with respect to various treatments of the Group companies, among which are those affected by the security breach. Regarding security measures Regarding the risk analysis carried out on the treatment activity that has suffered the security breach before the breach occurred: - IBERDROLA states in a response letter that the Iberdrola Group has adopted a risk analysis methodology for data processing personal data that is implemented in an automated way in the company itself. corporate tool for recording treatment activities, so that In the registration process itself, the risk level of the treatment is determined. - In the case of treatments for which IBERDROLA acts as person in charge of the treatment, points out that the methodology involves carrying out the risk analysis in relation to each of the treatments with respect to those for which IBERDROLA holds said condition, so that this analysis is developed by the entity responsible for the treatment in collaboration with IBERDROLA - For this reason, the result of the risk analysis related to the specific treatments (…) are included in the Activity Records Treatment of I-DE and those of IBERCLI and CURENERGIA, having been communicated its results to IBERDROLA. (…). -Security measures implemented prior to the gap in treatments of data where it has occurred: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/99 I-DE, IBERCLI and CURENERGIA indicate in their responses that prior to the incident, the following common security measures were implemented to the IT infrastructure of the Iberdrola Group: - (…). - (…). - (…). - (…). - (…). - (…). - (…). - (…). Likewise, like IBERDROLA, they also describe the security measures specific to the GEA system: (…): (…) (…). (…) (…): - (…). (…): - (…). -Reason why the security measures implemented have not prevented the incident: (…): - (…). - (…) - (…). - (…). - (…). - (…). - (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/99 - (…). - (…). Measures adopted to avoid, as far as possible, incidents such as the one that occurred - (…) (…) Regarding communication to those affected On March 28, 2022, the IBERDROLA Systems Management notifies IBERCLI and CURENERGIA the existence of a security incident in the systems of I-DE that could have affected the information referring to the clients of these companies and includes information referring to the internal customer codes of the affected, so that companies verify if they have been compromised data corresponding to their clients. IBERCLI and CURENERGÍA state that after analyzing the information by their respective systems teams verify that the security breach has affected data personal of 1,515,000 and 92,550 clients, respectively. Likewise, they resolve to notify those affected of the security breach. The notification to those affected was carried out, between March 31 and April 1, 2022, at the clients whose email address was available, by sending massive electronic communications; and by postal mail to the rest on the 4th and April 5, 2022. - The three companies provide the communication model sent to those affected and it is verified that it complies with what is specified in article 34 of the RGPD. Information on the recurrence of these events and number of analogous events events in time. IBERDROLA states that apart from the security incident that is the subject of this procedure, no other procedure of a similar nature has occurred. NINTH: The IBERDROLA entity is a large company with a turnover of ***QUANTITY.1 euros in the year 2021 and ***QUANTITY.2 euros in the year 2022, according to a report from the Axesor entity. TENTH: On May 8, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD and Article 32 of the RGPD, typified in Article 83.5 of the RGPD and Article 83.4 of the RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/99 The aforementioned initiation agreement in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP). ELEVENTH: On May 24, 2023, IBERDROLA presents written by the one who requests the accumulation of this file with EXP202205206, as well such as the suspension of the deadline for the issuance of allegations until resolve on this request, indicating the following: IBERDROLA understands that the facts that serve as a basis for the exercise of power sanctioning that the Agency tries to exercise are or have a unique basis that affects the two sanctioning files that have been opened as differentiated, for which requests the accumulation of both sanctioning procedures when understanding that there is a necessary connectivity between them, that is, that it is a same situation that can result in the responsibility of both. Understand by IBERDROLA that the terms of said responsibility, total, partial, in degree of author, collaborator or anyone else who comes from criminal references only can be seen if the procedure is analyzed as a whole. IBERDROLA maintains that the lack of accumulation in the present case could imply a double imputation to two entities of the same facts, which the more many belong to the same business group, specifically the Iberdrola group of which IBERDROLA is the parent company. If both files are not consolidated, IBERDROLA states that it would prevent clarify the degree of responsibility of each of them, since the facts would be analyzed separately and without evaluating the alleged action simultaneous, in terms of responsibility, of the two entities against which both procedures are directed. In this way, a double imputation of the same facts to both entities without assessing whether or not it is shared or if the sanctioning reproach directed separately against both does not should be subject to reduction as a consequence of this supposed concurrence of responsibility. With this, it is limited, in the terms established in the jurisprudence constitutional that is reproduced below, the right to the defense of IBERDROLA, by not being able to analyze the concurrent circumstances in the case of a unified form as a consequence of the fragmentation caused by the opening of two different procedures. IBERDROLA understands that the budgets established in article 57 are met of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP) that justify the accumulation of the procedures, as well as the individualization of the relevance of their application to the present assumption: A) Existence of "intimate connection" or "substantial identity." IBERDROLA points out that, in the present case, on March 18, 2022, a personal data security breach, initially reported by I-DE. Is This same security breach determines the opening of the present C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/99 procedure in which responsibility is attributed to IBERDROLA, as well as that of that which is intended to accumulate with the present, open to elucidate the responsibility of I-DE. IBERDROLA indicates that connectivity, in the present case, derives, therefore, from that it is about purifying responsibility of two legal entities, but for the same fact: it is the Agency itself that makes it clear that it is a single breach of security and that on it is the one on which, where appropriate, the subjective responsibilities of IBERDROLA, in this procedure, and of I-DE in the procedure whose accumulation is requested. Therefore, IBERDROLA concludes that, since there are only a few facts for which imputes responsibility both to it and to I-DE, it is evident that the joint assessment of the same in order to determine if there is a liability joint or separate of both entities, as well as whether the liability would be for different title in each case. B) That the processing and resolution of the procedure corresponds to the same body. IBERDROLA points out that, together with the previous requirement, the LPACAP imposes respect to the general principle of competence of the body that must issue the resolution, a requirement which is fulfilled in the present case, given that the Law attributes the jurisdiction to the processing of both procedures to a single sanctioning body, so with accumulation is not lost or that competence is blurred as a consequence of the potential existence of different instructional bodies. In IBERDROLA's opinion, the essential effect of the accumulation of files is to that all issues to be resolved must be examined in a single procedure and decided in a single final act that jointly assesses the responsibilities of all those involved. IBERDROLA points out that the scheme it has just analyzed has, without a doubt, special characteristics in the sanctioning area due to the structure itself and the trial of value that it contains. He brings up several Rulings of the Constitutional Court to point out that the main principles and constitutional guarantees of the criminal order and criminal process must be observed, with certain nuances, in the administrative procedure sanctioning system such as the right to be informed of the accusation (SSTC 31/1986, 190/1987, 29/1989) and to use the relevant means of evidence for the defense (SSTC 2/1987, 190/1987 and 212/1990), as well as the right to the presumption of innocence (SSTC 13/1982, 36 and 37/1985, 42/1989, 76/1990 and 138/1990), rights fundamental, all of them that have been incorporated by the legislator into the regulations regulating the common administrative procedure. IBERDROLA understands that the fragmentation of the procedure into two procedures separated substantially affects the determination and verification of the facts relevant in it, as well as the delimitation of the potential responsibilities that may correspond to the entities to which the procedures whose accumulation is requested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/99 IBERDROLA therefore concludes that accumulation is a requirement of adequate instruction and the guarantee of the right of defense and that the separate processing of two disciplinary proceedings against two different legal entities for the same facts is detrimental to their interests. IBERDROLA understands that the lack of accumulation in the present case could imply a double imputation to IBERDROLA and I-DE, as has been said, of the same facts, without the accumulation allowing us to elucidate what the degree of responsibility of each one of them, since the facts would be analyzed in a separately and without going into assessing the supposed simultaneous action, in terms of responsibility, of the two entities against which both procedures are directed. Understands that maintaining the separation of procedures means in terms procedural a division of the cause that conditions the instructional action and of proposal because different instructions, evaluations and tests appear potentially different and, therefore, criteria that can be, equally, differentiated. For all of the above, IBERDROLA requests the accumulation of the two files cited and that the suspension of the deadline is also considered expressly requested for the formalization of allegations until the incident of accumulation that is proposed in accordance with this document. Likewise, IBERDROLA understands that, taking into account the nature of the request and the impact on the investigation of the files in question and, finally, on the right of defense of the interested parties in both procedures, by affecting substantially to the content of the allegations that IBERDROLA could make in the assumption of agreeing to the aforementioned accumulation, with the consequent reduction of their right to effective judicial protection in the form of using the means of proof necessary for the adequate defense of your rights, we request expressly suspends the deadline for formalizing allegations of so that they can be carried out in accordance with the instruction criteria that we are requesting. Therefore, IBERDROLA requests the suspension of the deadline for the formalization of allegations until the accumulation incident that arises is resolved in accordance with this writing. TWELFTH: On January 30, 2024, IBERDROLA presented a written allegations to the Proposed Resolution of the sanctioning procedure. THIRTEENTH Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/99 FIRST: First notification of personal data breach 1.-Notifications of personal data breach made by I-DE: A) On March 18, 2022, the Innovation Division was notified Technology of this Spanish Data Protection Agency (hereinafter AEPD or the Agency) a security breach of the personal data sent by I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. with NIF A95075578 (hereinafter, I-DE) as responsible for the treatment, in which it informs this Agency of the following: (…). It is indicated that the number of affected people is 4.5 million clients of this company. A) Dated March 29, 2022 (Registration number: REGAGE22e00010072289) I-DE presents a new notification expanding the information about the reported personal data breach, through the contribution of the report “GEA cyber incident. Incident description and Actions." dated March 28, 2022, according to which: “I-DE, within the provision of services to its clients, offers a web application called File Management and Connections (GEA): ***URL.1 This service allows customers or their representatives (installers) to carry out the relevant procedures for the process of a connection to the network. In the course of the application sessions, there is an exchange of client data information that is subject to the application's own security filters, so that each client (or delegated representative) will only be able to access the information that corresponds to the security and intended access profiles. It indicates that the number of affected I-DE clients is 1,350,000 Indicates the start date of the gap as March 7, 2022 Reports that the breach has not yet been communicated to the affected people and which, at the latest, will be informed by March 31, 2022. Likewise, in the aforementioned report “GEA cyber incident. Incident description and actions indicated: “6. Analysis of the extracted information Based on the information from the forensic analysis, i-DE has carried out an analysis of the records of potentially extracted information. From the file sent to i-DE with the clients affected by the security breach that contains 4.5 million records of natural persons, it has been proven that Approximately 1.3 million are i-DE customers. The attacker could potentially have exceeded the security conditions of the exclusive information from i-DE, jumping to ranges of information from other companies. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/99 Given the nature of the database architecture (which, having separation logic, shares common physical elements), this could mean that other data from clients were from companies other than i-DE, which is transmitted to the management of Company systems for detailed analysis of other conditions in other companies or businesses of the Iberdrola group.” 2. Notifications of personal data breach made by IBERCLI: A) dated March 29, 2022 (Registration number: REGAGE22e00010094106), IBERCLI presents notification of gap security, in which it indicates that it has been aware on March 28, 2022 that it has been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 1,550,000 its clients, whom it has not yet informed but will do so no later than 03/31/2022. A) Dated April 6, 2022 (Registration number: REGAGE22e00011889434), IBERCLI presents modification of the data breach notification personal data made on March 29, 2022, in which it reports that the people affected by it are 1,515,000 and they have been informed of the same on March 31, 2022 through directed communication personally to each affected person (postal, email, SMS or similar). Along with the notification, the following is provided: -Report “Cyberattack incident 03/28/2022. Incident description and Actions" -Annex Communication to interested parties 3. Notification of personal data breach made by CURENERGIA: A) Dated March 29, 2022 (Registration number: REGAGE22e00010095169), CURENERGÍA presents notification of breach of security, in which it indicates that it has been aware on March 28, 2022 that it has been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 85,000 of its clients, whom it has not yet informed but will do so no later than 03/31/2022. A) Dated April 6, 2022 (Registration number: REGAGE22e00011892653), CURENERGÍA presents modification of the data breach notification personal data made on March 29, 2022, in which it reports that the people affected by it are 92,550 and they have been informed of the same on March 31, 2022 through personally addressed communication to each affected person (postal, email, SMS or similar). Along with the notification, the following is provided: -Report “Cyberattack incident 03/28/2022. Incident description and Actions" C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/99 -Annex Communication to interested parties SECOND: Circumstances of the attack 1.As indicated in the summary of the report “GEA cyber incident. Description incident and actions.” provided by IBERDROLA in the written response to the information request made by this AEPD, during the actions preliminary investigation, presented on January 24, 2023 (Number of registration: REGAGE23e00004670187), and as also indicated in the report “GEA cyber incident. Incident description and actions.” dated March 28, 2022” and provided by I-DE along with the second personal data breach notification, The chronology of the attack is as follows: - “On March 15, in the afternoon, an attack was detected against the information management website. I-DE connections, (GEA) (…) (…) (…) (…). (…). - On March 16, 2022, in the morning, a general slowdown occurs access to various Iberdrola group websites. (…) - Starting March 17: (…). As of the 17th, no suspicious traffic or impact has been observed in none of the Iberdrola group's internet service systems From the analysis of the activity log of the GEA application of the last days it is concluded on March 17 that a exfiltration, between March 7 and 15, 2022, of approximately 4.5 million interested parties (natural persons). Provided to I-DE by the Systems Directorate the information related to the client codes of the interested parties, it communicates on date 28 March 2022 that, of the same, only 1.34 million records correspond to I-DE clients. On March 28, 2022, the Systems Directorate communicates to IBERCLI and CURENERGIA the existence of a security incident in the I-DE systems that could have affected the information referring to the clients of these companies and includes information regarding the internal customer codes of those affected, so that the companies C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/99 verify whether data corresponding to Your clients. Information analyzed by IBERCLI and CURENERGIA verify that the security breach has affected personal data of clients of said companies. (…) 2.As indicated by IBERCLI, in the report “Cyberattack incident 03/28/2022. Description incident and actions.” dated April 4, 2022” and provided together with the second notification of personal data breach, the chronology of the events is the following: "3. Facts Elements relating exclusively to the cyber attack are excluded from this story. to the i-DE GEA website, given that, as we know, the AEPD has already been informed of they. The events therefore begin from the moment in which, on the part of IBERCLI, it is knowledge of having been affected by the cyber attack: 1. On March 28, i-DE Systems received a notification indicating that, as a result of the analysis carried out by said company, it has been observed that among the affected clients there are those who do not correspond with i-DE customer codes. 2. After urgently analyzing the information given to us, we conclude that a total of 1.5 million IBERCLI clients have been affected, despite that the database architecture has implemented security measures logical separation and each society, by application, only has the capacity to access your own clients. 3. Once the impact of IBERCLI data has been confirmed, on 03/29, we proceed to notify the AEPD. 4. Work begins in parallel on notification to interested parties. Bliss notification is made in waves between 03/31 (400.00 notifications by email approx.), 01/04 (rest of email notifications) and 04/04 (sending of letters for clients for whom email is not available). It establishes a service device for affected customers, with a toll-free number and a specific email, and the usual channels are reinforced by giving instructions to address specific questions about the incident. It is included Attached is a copy of the communication sent. 5. IBERCLI has been integrated into a plan at the Iberdrola group level, in which technical and organizational measures adopted to avoid, as far as possible, possible, security incidents like the one that happened. It has been released for everyone Iberdrola group an urgent securitization plan, consisting of: to. Prevention (Infrastructure Controls) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/99 b. Vulnerability detection c. Remediation of detected vulnerabilities d. Review of emergency protocols 6. The scope of digital surveillance established for the i-DE incident, no publication having been detected to date in open sources or dark web” 3. As indicated by CURENERGIA, in the report “Cyberattack incident 03/28/2022. Incident description and actions.” dated April 4, 2022” and provided together with the second notification of a personal data breach, the chronology of the events is The next: "3. Facts Elements relating exclusively to the cyber attack are excluded from this story. to the i-DE GEA website, given that, as we know, the AEPD has already been informed of they. The events therefore begin from the moment in which, on the part of CURENERGIA, is aware of having been affected by the cyber attack: 1. On March 28, i-DE Systems received a notification indicating that, as a result of the analysis carried out by said company, it has been observed that among the affected clients there are those who do not correspond with i-DE customer codes. 2. After urgently analyzing the information given to us, we conclude that a total of 92,550 CURENERGIA clients have been affected, Although the database architecture has implemented security measures logical separation and each society, by application, only has the capacity to access your own clients. 3. Confirmed the impact of CURENERGIA data, on 03/29, we proceed to notify the AEPD. 4. Work begins in parallel on notification to interested parties. Bliss Notification is made in waves between 03/31, 04/01 and 04/04 (for email or by sending letters to clients for whom email is not available). HE establishes a service device for affected customers, with a number free and a specific email, and the channels are reinforced giving instructions to answer specific queries about the incident. A copy of the communication sent is included in the annex. 5. CURENERGIA has been integrated into a plan at the Iberdrola group level, in which which includes technical and organizational measures adopted to avoid, as far as possible, security incidents like the one that happened. It has been released for everyone Iberdrola group an urgent securitization plan, consisting of: to. Prevention (Infrastructure Controls) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/99 b. Vulnerability detection c. Remediation of detected vulnerabilities d. Review of emergency protocols 6. The scope of established digital surveillance is extended to CURENERGIA for the i-DE incident, with no detection of any publication in open sources or dark web” THIRD: About the GEA application of I-DE -i-de and IBERDROLA, in their written responses to requests made by this AEPD, indicate: -The GEA application is an i-DE web application that is used for the Management of Electrical Connections, this application is published on the Internet for access by part of the users (customers, installers, etc.) involved in the management process of those connection files: ***URL.1 -This service allows customers or their representatives (installers) to carry out the relevant procedures for the process of a connection to the network. In the course of the application sessions, there is an exchange of client data information that is subject to the application's own security filters, so that each client (or delegated representative) will only be able to access the information that corresponds to the security and access profiles intended -(…): ***URL.2 FOURTH: About systems and database architecture. Access from Applications. IBERDROLA, as the person in charge of processing and managing the database where The three affected companies store the personal data of their clients, indicates what following: “(…) (…).” FIFTH: Causes that made the gap possible IBERDROLA, in its response document presented on January 24, 2023, indicates: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/99 (…). (…). (…): • (…) • (…) • (…) • (…) • (…) • (…) • (…) • (…) • (…) (…) (…) SIXTH: Security measures established in the Database IBERDROLA, regarding the security measures established in the database, In its response document presented on January 24, 2023, it indicates what following: “(…).” SEVENTH: immediate measures after the breach IBERDROLA, in its response document submitted on January 24, 2023, indicates the following: “(…).” EIGHTH: IBERDROLA as data processor with respect to IBERCLI and CURENERGY In response to the information request made by this AEPD to IBERDROLA during the period of prior investigations related to the contracts signed in relation to data protection regarding the provision of services IT and security support provided to I-DE, IBERCLI and CURENERGIA, IBERDROLA, in its response document presented on January 24, 2023 (Registration number: REGAGE23e00004670187), indicates: - “It is provided as document No. 1, Framework Agreement for the protection of personal data for the Iberdrola Group, which details the scope of the provision of services to the Group companies carried out by my client, with the requirements established in article 28 of the General Data Protection Regulation. This C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/99 Agreement has been updated in its Annex II, which is provided as document number 1bis, with said update pending formalization. Likewise, a declaration of acceptance of Iberdrola España, S.A.U. of its accession to the aforementioned Framework Agreement, acting the aforementioned entity, as indicated in the second clause, in its own name and right and on behalf of the companies belonging to its corporate group on the that directly or indirectly holds control, among which are the three entities to which the information request refers. The aforementioned “Framework Agreement for the protection of personal data for the Iberdrola Group”, signed on May 18, 2018, is signed, on the one hand, by IBERDROLA and, on the other, by “the companies integrated into the group whose dominant entity, in the sense established by law, it is IBERDROLA (hereinafter Iberdrola Group) that signs the Declaration of Acceptance that appears as Annex I to this contract...". In said agreement (hereinafter PDP Framework Agreement), the following is indicated: In point 1 of “Explain”: “That the parties have signed a Framework Agreement for the Provision of Services Corporate which regulates the provision of corporate services of (…) systems (…) under the Single Corporation Model by IBERDROLA to the beneficiary Iberdrola Group companies (…) Point 11 “Therefore, this Data Protection Framework Agreement is established Personal under which access and processing of personal data is legitimized by IBERDROLA and the Group Companies (service providers) on behalf of other Group Companies (recipients of the service), complying with the different applicable personal data protection legislations, especially the RGPD and the Spanish legislation that governs the processing of personal data by part of IBERDROLA” In the “CLAUSES” section, it is indicated: SECOND CLAUSE. In its second paragraph it states: “(…)” This Annex, among other services, includes “Operation and support”, “Development” and “Systems Management” In CLAUSE SEVEN “Guarantees in the processing of personal data”, it is stated indicates: “7.5.- Obligations of the Data Processor. e) Security Measures. In accordance with the GDPR, apply appropriate technical and organizational measures to guarantee an adequate level of risk, taking into account the state of the technique, the costs of implementation, and the nature, scope, context and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/99 purposes of treatment, as well as risks of varying probability and severity for the rights and freedoms of natural persons. The security measures to be implemented are those indicated in Annex III of this PDP Framework Agreement” In response to the request for a copy of the registry referred to in article 30 of the RGPD, regarding the personal data processing activities of the aforementioned companies carried out under its responsibility, IBERDROLA responds: “The Records of Activities of Treatment corresponding to the treatments "Support and Maintenance of IT Infrastructures” and “Application Development (SWF)”, carried out by me principal in his capacity as person in charge of the treatment, with respect to various treatments of the companies of the Iberdrola Group, among which are the Affected by the security breach: • (…) • (…) Likewise, IBERDROLA indicates that “The Systems Management of the Iberdrola Group manages and operates the physical equipment that houses the information, providing service to the different companies of the Group”. NINTH: Risk analysis of the treatment affected by the data breach personal At the request of this AEPD for a copy of the risk analysis on the rights and freedoms of natural persons carried out on the processing activity that has suffered the security breach prior to the incident, both IBERCLI and CURENERGÍA provided the same document which is the scheme followed within of the Iberdrola Group for the assessment of risk in data processing personal and that is carried out in accordance with it: (…) Likewise, both companies attach a document explaining the logic followed for calculating the risk level according to this methodology, called “Logic “Risk Level calculation” They explain that this methodology is implemented in an automated way in the own corporate tool for recording treatment activities, so that In the registration process itself, the risk level of the treatment is determined. So that, The application of said methodology in relation to the treatment (…) showed as result in a MEDIUM risk level. This document analyzes circumstances or threats in the sense of indicated scheme, which are transferred to the Registry of Treatment Activities. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/99 TENTH: Number of people affected and type of data affected IBERCLI clients affected: 1,515,000 CURENERGIA clients affected: 92,550 Type of data affected: (…) FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is the processing of personal data, since IBERDROLA carries out, among other treatments, the collection, conservation, consultation, use, deletion, etc., of personal data of natural persons, such as: name, surnames, ID, postal address, telephone number, email address, bank details, data relating to electricity supply and consumption, current account, etc IBERDROLA carries out this activity in its capacity as person in charge of the treatment, in accordance with article 4.8 of the GDPR, since it processes these personal data by account of other companies belonging to the Iberdrola Group to which it lends, among others, Support and Maintenance services for IT Infrastructures and Development of applications (SWF). Specifically, in the case at hand, it provides these services as the person in charge of processing, among others, I-DE, CURENERGÍA AND IBERCLI. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/99 Article 4 section 12 of the GDPR broadly defines “violations of security of personal data” (hereinafter security breach) as “all those security violations that cause the destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data. In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, by a computer attack has occurred in a web application of one of the companies of the Iberdrola Group and that has caused illicit access by a third party not authorized to personal data from two other companies of the same Group and that were stored in the database shared by different companies of the group and which is administered and managed by IBERDROLA. Therefore, the gap security suffered has affected personal data processed by IBERDROLA in its status of person in charge of treatment. III Regarding the request for joinder and the suspension of the deadline to formulate allegations Regarding the request for accumulation of this file and EXP202205206 carried out by IBERDROLA, it should be noted that article 57 of the LPACAP establishes: “The administrative body that initiates or processes a procedure, whichever has been the form of his initiation, he may dispose, ex officio or at the request of part, its accumulation to others with whom it maintains a substantial or intimate identity connection, provided that it is the same body that must process and resolve the procedure. There will be no appeal against the accumulation agreement.” (emphasis is ours) Therefore, it is a possibility that the Administration has, not being obliged to proceed with the accumulation if requested. However, this does not prevent Motivate below the reasons why it has been considered appropriate. process both sanctioning procedures separately. Thus, although the two sanctioning files, one directed against I-DE and the other against IBERDROLA, S.A., start from the same security incident (the attack on the application GEA, I-DE web application), it has produced two personal data breaches different and differentiated, as reflected in the Factual Background of the present proposal, especially in the Eighth Factual Background, where reviews the information collected during the preliminary actions phase of investigation carried out by this AEPD. Thus, on the one hand, the attack occurred through an I-DE web application, taking advantage of a vulnerability in it and that allowed access to the database I-DE data and which affected the confidentiality of 1,350,000 I-DE clients. By Therefore, the sanctioning procedure related to EXP202205206 is directed exclusively C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/99 to I-DE as responsible for the processing of the personal data of its clients and as a result of an existing vulnerability in one of your web applications. On the other hand, not only personal data of I-DE was affected in the cyberattack, but, when accessing the I-DE database, which was hosted in a system in which databases from other companies in the same group coexist, the attacker taking advantage of database vulnerabilities gained access to the databases of two other companies, IBERCLI and CURENERGÍA, affecting the confidentiality of personal data of clients of the latter two. These different Databases of different companies are hosted or carried out in one system maintained and supported exclusively by IBERDROLA, which, consequently, is responsible for processing all of them, that is, I-DE, IBERCLI and CURENERGÍA. This fact has led to the initiation of this sanctioning procedure against IBERDROLA, but due to its responsibility as IBERCLI's data processor and CURENERGÍA and exclusively for the personal data breach that has affected only the personal data of the clients of these two companies marketing companies and only taking into account the responsibility that may have IBERDROLA regarding the configuration of the database it manages regarding of these two affected companies. In this sense, this impact on personal data of clients hosted in databases I-DE data cannot be part of this sanctioning procedure directed exclusively to IBERDROLA, since I-DE is not responsible for the data personal data of affected clients who belong to other companies, nor of the possible failure to adopt adequate measures to protect the confidentiality of the personal data of other companies hosted in a database managed IBERDROLA as the person in charge of the treatment. Therefore, the management of the databases must be analyzed independently. carried out by IBERDROLA with respect to these third companies, without being able to respond to I-DE for possible breaches of data protection regulations in said management. Therefore, the sanctioning procedures being directed at different subjects (two different companies), the personal data of clients from different companies may be affected. companies, I-DE having nothing to do with the data of other clients, be processed due to vulnerabilities or non-compliance with respect to different systems (in one a web application, from I-DE, in this, a database managed by IBERDROLA), etc., is Therefore, this AEPD has not considered accumulating the two files, but rather process the two sanctioning procedures separately, as it is clearly separate the responsibility attributed to each one, as well as dealing with gaps of different personal data and that affect personal data processed by different responsible parties. Likewise, this does not make IBERDROLA defenseless because at all times knows the facts of which he is accused, the infringement that they entail, the responsibility that has been incurred, as well as that it has had and has the opportunity to formulate allegations and present whatever documentation is deemed appropriate in defense of your interests permitted by applicable legislation. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/99 Finally, regarding the request for suspension of the deadline to formulate allegations to the Startup Agreement until a decision is made on the accumulation of the two procedures, it means that this possibility does not exist even in the applicable regulations of data protection (RGPD AND LOPDGDD) nor in the LPACAP. On the contrary, in What this last law establishes is the obligation that the procedures that must be completed by the interested parties are mandatory: “Article 73. Compliance with procedures. 1. The procedures that must be completed by the interested parties must be made within a period of ten days from the day following the notification of the corresponding act, except in the case that the corresponding norm states set a different deadline.” Therefore, the request for suspension is not applicable, as this does not legally exist. possibility, nor has it had any effect, having not been suspended, in consequently, the deadline for formulating allegations. IV Response to allegations to the Startup Agreement In response to the allegations presented, the following is stated: FIRST: ON THE ACCUMULATION OF PROCEDURES IBERDROLA reiterates the accumulation request again and refers to the request presented for this purpose on May 24, 2023. In this regard, it is appropriate to refer to what was argued in the Legal Basis above, in which a due answer to this question is given. SECOND. – ABOUT THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN RELATIONSHIP WITH THE PROCESSING OF THIS FILE AND THE VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE TRUST AND LEGAL SECURITY IBERDROLA alleges that this AEPD has violated the principles of legal certainty, good faith and legitimate trust established in article 3.2 e) of Law 40/2015, of 1 of October, of the Legal Regime of the Public Sector (hereinafter LRJSP) since by letter dated April 18, 2022, from the Innovation Division Technology of the AEPD, it is indicated, in relation to the additional information provided by I-DE regarding the personal data breach suffered by her, which “After the analysis Based on the additional information provided, the security breach has been updated in the record of notifications of security breaches and the start of others is not expected actions by this Agency.” However, later and without record no subsequent action until the date of the first information request which is addressed to I-DE (writing signed on July 8, 2022 by the acting Inspector) from which the initiation by the AEPD of actions of investigation, without any agreement or decision in this regard. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/99 IBERDROLA understands that this shows that it was not appropriate to carry out additional investigation related to the gap since the AEPD when signing the referred letter of April 18 considered appropriate the statements made by I-DE, IBERCLI and CURENERGIA, not appreciating in the gap the concurrence of any element that would justify carrying out investigative actions aimed at determining whether an alleged violation of the data protection regulations. However, IBERDROLA continues, the AEPD on May 9, 2022, agrees to the admission to processing of claims (formulated prior to April 18, 2022) and the initiation of prior investigation actions, but without it being stated in the file no action or circumstance related to this case that would have been contributed or occurred in the period between April 18 and the date of admission to processing and that justifies the start of the same. Likewise, IBERDROLA understands that the letter of May 18, 2022 implies that the AEPD considered that the information received from her about the breach was sufficient to understand that it did not participate in I-DE or in IBERDROLA or in any other of the entities that had proceeded to notify the incident any responsibility for an alleged breach of data protection regulations, which determined the filing of a file that, however, the AEPD decides to open days afterwards without any indication that implies a substantial change in the nature, circumstances or severity of the breach. From this IBERDROLA concludes that The AEPD adopted a decision that directly contradicts the previous one adopted just 20 days before. In this regard, it should be noted, first of all, that the aforementioned letter of May 18 of 2022 was aimed solely at I-DE and in relation to notifications carried out by the same to the Technological Innovation Division of this AEPD as consequence of a personal data breach suffered by her. Therefore, said writing in no way refers to the personal data breach. suffered by IBERCLI and CURENERGIA and for which this procedure is processed sanctioning IBERDROLA as the person in charge of processing them, by far Now try to extend it to this file. It is stated in the proposed resolution that, however, and for the sake of completeness of the above, regardless of whether the personal data breach reported by I-DE caused the breach suffered by IBERCLI and CURENERGÍA, we proceed to respond to the erroneous interpretation that IBERDROLA makes in relation to the aforementioned letter. Thus, said letter is signed in a generic way by the AEPD, it comes from the Division of Technological Innovation, which is responsible for receiving notifications of the personal data breaches and record them in the registry that maintains this purpose, and in the which indicated the following: “In relation to the additional information provided through check-in REGAGE22e00010072289, relating to a personal data breach in a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/99 treatment of I-DE REDES ELECTRICAS INTELLIGENTES S.A.U. we inform that: After analyzing the additional information provided, the security breach has been updated in the security breach notification log and not The initiation of other actions by this Agency is expected. However, we remind you of the need to investigate the causes of the incident until we understand how and why it has happened, and the obligation to take the timely actions to prevent it from happening again and minimize the impact potential on those affected, as well as the obligation to document any security incident that may affect personal data such as facts related to them and the corrective measures provided as and as established in article 33.5 of the RGPD. If over time you obtain indications that imply a change substantial in the nature, circumstances or severity of the breach, may make a new complete notification through our electronic office https://sedeagpd.gob.es/sede-electronica-web/. Likewise, we inform you that in the following link you have at your disposal the guide for managing and reporting data security breaches personal information published by this Agency: https://www.aepd.es/media/guias/guia- security-breaches.pdf” The heading includes “TECHNOLOGICAL INNOVATION DIVISION” On the left side of the document it is indicated that “Signed electronically by: Spanish Data Protection Agency. As of 04/18/2022” It is not signed by the Director of the Agency, it has no operative part in which something is agreed upon or resolved, nor does it have any indication of any recourse against the same. Therefore, and contrary to what I IBERDROLA affirms, this writing has no character decision-making, nor for its content, which only contains a forecast and which in some can be understood as assuming that this AEPD has assessed and decided that it does not participated in I-DE nor in IBERDROLA (although we insist that it is directed exclusively to I-DE) any responsibility for an alleged breach of the regulations of data protection, which means the archiving of some actions - as has wanted to understand IBERDROLA - nor because of its shape, because not even formally reflects a decision, much less a resolution to file any action, because for this to be so, the only competent body for this is the current Director of the AEPD. Thus, Article 13 of the AEPD Statute, approved By Royal Decree 389/2021, of June 1, the functions of the Presidency: 1. The Presidency of the Spanish Data Protection Agency is responsible for: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/99 d) Issue the resolutions and guidelines required for the exercise of functions of the Agency, in particular those derived from the exercise of powers provided for in article 57 of Regulation (EU) 2016/679 of Parliament European Parliament and of the Council, of April 27, 2016, and the exercise of powers of investigation and corrective powers provided for in article 58 of the cited Regulation. Therefore, to proceed with the archiving of investigation proceedings, it is required, first, that they have been initiated (either because a claim has been admitted for processing, either on their own initiative, which in both cases requires an express resolution signed by the Director), which had not happened at the time of issuance of the aforementioned writing from the Technological Innovation Division and, secondly, it is necessary again an express resolution on the part of the Director archiving said actions to understand, now, that from the information collected in said investigations, the existence of a violation of the regulations of data protection, which had not occurred. In the present case, after notification of the personal data breach by I-DE, CURENERGIA and IBERCLI, several claims were filed by people affected by it, which were admitted for processing jointly by the AEPD in compliance with article 64 LOPDGDD: Article 64. Form of initiation of the procedure and duration. 1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be adopted in accordance with the provisions of article 65 of this law organic. In this case, the period to resolve the procedure will be six months to count from the date on which the claimant was notified of the agreement admission to processing. After this period, the interested party may consider estimated your claim. 2. When the procedure aims to determine the possible existence of a violation of the provisions of Regulation (EU) 2016/679 and in this organic law, it will begin through a start-up agreement adopted on its own initiative or as a result of a complaint. If the procedure is based on a claim made before the Agency Spanish Data Protection Authority, in advance, will decide on your admission for processing, in accordance with the provisions of article 65 of this law organic. When the rules established in article 60 of the Regulation (EU) 2016/679, the procedure will begin by adopting of the draft agreement to initiate the sanctioning procedure, of which will give formal knowledge to the interested party for the purposes provided for in article 75 of this organic law. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/99 The claim is admitted for processing, as well as in the cases in which the Spanish Data Protection Agency acts on its own initiative, with prior to the initiation agreement, there may be a phase of actions prior investigation, which will be governed by the provisions of article 67 of this organic Law. Article 67. Previous investigation actions. 1. Before the adoption of the agreement to initiate the procedure, and once admitted for processing the claim if there is one, the Spanish Agency of Data Protection may carry out prior investigation actions to in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure. The Spanish Data Protection Agency will act in any case when it is requires research into treatments that involve massive trafficking of personal information. 2. Previous investigation actions will be subject to the provisions of the Section 2 of Chapter I of Title VII of this organic law and may not have a duration greater than twelve months from the date of the agreement of admission to processing or the date of the agreement by which its initiation is decided when the Spanish Data Protection Agency acts on its own initiative or as a consequence of the communication that had been sent to you by the supervisory authority of another Member State of the European Union, in accordance with the article 64.3 of this organic law. (emphasis is ours) From said regulations it is not inferred in any way that the AEPD has to justify the manner that IBERDROLA requires the initiation of prior actions in the sense that there must be something new or some new circumstance or that the claims have had to provide new and different circumstances regarding the documentation provided by I-DE in its notification of the breach to this Agency, since This is not required by the indicated regulations, in addition to the fact that it cannot be claimed that those affected contribute something new, apart from knowing that the confidentiality of your personal data due to a cyber attack, the circumstances of which they don't know. Precisely the previous investigative actions are carried out to clarify the facts and circumstances of what happened, gathering more information in order to be able to determine or not the existence of a possible violation of the regulations in data protection matters. In this sense, the beginning of previous investigations and its realization, the power of the AEPD with or without claims, does not prejudge anything, but that allows gathering the necessary information to determine whether or not there are indications of infringement. Even after said investigation, the proceedings may be archived to understand, in view of the information collected, that there are no indications of infringement. Which, in the present case, has not happened. What the regulations do indicate is that, after the presentation of claims, this Agency must decide whether to admit them for processing or not, having finally decided on their admission through, this time, an Admission Agreement for processing, signed by the Director of the Agency dated May 9, 2022. And, as indicated in article 67.2 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/99 referenced LOPDGDD, the AEPD can carry out prior actions of investigation in order to achieve a better determination of the facts and the circumstances. It is a power attributed to it by the RGPD and the LOPDGDD. Likewise, and to make matters worse, even in the event of there being no claims existed, the document from the Technological Innovation Division did not nor would it have been an obstacle or obstacle to the exercise of the powers of investigation that the AEPD has in accordance with the aforementioned article 64.2 that determines that “The claim is admitted for processing, as well as in the cases in which The Spanish Data Protection Agency acts on its own initiative, with character Prior to the initiation agreement, there may be a phase of prior actions of investigation…" Therefore, this sanctioning procedure has not been initiated due to the content or by some new information provided in the claims, but by the information and documentation obtained after the period of prior investigation actions, to the possible violations of protection regulations can be inferred from it. of data. On the other hand, IBERDROLA brings up the Supreme Court's ruling of 22 of February 2016 (resource 4048/2013), understanding that it is fully applicable to the case, which indicates: “According to the facts briefly stated, we can consider legitimate trust has been injured, since the Administration cannot adopt decisions that contravene the perspectives and hopes founded on the own previous decisions of the Administration. When you trust the stability of his criteria, evidenced in multiple previous acts in a same sense, which leads the administrator to adopt certain decisions, trust is generated based on the consistency of behavior administrative, which cannot be defrauded through an act amazing. […] It is worth keeping in mind that legitimate trust requires, ultimately, the concurrence of three essential requirements. Namely, that it is based on signs undeniable and external (1); that the hopes generated in the administered they must be legitimate (2); and that the final conduct of the Administration is contradictory with previous acts, is surprising and incoherent (3). Exactly what happens in the case examined, based on the facts previously reported. Let us remember that, with respect to legitimate trust, we have been declaring reiterated, by all, Judgment of December 22, 2010 (appeal contentious-administrative no. 257 / 2009), that << the principle of good faith protects the legitimate trust that may have been reasonably placed in the behavior of others and imposes the duty of coherence in the own behavior. Which is to say that the principle implies the requirement of a duty of behavior that consists of the need to to observe, with a view to the future, the behavior that previous acts predicted and accept the binding consequences that arise from one's own actions constituting a case of injury to the legitimate confidence of the parties "come contra factum propium >> (emphasis added) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/99 In this regard, it is meant that the doctrine established therein is not application to the present case, since, as indicated above, it has not been a decision of this Administration, neither by its form nor by its content, nor have they caused confidence in the stability of his criteria, since there has been no criterion in this regard, much less evidenced in multiple previous acts in a same sense, so the action of this Agency in relation to the alleged has not supposed a final conduct of her that is contradictory with previous acts that be surprising or incoherent, in the sense of the Court's doctrine. Finally, regarding the reference made by IBERDROLA regarding the fact that in the Agreement of the Director of the AEPD, of May 9, 2022, by which processing the claims made against IBERCLI, in which reference is made to the file AT/02233/2022, of which IBERDROLA indicates that it does not know what this is file, requesting that it be indicated whether any other file has been opened type of procedure against her and to whose file she has not been given access, It should be noted that the claims received are grouped under the aforementioned file. by those affected by the personal data breach suffered, which were admitted to processed jointly through the aforementioned Agreement, not assuming any file or procedure directed against IBERDROLA or against any of the member companies of the Iberdrola Group. In this regard, it is recalled again that said claims, being based on a personal data breach, they are only admitted for processing and this entails, as has been pointed out, the possibility of initiating investigative actions for the clarification of the facts and everything that happened, the documentation being and everything collected during said actions, which has motivated, exclusively, the initiation of this sanctioning procedure, and not the aforementioned claims, therefore that they are not part of this procedure. Likewise, it is reported that no no further processing is carried out beyond communicating (which does not notify) the claimants of the initiation, in this case, of a sanctioning procedure and also the resolution that falls on it. . For the above reasons, the claim made is rejected. THIRD.- ON THE ADDITIONAL AFFECTION TO THE PRINCIPLES OF THE SANCTIONING RIGHT ARISING FROM THE INTERPRETATION MADE BY LAAEPD IBERDROLA alleges in this section that the Startup Agreement incurs important violations of the principles of administrative sanctioning law, since it implies the imposition of two infractions whose content is, in reality, identical or with respect to which, at least, it is possible to appreciate the subsumption of one of them in the other: 1.Violation of the non bis in idem principle IBERDROLA alleges that in the Initiation Agreement the AEPD considers that the security implemented by it have not been, in its opinion, adequate and that this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 37/99 implies a double violation of the RGPD, on the one hand, it understands that IBERDROLA does not has adopted the appropriate technical and organizational measures required by article 32 of the GDPR; and, on the other hand, it considers that the principle of security has been violated, breaking, supposedly, article 5.1 f) of the GDPR, of which article 32 is nothing more than a mere concretion. IBERDROLA understands that this means that two different sanctions are imposed, respectively, considering that it lacks adequate security measures and because it understands that, due to the lack of such measures, a gap of confidentiality of personal data. And, furthermore, it establishes for both assumptions infringements, circumstances modifying the liability of IBERDROLA identical at all points, both in their determination and in the legal foundation of its imposition. IBERDROLA points out that it follows that the AEPD considers that the same fact (the alleged insufficiency of security measures) would constitute two infringements of the same protected legal good (the adequate guarantee of the rights and freedoms of the interested parties). And this, because it would sanction, on the one hand, the absence of the security measures that the AEPD considers necessary to adopt and, therefore, another, the principle of security and confidentiality, which requires the adoption of such measures. Therefore, IBERDROLA maintains that, incurring the triple identity of subject, fact and protected legal good, there is no doubt that the principle of non bis has been violated in idem, so it would only be possible to charge and punish for a single infraction, which in this case would only be for article 32, since it would only be possible to appreciate the supposed insufficiency of security measures. Faced with this, it is necessary to explain the difference between the violation of art. 5.1.f and the article 32 of the RGPD, which will be expanded in the following point regarding the allegation regarding the existence of media competition, as well as the different classification in sections even different from art. 83 of the GDPR and the different qualification of both the effects of prescription in the LOPDGDD. The art. 5.1.f) of the RGPD is violated when there is a loss of confidentiality, integrity or availability of personal data, which may occur or not due to the absence or deficiency of security measures. This principle only determines the channel through which the maintenance of confidentiality, integrity or availability when explicit “through the application of appropriate technical and organizational measures”, which are not Strictly security. IBERDROLA indicates that the appropriate technical and organizational measures to which mentions the art. 5.1.f) RGPD are the security measures of art. 32 of the GDPR. This would be to simplify the essence of the GDPR whose compliance is not limited to implementation of technical and organizational security measures; would mean, in our case, reduce the guarantee required through the principle of integrity and confidentiality to its achievement only with security measures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/99 When art. 5.1.f) of the GDPR refers to technical or organizational measures appropriate to guarantee the rights and freedoms of the interested parties within the framework of The management of regulatory compliance with the RGPD does so in the sense provided in the art. 25 of the GDPR regarding privacy by design. This precept determines that, “Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the treatment entails for the rights and freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment as well as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, such as data minimization, and integrate safeguards necessary in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties” (emphasis is our) It should be noted that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. However, art. 32 of the GDPR includes the obligation to implement measures appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Of security. Just for security. Furthermore, its objective is to guarantee a level of security appropriate to the risk. regardless of whether a security breach has occurred, while that in the case of article 5.1.f) of the RGPD, confidentiality and integrity and materializes, in this case, with the loss of confidentiality of the data. As can be seen, the two articles pursue different purposes, although they may be related. Already entering fully into the examination of the non bis in idem, the Court's Judgment National of July 23, 2021 (rec. 1/2017) provides that, “(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle prevents punishing the same subject twice for the same act with support in the same foundation, the latter understood as the same legal interest protected by the sanctioning regulations in question. In fact, when there is the triple identity of subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But in order to speak of "bis in idem" a triple identity must occur. between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing): a) Subjective identity assumes that the affected subject must be the same, regardless of whatever the nature or judicial or administrative authority that prosecutes and with C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/99 independence of who the accuser or specific body is that has resolved, or that be tried alone or in conjunction with other affected parties. b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real competition of infractions in which we are not faced with the same illegal act but before several. c) The identity of the foundation or cause implies that the sanctioning measures do not can coincide if they respond to the same nature, that is, if they participate in a same teleological foundation, what happens between penal and administrative sanctions, but not between the punitive and the merely coercive.” Taking as reference what was previously explained, the principle has not been violated non bis in idem, since, although roughly understood the facts are detected consequence of a personal data breach, the violation of art. 5.1.f) of the GDPR takes the form of a clear loss of confidentiality and availability, the violation of the art. 32 of the GDPR boils down to the absence and deficiency of security measures (security only) detected, present regardless of data breach personal. And all this in the face of the allegations made by IBERDROLA, which considers that in Both precepts require a single conduct, which is to implement security. appropriate. It is not true, since art. 5.1.f) of the RGPD is not restricted to the guarantee of security appropriate to the risk, but rather to guarantee the integrity and confidentiality. And not only through security measures, but through all kinds of appropriate technical or organizational measures. As has been indicated, through art. 5.1.f) of the RGPD, a loss of integrity and confidentiality, and through art. 32 of the RGPD the absence and/or deficiency of the security measures implemented by the person responsible for the treatment. Absent or deficient security measures, we add, that violate the GDPR regardless of whether the loss of data had not occurred. confidentiality and integrity. Finally, regarding the application of identical aggravating factors in both infractions, We must mean that the circumstances provided for in art. 83.2 of the GDPR and the provided in art. 76.2 of the LOPDGDD are the only ones that can be applied by AEPD for any infraction. The determining factor in this case, with respect to that provided for in art. 83.2.b) of the GDPR does not is that they coincide in their use, but rather the foundation established for their consideration. Having said all that, it is not considered that there is a violation of the principle of non bis in idem, enshrined in article 25 of the Spanish Constitution. 2. Subsidiarily, existence of medial competition between the two imputed conducts to IBERDROLA C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/99 IBERDROLA alleges that, on the other hand, the Initiation Agreement identifies (and intends to sanction) a plurality of infractions that, supposedly, he would have committed (what is flatly denied) when, in reality, one of them would be subsumed and embedded in the other, giving rise to a medial contest in the terms provided in the article 29.5 of the LRJSP. IBERDROLA understands that both infractions cannot be sanctioned, given that the commission of the alleged violation of article 32.1 of the RGPD would determine the alleged violation of article 5.1.f) of the same legal text and would be sanctioned for the same facts, since it considers that the alleged violation of article 5.1 f) would necessarily and inseparably bring about the alleged lack of implementation diligent of the measures referred to in article 32.1 of the RGPD. IBERDROLA brings up certain jurisprudence (for all, the Judgment 339/2015 of September 25, 2015 of the National Court - appeal 262/2014 - which cites the Supreme Court Sentence of February 8, 1999, -recourse 9/1996-): “the application of the medial competition requires a necessary referral of some infractions respect to the others and vice versa, so it is essential that some do not can be committed without executing the others.” Thus, there must exist “such a relationship between the infringements concerned that one of them necessarily derives from the other, so that the commission of one is not possible without executing the other” (for all, the Judgment of the National Court of December 26, 2013, - appeal 416/2012). Thus I-DE concludes that it is evident that such a relationship exists between the two infringements who intend to accuse her. In this regard, it means, as noted above, that art. 32 of the GDPR, although related to art. 5.1.f) of the GDPR does not circumscribe the principle In its whole. Thus, Article 5.1.f) of the GDPR is one of the principles relating to processing. The principles relating to the treatment are, on the one hand, the starting point and the clause of closure of the legal data protection system, constituting true informing rules of the system with an intense expansive force; on the other hand, at have a high level of specificity, they are mandatory standards that are susceptible of being infringed. Well, art. 5.1.f) of the RGPD includes the principle of integrity and confidentiality and determines that personal data will be processed in such a way as to guarantee adequate security of personal data, including protection against unauthorized or illicit treatment and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures of all kinds, not just security. Moreover, art. 32 of the GDPR regulates how the security of the processing in relation to the specific security measures that must be implement, in such a way that taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply measures appropriate technical and organizational measures to guarantee a level of security appropriate to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/99 risk that includes, among other issues, the ability to guarantee the data confidentiality. As has been noted, this provision, art. 32 of the GDPR, although related to the art. 5.1.f) of the GDPR does not circumscribe the principle in its entirety. The art. 5.1.f) of the GDPR strictly requires that confidentiality be guaranteed, and requires for its application a loss of confidentiality. We can find cases in which there are inadequate measures without resulting in a loss of integrity and confidentiality. Proof of this is not only this difference between the violation of art. 5.1.f and the article 32 of the RGPD, but the different classification in sections even different from the art. 83 of the GDPR and the different qualification of both for the purposes of prescription in the LOPDGDD. In the case examined, as stated in the proven facts, there is a clear loss of confidentiality revealed through a clear result: produced illegitimate access by an unauthorized third party to personal data. Likewise, as has been indicated, art. 5.1.f) of the RGPD is violated when produces a loss of confidentiality or integrity of personal data, which which may or may not occur due to the absence or deficiency of strictly safety measures. security. This principle only determines the channel through which the maintenance of confidentiality, integrity or availability when explicit “through the application of appropriate technical and organizational measures”, which are not Strictly security. IBERDROLA indicates that the appropriate technical and organizational measures to which Article 5.1.f mentions the security measures of art. 32 of the GDPR. This would be to simplify the essence of the GDPR whose compliance is not limited to implementation of technical and organizational security measures; would mean, in our case, reduce the guarantee required through the principle of integrity and confidentiality to its achievement only with security measures. As noted above, when art. 5.1.f) of the GDPR refers to appropriate technical or organizational measures to guarantee the rights and freedoms of interested parties within the framework of GDPR regulatory compliance management. does in the sense provided in art. 25 of the GDPR regarding privacy from design. We reiterate that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. And all this in the face of the allegations made to the contrary by IBERDROLA that considers that in both precepts a single conduct is required, which is to implement the adequate security. It is not true, since art. 5.1.f) of the RGPD is not restricted to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/99 the guarantee of security appropriate to the risk, but rather the guarantee of the integrity and availability. And not only through security measures, but through all kinds of appropriate technical or organizational measures. As we have indicated, through art. 5.1.f) of the RGPD, a loss of integrity and confidentiality and through art. 32 of the RGPD the absence and deficiency of the security measures implemented by the person responsible for the treatment. Measures absent or deficient security measures, we add, that violate the RGPD regardless of whether or not a loss of confidentiality has occurred and integrity. In the present case, the aforementioned article 32 has been violated regardless of whether ultimately suffered a breach of confidentiality or not, because the conduct reprehensible and that violates said precept is the lack or inadequacy of those measures, in themselves, that is, it is infringed and punished for it regardless of whether Whether or not a personal data breach has occurred. Which does not prevent, in In the event of a personal data breach materializing, this circumstance as an aggravating circumstance, in accordance with the RGPD. On the other hand, in the present case, so that we are faced with a violation of the article 5.1.f) it has been and is an unavoidable requirement that the confidentiality of the data be violated personal (which does not happen with the violation of article 32) Regarding the media competition, it should be noted that article 29 of the LRJSP does not It is applicable to the sanctioning regime imposed by the RGPD. And this is because: 1. The GDPR is a complete system. The GDPR is a community standard directly applicable in the Member States, which contains a new, complete and global system intended to guarantee the protection of personal data in a uniform manner throughout the European Union. In relation, specifically and also, to the sanctioning regime provided in the same, its provisions are applicable immediately, directly and integral, providing for a complete system without gaps that must be understood, be interpreted and integrated in an absolute, complete, integral manner, thus leaving the Its ultimate purpose is the effective and real guarantee of the Fundamental Right to Personal data protection. The opposite determines the loss of guarantees of the rights and freedoms of citizens. In fact, a specific example of the lack of loopholes in the system of GDPR is article 83 of the GDPR that determines the circumstances that can operate as aggravating or mitigating circumstances with respect to an infringement (art. 83.2 of the RGDP) or that specifies the existing rule regarding a possible medial competition (art. 83.3 of the GDPR). To the above we must add that the RGPD does not allow the development or realization of its provisions by the legislators of the Member States, safe from what the European legislator himself has specifically provided for, delimiting it in a very specific (for example, the provision of art. 83.7 of the RGPD). The LOPDGDD only C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/99 develops or specifies some aspects of the RGPD as far as it allows and with the scope that it allows. This is because the intended purpose of the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of natural persons, that corrects behavior contrary to the RGPD, that encourages compliance, which enables the free circulation of this data. In this sense, recital 2 of the RGPD determines that, “(2) The principles and rules relating to the protection of natural persons in what regarding the processing of your personal data must, whatever their nationality or residence, respect their fundamental freedoms and rights, in particularly the right to the protection of personal data. The present Regulation aims to contribute to the full realization of an area of freedom, security and justice and an economic union, to economic and social progress, to reinforcement and convergence of economies within the internal market, as well as well-being of natural persons.” (emphasis is ours) Recital 13 of the GDPR continues to indicate that, “(13) To ensure a consistent level of protection of natural persons throughout the Union and avoid divergences that hinder the free circulation of personal data within the internal market, a regulation is necessary that provides security legal and transparency to economic operators, including microenterprises and small and medium-sized businesses, and offer individuals of all Member States the same level of enforceable rights and obligations and responsibilities for those responsible and in charge of the treatment, in order to ensure consistent supervision of the processing of personal data and sanctions equivalents in all Member States, as well as effective cooperation between the supervisory authorities of the different Member States. The good functioning of the internal market requires that the free circulation of data personal property in the Union is not restricted or prohibited for reasons related to protection of natural persons with regard to data processing personal”. (emphasis is ours) In this system, the determining factor of the GDPR is not the fines. The corrective powers of the control authorities provided for in art. 58.2 of the RGPD conjugated with the provisions of art. 83 of the GDPR show the prevalence of corrective measures against fines. Thus, art. 83.2 of the GDPR says that “Administrative fines will be imposed, in depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in article 58, paragraph 2, letters a) to h) and j). In this way the corrective measures, which are all those provided for in art. 58.2 of RGPD except the fine, have prevalence in this system, the fine being relegated economic to cases in which the circumstances of the specific case determine that a fine be imposed together with corrective measures or in lieu of the themselves. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/99 And all this with the purpose of forcing compliance with the RGPD, avoiding non-compliance, encourage compliance and ensure that infringement is not more profitable than non-compliance. For this reason, art. 83.1 of the RGPD prevents that “Each supervisory authority will guarantee that the imposition of administrative fines pursuant to this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” (emphasis is our) For this system to work with all its guarantees, it is necessary that several elements are deployed in an integral and complete manner. The application of foreign rules to the RGPD regarding the determination of fines in each of the States members applying their national law, whether due to aggravating circumstances or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the Spanish case-, whether due to the application of a media contest different from that provided in the RGPD, it would remain effectiveness to the system that would lose its meaning, its teleological purpose, resulting in the fines imposed for different violations would no longer be effective, proportionate and dissuasive. And in this way the interested parties would also be robbed. of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. Mechanisms for the protection of rights and freedoms of citizens and would be contrary to the spirit of the RGPD. The GDPR is endowed with its own principle of proportionality that must be applied in its strict terms. 2. There is no legal loophole, there is no supplementary application of art. 29 of the GDPR. In addition to the above, it means that there is no legal gap regarding the application of the media contest. Neither the RGPD allows nor the LOPDGDD provides for the supplementary application of the provisions of art. 29 of the LRJSP. There is also no subsidiary application of art. 29 of the GDPR. In Title VIII of the LOPDGDD regarding “Procedures in case of possible violation of the regulations of data protection", article 63 that opens the Title provides that "The Procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, as far as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures." Although there is a clear referral to the LPACAP, it is not establishes in no way a subsidiary application with respect to the LRJSP that does not contains in its articles any provision relating to administrative procedure some. In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in art. 29 of the LRJSP, since the RGPD establishes its own, therefore, There is no legal loophole or subsidiary application of the same, nor is it possible to apply section relating to media competition and for identical reasons. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/99 In any case, the judicial precedents cited by the plaintiff regarding the competition medial come from the application of the LOPD of the year 99 that transposed the Directive 95/46/EC, the RGPD establishing a clearly different system. At that time, article 115 of Royal Decree 1720/2007, of December 21, which approves the Regulations for the development of Organic Law 15/1999, of December 13, of protection of personal data, it did provide for a supplementary application of the Law 30/1992, of November 26, on the Legal Regime of Administrations Public and Common Administrative Procedure. Thirdly, and now focusing on the specific case examined, and without prejudice From the above, it should be noted that there is no medial competition. Article 29.5 of the LRJSP establishes that “When the commission of an infraction results necessarily the commission of another or others, only the sanction should be imposed corresponding to the most serious infraction committed.” Well, the medial competition takes place when in a specific case the commission of an infraction is a necessary means to commit a different one. The established facts determine the commission of two different infractions, without the violation of article 32 of the RGPD (security of processing), as stated the appellant, is the necessary means by which the violation of the article 5.1.F) of the RGPD (principle of confidentiality). In conclusion, from all this and against everything argued, it has been proven that I-DE was not diligent because it did not adequately guarantee confidentiality of the personal data of its clients, as well as that it did not have the measures appropriate technical and organizational measures to ensure an appropriate level of security. For the above reasons, the allegation is rejected. FOURTH.- REGARDING THE ALLEGED VIOLATION BY IBERDROLA OF THE ARTICLE 32 OF THE GDPR IBERDROLA alleges that it is not satisfied that the Startup Agreement indicates that did not have the appropriate security measures to guarantee complete separation between the personal data of the different companies with respect to the which acts as the person in charge of the treatment, since it maintains that, as it has been demonstrating in the responses given to the AEPD in the different information requirements, it has been proven that it had implemented robust security systems that (…). IBERDROLA proceeds below to detail again how access to the information contained in the database by the different applications. Thus, as indicated, the database where the personal data of clients of the different companies of the Iberdrola Group is (…). However, (…) (…): C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/99 -(…). -(…). Therefore, although it is indicated that the client code is not accessible to users, it does not It is less true that, if a transaction is generated with the CUSTOMER table using the “client code”, this means that it does not have the previous filter of “Company Code”, and then Yes, you can access personal data from other companies once the code customer indicated in the URL corresponds to the customer of another company with the that only has this logical separation. Therefore, it was being allowed, By modifying the client code in the URL of this web application, data will be accessed personal data of clients of other companies with which there is no relationship and against which it is mandatory to safeguard their confidentiality against unauthorized third parties. That is, with or without cyberattack, what is reflected is that, modifying that code in the url, the implemented logical separation was circumvented. Therefore, it was not appropriate. or was insufficient, which represents a violation of art. 32, as it reflects a lack or insufficiency of appropriate measures to ensure adequate security, according to the risk, in the processing of personal data. IBERDROLA seems to maintain that the responsibility for this lies with the cybercriminal for taking advantage of a vulnerability in a web application. However, if the logical separation had been adequate (or if physical separation had existed), the attack would have been restricted exclusively to I-DE clients. The vulnerability exploited by the attacker was that the client code was displayed in the URL and that, in addition, it was allowed to modify said URL by making calls to the table CUSTOMER and thus access the personal data stored in that table. That later this would also allow access to personal data of clients from other companies. companies is a consequence of a poor logical separation in the database. This deficiency is precisely in allowing GEA's internal code, the “COD_CLIENTE” will generate transactions with the CLIENT table and will not have the filter previous “Company Code”. This was allowed because that's how it was set up (and therefore IBERDROLA declarations, as is also established in the applications from the rest of the companies that share the CUSTOMER table and the same logical separation) Therefore, the cybercriminal did not exploit that vulnerability in the logical separation in the affected board, but ran into it. In this sense, it is not acceptable that, under any circumstances, it can be accessed from an application from one company to the personal data of clients of other companies. This is the responsibility of IBERDROLA since, as the person in charge of treatment, manages the Group's database. On the other hand, IBERDROLA alleges that the AEPD has linked the alleged non-compliance with article 32 with the production of the result that occurred as consequence of the concurrence of a series of factors that were unpredictable and that were detected and resolved immediately. He concludes therefore that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/99 AEPD is imposing, with regard to the adoption of security measures, an obligation of result, but which is nevertheless an obligation of means. In this regard, it brings up or stated by the Supreme Court in its ruling of February 15, 2022 (cassation appeal 7359/2020), which clearly states clear way that the obligation imposed by data protection regulations personnel, to adopt technical and organizational measures aimed at guaranteeing the confidentiality, availability and integrity of the information, is an obligation of means and not result. In this regard, it should be noted that the aforementioned Judgment effectively indicates, above all security measures regarding data protection, that “… the obligation that falls on the person responsible and on the person in charge of the treatment with respect to the adoption of necessary measures to guarantee the security of personal data personnel is not an obligation of result but of means, without the obligation being enforceable. infallibility of the measures adopted. Only the adoption and implementation of technical and organizational measures, which according to the state of the technology and in relation to the nature of the processing carried out and the data personal data in question, reasonably allow to avoid its alteration, loss, “unauthorized treatment or access.” (emphasis is ours) However, the Judgment continues indicating, in the specific case analyzed in same, that “…the program used to collect customer data does not contained no security measures that would allow checking whether the address of email entered was real or fictitious and whether it really belonged to the person whose data was being processed and gave consent for it. The state of the technique at the time these events occurred made it possible to establish measures aimed at verifying the veracity of the email address, conditioning the continuation of the process for the user to receive the contract at the address provided and only from it provide the necessary consent for its collection and treatment. Measures that were not adopted in this case. (…) So, at the time these events occurred, there were technical measures related to the registration process, which would have prevented the filtration of personal data produced. This implies that the technical measures adopted did not comply with the security conditions in the terms required in art. 9.1 of the LO 15/1999, therefore incurring the infringement provided for in art. 44.3.h) consisting of "Maintain the files, premises, programs or equipment that contain personal data without due security conditions that via regulations are determined [...]". (…) It is stated that the technical security measures referred to the program IT was the responsibility of Telefónica Consumer Finance, which designed the program and was the responsible for the file and the treatment, and that the sanctioned company only acted on its behalf, collecting data from clients who opted for the financing. The truth is that the person in charge of the treatment - the natural or legal person that, alone or jointly with others, processes personal data on behalf of the responsible for the treatment, art. 4 section 8 of the Regulation, such as art. 3.g) of the LOPD 15/1999, and the collection of data implies processing (art. 3.c),-also must adopt the necessary technical and organizational measures to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/99 guarantee the security of personal data, as provided in art. 32.1 of Regulation (EU) 2016/679 of the Parliament and of the Council and art. 9.1 of the LOPD and is subject to the sanctioning regime established in the Law (art. 43 of the LOPD 15/1999). The appellant company processed customer data on behalf of the person responsible for the file so she implemented and used said program being knowledgeable, or would have should be, that it lacked the necessary security measures…” (the emphasis is ours) Therefore, although it is inferred from the Judgment that the obligations established by the Article 32 of the GDPR are media, it also makes it clear that, if at the time of When the incident occurred, there were adequate technical measures to avoid or mitigate the effects thereof and were not applied, this represents a breach of the aforementioned obligation imposed by the RGPD and, therefore, a violation of it. In the present case, as has been pointed out, there was a vulnerability or poor configuration of access to the database managed by IBERDROLA as person in charge of the treatment, which was also avoidable because it could have configured in another way or, as you have indicated that you plan to do, proceed to separate the systems that make use of the common data infrastructure center, that is, proceed to store the personal data of the companies affected in exclusive and separate tables. This clearly shows a breach of article 32 of the RGPD, for as requires appropriate measures to guarantee a level of security appropriate to the risk, and all this taking into account the state of the art, the application costs and the nature, scope, context and purposes of the processing. IBERDROLA also alleges that the security breach is not caused by what insufficient of the measures adopted, but of the intense activity carried out by a third party with the sole intention of carrying out the cyber attack that caused harm not not only from the clients of the Group companies, but from the companies themselves that they suffered. Faced with this, it should be noted that total infallibility of the measures that can be taken to ensure adequate protection in the processing of personal data. However, once the attack occurs, it must evaluate the diligence of those responsible and in charge in the application of the measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing. In the present case, IBERDROLA did not have, at the time of the breach data protection, with appropriate measures in relation to the risks of the processing for the protection of personal data, since as indicated, There was a vulnerability in the configuration of access to the database managed by IBERDROLA as data processor. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 49/99 Finally, in accordance with the Judgment of June 22, 2021- Rec. 1210/2018, and the Judgment of November 5, 2011 - Rec. 1796/2019, in which the subjective or culpable element, it is insisted that the guilt of the plaintiff cannot be considered excluded or attenuated by the fact that the fraudulent action of a third party, since the responsibility of the plaintiff does not derives from his actions, but from his own. Finally, IBERDROLA points out that it had implemented mechanisms that allowed the almost immediate detection of the personal data breach suffered, adopting immediately, so he understands that his quick action is a clear example of that by the same was given, and is given, complete compliance with the provisions of the article 32.1 c) of the GDPR, when it refers to “the ability to restore the Availability and access to personal data quickly in the event of an incident physical or technical”, something that, however, has not been sufficiently valued by part of the Initiation Agreement. In this regard, both in the Initiation Agreement and in this proposal it has been taken into account that IBERDROLA, through the Systems Department, reacted as as quickly as possible and proceeded to take measures aimed at repelling the attack and to avoid its repetition, considering it as an extenuating circumstance in accordance with article 83.2.c) RGPD. Finally, IBERDROLA indicates that article 82.2 of the RGPD establishes in its section second that “[a] manager will only be liable for damages and losses caused by the treatment when you have not complied with the obligations of the present Regulations specifically addressed to those in charge or have acted outside or against the legal instructions of the person responsible.” Although IBERDROLA points out that this standard is included within the provisions contained in the RGPD related to the right to compensation and responsibility, considers that if a person in charge of the treatment, as is your case, must be responsible for the damages that eventually the interested parties could have suffered as a consequence of the treatment in the event of that you have complied with the obligations that, as a processor, the RGPD imposes on you, nor would it be possible to demand any responsibility from him in the area sanctioner. Therefore, IBERDROLA reminds that it has fully complied with the obligations that the RGPD imposes on it as the person in charge of processing i-DE, IBERCLI and CURENERGIA, following in all cases its instructions and adopting, in particular, the security measures required to prevent the loss of availability, integrity or availability of the data for which each of them is responsible said companies, which would determine the necessary archiving of this procedure. In light of this, it is appropriate to refer to everything indicated above in this document. Basis of Law, as it reflects that IBERDROLA, as in charge of treatment that administers and manages the database affected by the cyberattack, not fulfilled its obligations in relation to the adoption of technical measures and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/99 appropriate organizational measures to guarantee a level of security appropriate to the risk, which, where applicable, included, among others, the ability to guarantee confidentiality, permanent integrity, availability and resilience of security systems and services processing as required by article 32 of the GDPR. For the above reasons, the claim made is rejected. FIFTH. – ON THE ALLEGED VIOLATION OF THE PRINCIPLE OF SECURITY In this section, IBERDROLA alleges that it has not been proven, not even indicatively, the fraudulent use of personal data, limiting the Agreement of I begin to consider that there is a very high risk nor that it has materialized in the practice. In this regard, it is worth clarifying that what is being attributed to IBERDROLA is the violation of the principle of confidentiality since it is clear that, after suffering an attack computer against the GEA website of the I-DE company, in addition to producing access illegal access to personal data processed by it, there was also illegitimate access to personal data -and the extraction thereof- by an unauthorized third party, which It meant the loss of confidentiality and control of numerous personal data (…) and that affected 4,515,000 IBERCLI clients and 92,550 CURENERGIA clients. This represents a breach of the duty to guarantee the confidentiality of the data. personal, since as has been indicated, article 5.1.f) indicates that they must be treated in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing. Regarding the high risk that these data, in the hands of cybercriminal/s, were used fraudulently, this was indicated to express what involves the loss of confidentiality, but is not necessary in any way, to understand violated article 5.1.f) that said risks of fraudulent use are materialize, because what has materialized with the gap is the loss of confidentiality of personal data, which is what is exclusively attributed. On the other hand, IBERDROLA once again insists in this section regarding its understanding that the AEPD considered the breach reported by it to be archived and that the claims were not provide nothing new and, therefore, nothing seems to justify the reopening of the investigation when it had been archived. In this regard, it is appropriate to refer to everything already argued in relation to this in the Second section of this Legal Basis. Therefore, the claim made is rejected. SIXTH. – ON THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY TO THE DETRIMENT OF THE RIGHTS OF IBERDROLA C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/99 IBERDROLA alleges that the sanctions imposed violate the principle of proportionality, since the AEPD, to determine the amount of the sanctions, has resorted to completely generic criteria. Thus, regarding the alleged negligence in its actions, IBERDROLA indicates that has proven that the events that occurred occurred at a specific time and that were resolved very quickly, so the measures adopted before the incident mitigated its effects. This immediate solution to the incident, which shows that they did have planned actions in the event of a possible attack on their systems. Faced with this, it should be noted that the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk that for the rights and freedoms of natural persons may have the processing of personal data They cannot in any way be only reactive measures, that is, to solve immediately a personal data breach. Thus, article 32 of the GDPR not only indicates that they must guarantee adequate security, but also that said Measures should include the ability to ensure the confidentiality, integrity, ongoing availability and resilience of treatment systems and services (letter b of article 32.1 GDPR). Therefore, it is not enough to have measures to react as soon as possible when confidentiality has been breached, we must have also appropriate prior measures to prevent said violation. And this because Equally or more important are the measures aimed at safeguarding confidentiality, the integrity and availability of personal data, that is, the measures preventive measures aimed at avoiding any violation of this. Therefore, it cannot be accepted that the measures that IBERDROLA had implemented were adequate in that they allowed the incident to be resolved later, since This only demonstrates the existence of corrective measures. However, what allowed those reactive measures was the cessation of the attack once it had occurred and the restoration of the service, that is, regarding the protection of personal data avoided a greater impact and this has already been taken into account as a mitigating factor in the present sanctioning procedure, but in no way can they solve the loss of confidentiality of the affected personal data, since it is already had materialized. That is, the confidentiality of personal data is guaranteed above all with precautionary measures. In this sense, it has already been indicated in the response to the allegation Fourth of this Legal Basis the absence of technical measures and appropriate organizational measures to ensure proper separation of data personal data of clients from at least three different companies. Therefore, all of this only reflects a lack of diligence on the part of IBERDROLA when it comes to guaranteeing security adequate to the risk of data processing carried out. In this sense, it should not be forgotten that in the affected database personal data of millions of people are stored clients, which involves large-scale treatment, which, in turn, are accessed from web applications, that is, from the Internet, which requires security measures suitable for this and specifically aimed at ensuring that there is no illegitimate access to said personal data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/99 On the other hand, IBERDROLA indicates that it does not agree with it being considered as aggravating the linking of their activity with the performance of data processing personal, since he understands that his behavior is getting worse because he belongs to the electrical sector and that therefore special diligence must be required, and that this once again violates the principle of proportionality. Faced with this, it means that their behavior is not aggravated by belonging to the sector electrical, but because its activity, the development of its business, involves and requires continuous and abundant processing of personal data, as demonstrated by the fact that it processes data from millions of people. Therefore, as indicated in the Startup Agreement, IBERDROLA is a company accustomed to the processing of personal data, which entails, once again, the requirement of a higher degree of diligence. On the other hand, it is noted that article 83.2 of the RGPD provides that “When deciding the imposition of an administrative fine and its amount in each individual case will be due account: (…) k) any other aggravating or mitigating factor applicable to the circumstances of the case…". In this sense, the Spanish legislator has considered including in article 76 of the LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of the Regulations (EU) 2016/679 may also be taken into account: (…) b) The linking of the offender's activity with the performance of treatments of personal data.” This Agency simply takes into consideration that circumstance, provided for by the legislator, when deciding the imposition of the administrative fine. It should be noted that, for the purposes of deciding the imposition of a fine, it cannot have administrative, the same consideration as an infraction produced by a natural person or a small company not accustomed to the processing of personal data, which a large company like IBERDROLA, accustomed to the processing of personal data of millions of clients, with a long history behind them in this regard. By assumption that the violation is considered to be more serious for the purposes of imposing a fine if the person responsible for the treatment is among the latter, as is the case of IBERDROLA On the other hand, it alleges the lack of proportionality comparing it with the file PS/00179/2020, in which it indicates that he was only fined 500,000 euros despite that not only was confidentiality breached, but that the breach was not notified to the AEPD, something that IBERDROLA has done, but, nevertheless, the sanction is considerably smaller. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 53/99 In this regard, it should be noted, on the one hand, that in terms of data protection the technical and organizational security measures to be adopted by those responsible for the treatment and other obligations to comply required by the RGPD, must be the appropriate in relation to the specific risks posed by the specific treatments carried out by each person responsible. Therefore, when analyzing the diligence of some and others in compliance with the regulations must be based on the circumstances of each case, taking into account the nature, scope, context and purposes of each treatment, therefore there are no identical cases. On the other hand, article 83 establishes that 1. Each supervisory authority shall ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case…” (The emphasis is ours) Therefore, it is necessary to attend to the circumstances of each individual case, there being no two identical files and, therefore, with equal results. As an example, in the file that brings up those affected were less than half than in the case which concerns us now; the violation of art. 32 of the GDPR, it was for another type of insufficiency in measures to guarantee adequate safety for the treatment; These were events that occurred in 2018, the year in which it became mandatory GDPR compliance, which is not the same as four years later; it is not the same knowledge of the technique a few years before and after, especially due to the rapid progress of it, etc. Likewise, it is pointed out that there are many other files after and before the present in which the violation of the confidentiality of data such as the violation of security measures of the article 32 of the RGPD, although, as has been pointed out, the specific circumstances of the case. Finally, and for completeness, it is not appropriate to demand equality in illegality. The Jurisprudence is clear on this. Thus, the Judgment of the National Court of April 28, 2023 (SAN 04/28/2023 REC. 409/2021 indicates that “A deal is referred to discriminatory sanction since that fine or economic sanction can be replaced by the measures of art. 58 GDPR, less burdensome measures as could be the warning. And refers to other infractions committed by other entities. Of course the plaintiff tries to compare this situation with another sanctioning procedure that is mentioned, but we are not dealing with a deal discriminatory or that the principle of equality is violated since it is a principle that only operates within the framework of legality when equal factual situations have a different treatment without reasonable justification. As the STS of January 20 points out 2004, "equality must be preached within the law, so that if the action correct of the Administration is the one now prosecuted, as we have declared, the invoked as contrary to it was not and, consequently, it cannot be used to request that equal treatment be applied to the appellant, since, as this Chamber of the Court C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 54/99 Supreme Court has declared in its sentences of June 16, 2003, July 14, 2003 and October 20, 2003 that "the principle of equality has no significance for protect a situation contrary to the legal system", and this, as indicated by the Sentencing chamber, regardless of the fact that the administrative action has not been proven alleged as contradictory to the present one". In the same sense, the STS of April 2, 2014 (Rec. 1916/2010) indicates that "the legality prevails over a possible injury to the principle of equality." In this case, We are facing an administrative infraction that is intended to be compared with another that has had a different solution, but from what is observed in the allegation that is formulated the plaintiff can hardly make a comparison of a situation and another. Let us remember that according to the consolidated constitutional doctrine for To appreciate the occurrence of a violation of the principle of equality, there must be the following assumptions: 1) provision of an ideal comparison term demonstrative of the substantial identity of the legal situations that have received different treatment, 2) that the unequal treatment is not based on objective reasons that justify, and 3) that the comparative trial is carried out within the framework of legality, since it is not possible to invoke the principle of equality in illegality to perpetuate situations contrary to what is provided for by the legal system. Thus things, the conduct for which the plaintiff has been sanctioned and which is contrary to law does not allow its responsibility to be further attenuated by the fact that in other assumptions, which are unknown, the sanction imposed was not economic and considered more beneficial.” For all the above reasons, the claim made is rejected. V Response to the allegations to the Proposed Resolution In response to the allegations presented by IBERDROLA, it should be noted that following: FIRST: Regarding the defenselessness generated by IBERDROLA as a consequence of not the accumulation of procedures EXP202305587 and EXP202205206 IBERDROLA once again ratifies the allegations regarding the Startup Agreement regarding his request for the consolidation of both files, also indicating that with Regardless of whether article 57 of the LPACAP indicates a “may”, the power granted must be considered in all cases enforceable to the Administration when the non-accumulated processing of the procedures may negatively affect the rights of those included in them, IBERDROLA insisting that the non accumulation attentive to their right to defense. In this regard, it should be noted, first of all, that it has already been answered in the proposal resolution regarding the request for consolidation of the two files referenced, response that is transcribed in full in the Legal basis III of this Resolution to which reference should be made in its C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 55/99 whole. Therefore, although it is true that it is a power of the Administration to proceed to the accumulation or not, it is also true that the reasons and reasons were argued. reasons why it was not appropriate or appropriate to accumulate both sanctioning procedures. Likewise, IBERDROLA maintains that non-accumulation makes it defenseless since understands that her access to the information that the AEPD has provided for consider two alleged infractions committed has been limited to those elements that the AEPD has considered appropriate to incorporate into this file without to have a complete vision of the facts nor, consequently, of the motives that induce the AEPD to impose such sanctions. Faced with this, it should be noted that it is unknown what information or circumstances believe IBERDROLA that it does not know, because it has known at all times and complete the facts and all the circumstances in relation to them. In addition, has been aware at all times of the infractions that are attributed to him by such events and the sanctions that could arise from them, and has been able allege and present whatever documentation you have considered relevant throughout the present sanctioning procedure. Therefore, the requested non-accumulation does not cause you any defenselessness nor does it affect you. negatively to any of your procedural rights In relation to the rest of the arguments raised by IBERDROLA to demand the accumulation, as these are reproductions of those exposed in the Initiation Agreement, It is appropriate to refer to the response given by this Agency and which appears, as has been indicated, transcribed in Legal Basis III of this Resolution. SECOND: About the previous acts of the AEPD and the violation of the principles of good faith, legitimate trust and legal certainty. IBERDROLA insists again that the letter of April 18, 2022 that was directed I-DE from the Technological Innovation Division of this Agency has decision-making nature and that this prevents or should have prevented any action of subsequent investigation of the personal data breach suffered which, in addition, violates the principles of good faith, legitimate trust and legal certainty. Firstly, IBERDROLA was already told in response to the allegations Start Agreement that the aforementioned communication from the Technological Innovation Division of this Agency was addressed only to I-DE and in relation to the notifications made by it to the aforementioned Division as a consequence of a breach of personal data suffered by her. Therefore, said writing in no way referred to the personal data breach. suffered by IBERCLI and CURENERGIA and notified to this Agency by these companies and by which this sanctioning procedure is processed against IBERDROLA as responsible for their treatment, no matter how much she now tries to extend it to this file. It is for this reason that said writing does not appear in this document. sanctioning procedure, so it is not appropriate to accept, as alleged IBERDROLA, that said absence has caused defenselessness. However, the same C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 56/99 was provided by IBERDROLA together with its written allegations to the Startup Agreement and In the proposed resolution he was responded to and argued about the erroneous IBERDROLA's interpretation of the content and nature of the aforementioned written. IBERDROLA also indicates the following: “However, it is the Proposed Resolution itself that reveals the close connection between the letter addressed to i-DE (whose omission of the This file would only create defenselessness for my client) and the present procedure when, immediately afterwards, he adds that “however the personal data breach reported by I-DE was derived from the breach suffered by IBERCLI and CURENERGÍA, we proceed to respond to the erroneous interpretation that carried out by IBERDROLA in relation to the aforementioned document.” With this, the AEPD expressly recognizes that, even though the letter was addressed to i-DE There is an intimate and indissoluble relationship between both procedures, given that the breach that is attributed to my client is a direct cause of the vulnerability produced in the GEA application. In this way, it is evident that if the AEPD considered sufficient clarifications made by i-DE in the notification related to the gap which is the cause of this file, and it is clear that without said gap the one now analyzed would not have taken place, the consideration of the cause as not susceptible to prior investigation, must have as its only consequence the file of the procedure referring to what is only the effect of that cause previously considered sufficiently justified” In this regard, it is pointed out that what we wanted to indicate is that the same incident (cyber attack) two different personal data breaches resulted. An affecting to personal data of I-DE clients and due to a vulnerability in its web application. AND another affecting clients of IBERCLI and CURENERGÍA because they store the three companies the personal data of their respective clients in a database managed by IBERDROLA as the person in charge of the treatment and on the occasion of a vulnerability in the logical separation in said database. Notwithstanding the above, just as was responded to in the Proposal for Resolution on IBERDROLA's arguments in relation to the statement of April 18, 2022, and as he continues to understand that this writing affects the present sanctioning procedure - which has already been indicated that it is not - responds to continuation in relation to the new arguments put forward by IBERDROLA regarding the same. Thus, IBERDROLA indicates that one of the functions of the Innovation Division Technology of this Agency is to “analyze and classify security breaches and, where appropriate, propose with reasons to the Presidency the initiation of a investigation when there are indications of the commission of an infraction” (article 31 e) of the AEPD Statute). IBERDROLA adds that the aforementioned document is signed by the “AEPD”, which means which must be understood as signed by the Director, since the “legal representation and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 57/99 “institutional” of the Agency corresponds solely and exclusively to the Director, as as established in article 13.1b) of the AEPD Statute. From this IBERDROLA concludes that, having been analyzed by the Division of Technological Innovation the information communicated by it about the gap of security, understood that it was not appropriate to raise any type of complaint to the Director of the AEPD motivated proposal in relation to the same, as I do not consider the provisions violated in the GDPR, this resulted in this Agency being notified of the decision not to carry out take any action related to the aforementioned gap. Faced with this, first of all, it is worth remembering that this question was already answered in the Proposed Resolution, and a response is given in the Legal Basis IV of the present Resolution and to which reference should be made. On the other hand, it cannot be admitted or understood, even indirectly, that the The aforementioned writing in question is signed by the Director of this Agency, by as long as your signature does not appear expressly, no matter how much IBERDROLA wants to artificially presuppose that the signature comes from said body by displaying the representation of the AEPD. No generic signature of the AEPD or any of the bodies in which it is structured, nor the signature of any of the holders of the same may substitute the signature of the Director when exercising the powers that has been attributed both by Law and by the Statute of the AEPD. Likewise, the delegation of signature in these cases must be direct and express, and must appear in the administrative act that is signed by delegation to guarantee and safeguard that the decision has been adopted by a competent body. In this sense, the Statute of the Spanish Data Protection Agency, approved By Royal Decree 389/2021, of June 1 (hereinafter the Statute) establishes expressly that: "1. It corresponds to the Presidency of the Spanish Data Protection Agency: (…) d) Issue the resolutions and guidelines required for the exercise of the functions of the Agency, in particular those derived from the exercise of the powers provided for in the Article 57 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, and the exercise of investigative powers and powers “corrective measures provided for in article 58 of the aforementioned Regulation.” (emphasis is our) On the other hand, article 27 of the Statute establishes the powers that the General Subdirectorate of Data Inspection of the AEPD: "1. The General Subdirectorate of Data Inspection is the administrative body, dependent on the Presidency of the Spanish Data Protection Agency, which develops the powers provided for in article 57.1, letters f), g), h), i) and u) of the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, and carries out the inspection and instruction functions necessary for the exercise of the investigative powers established in article 58.1, letters a), b), d), e) and f) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 58/99 and the corrective powers provided in article 58.2, letters a), b), c), d), f), g), i) and j), both of the aforementioned Regulations. (emphasis is ours) 2. In order to fulfill the tasks established in the previous section, to the General Data Inspection Subdirectorate is responsible for the following: functions: a) Permanent supervision of compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, of the Organic Law 3/2018, of December 5, and the provisions that develop it, by the responsible and in charge of the treatments. b) The exercise of the investigative powers defined in article 51 of the Law Organic 3/2018, December 5. (…) d) The processing of procedures in case of possible violation of the data protection regulations in accordance with the provisions of title VIII of the Law Organic 3/2018, of December 5, including citizens' complaints due to lack of attention to their requests to exercise the rights contemplated in Articles 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. Corresponds to the General Subdirectorate of Data Inspection the duty to inform the claimant about the course and the result of the claim presented to the Spanish Data Protection Agency, in accordance with the provisions of article 77.2 of the aforementioned Regulation. (…) e) The evaluation of the admissibility for processing of the claims that are presented before the Spanish Data Protection Agency, and the proposal to the Presidency of decision on admission or non-admission to processing, in accordance with the provisions of the Article 65 of Organic Law 3/2018, of December 5. (…) h) Carrying out prior investigation actions agreed upon by the Presidency on its own initiative, following a complaint, or at the request of another body or authority of control, in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure, according to the provisions of article 67 of "Organic Law 3/2018, of December 5." (emphasis is ours) Therefore, with respect to the Technological Innovation Division of the AEPD, which In accordance with the Statute, its functions include “analyzing and classifying the security breaches and, where appropriate, propose with reasons to the Presidency the initiation of an investigation when there are indications of the commission of an infringement” (article 31 e) of the AEPD Statute), this does not mean that it is the only and exclusive means by which this Agency can initiate investigative actions. So, This investigative power that the AEPD has, as has been reflected in the described regulations, is carried out by the General Subdirectorate of Inspection of Data, which may initiate investigative actions ex officio, by order of the Director, either as a consequence of the admission of claims presented before the AEPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 59/99 The Technological Innovation Division, after analyzing the documentation provided by I- DE (not all the circumstances of the incident) has indicated that it does not foresee the start of other actions, and not that I do not consider the provisions of the RGPD violated or that the decision had been made not to carry out any action related to the mentioned gap. The Technological Innovation Division did not make a decision, but rather was limited to informing I-DE of a forecast, which does not prevent them from being taken into account. takes into account other circumstances, such as the presentation of claims by those affected due to the gap, which makes it advisable to separate from this forecast. Therefore, the aforementioned document does not have the decisive and decisive nature that it now has. IBERDROLA intends, neither by its content nor by its form and this is not an obstacle nor can it prevent in any way the investigative power that the AEPD has and its exercise through the inspection and investigation functions that the Subdirectorate General of Data Inspection is entrusted. Above all, after the presentation of claims by affected people and that the LOPDGDD obliges their processing. Thus, article 65 of the LOPDGDD, relating to the “Admission for processing of claims”, establishes that 1.When a request is submitted to the Spanish Data Protection Agency claim, it must evaluate its admissibility for processing, in accordance with the forecasts of this article. 2. The Spanish Data Protection Agency will not accept claims presented when they do not concern data protection issues personal, manifestly unfounded, abusive or not provide rational evidence of the existence of an infringement. Therefore, when complaints are submitted to the AEPD, it is obliged to analyze their admissibility in advance, and may disallow them only in the cases of section 2 of article 65 transcribed, which did not occur in the case that we occupies Therefore, once admitted for processing, prior investigation actions were initiated. precisely to find out the facts and circumstances that occurred and if the These could lead to a possible violation of the regulations regarding data protection, as permitted and empowered by articles 64 and 66 of the LOPDGDD, which were already transcribed in the response to the allegations to the Startup Agreement and which, for the sake of expository clarity, are indicated again: Article 64. Form of initiation of the procedure and duration. 1.When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be will be adopted in accordance with the provisions of article 65 of this organic law. In this case, the period to resolve the procedure will be six months from from the date on which the claimant was notified of the admission agreement to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 60/99 Procedure. After this period, the interested party may consider his claim. 2.When the procedure aims to determine the possible existence of a violation of the provisions of Regulation (EU) 2016/679 and this law organic, will be initiated by means of a start-up agreement adopted on its own initiative or as consequence of claim. If the procedure is based on a claim made before the Agency Spanish Data Protection Authority, in advance, will decide on your admission to be processed, in accordance with the provisions of article 65 of this organic law. When the rules established in article 60 of the Regulation (EU) 2016/679, the procedure will begin by adopting the draft agreement to initiate the sanctioning procedure, which will be given formal knowledge to the interested party for the purposes provided for in article 75 of this law organic. The claim is admitted for processing, as well as in cases in which the Agency Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of prior investigation actions, which It will be governed by the provisions of article 67 of this organic law. (emphasis is our) Article 67. Previous investigation actions. 1.Before the adoption of the agreement to initiate the procedure, and once admitted to processing the claim if there is one, the Spanish Data Protection Agency may carry out prior research actions in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure. The Spanish Data Protection Agency will act in any case when it is requires research into treatments that involve massive data traffic personal. 2.Preliminary investigation actions will be subject to the provisions of Section 2nd of Chapter I of Title VII of this organic law and may not have a duration greater than twelve months from the date of the agreement for admission to processing or the date of the agreement by which its initiation is decided when the Spanish Agency of Data Protection acts on its own initiative or as a consequence of the communication that had been sent to you by the control authority of another State member of the European Union, in accordance with article 64.3 of this organic law. (he emphasis is ours) Therefore, it is reiterated that from said regulations it is not inferred in any way that the AEPD have to justify the initiation of actions in the manner required by IBERDROLA previous in the sense that there must be something new or some new circumstance or that the claims have had to provide new and different with respect to the documentation provided by I-DE in its notification of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 61/99 breach to this Agency, since this is not required by the indicated regulations, in addition that those affected cannot be expected to contribute something new, apart from know that the confidentiality of your personal data has been violated by a cyber attack whose circumstances they are unaware of. Precisely the previous investigative actions are carried out to clarify the facts and circumstances of what happened, gathering more information in order to be able to determine the existence of a possible violation of the regulations regarding Data Protection. In this sense, the beginning of previous investigations and their realization, power of the AEPD with or without claims, does not prejudge anything, but rather allows gathering the necessary information to determine whether or not there are indications of infringement. Even after said investigation, the proceedings may be archived to understand, in view of the information collected, that there are no indications of infringement. Which, in the present case, has not happened. What the reflected regulations do indicate is that, after the presentation of claims, This Agency must decide whether to admit them for processing or not, having finally decided on their admission through, this time, an Admission Agreement for processing, signed by the Director of the Agency dated May 9, 2022. And, as indicated in article 67.2 referenced LOPDGDD, the AEPD can carry out prior actions of investigation in order to achieve a better determination of the facts and the circumstances. It is a power attributed to it by the RGPD and the LOPDGDD. Likewise, and to make matters worse, as indicated, even in the assuming that the claims have not existed, the forecast of the Division of Technological Innovation would not have been an obstacle or obstacle to the exercise, ex officio, of the investigative powers that the AEPD has in accordance with the cited article 64.2 which determines that “The claim is admitted for processing, as well as in the cases in which the Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of previous investigation actions…” Therefore, this sanctioning procedure has not been initiated due to the content or by some new information provided in the claims, but by the information and documentation obtained after the period of prior investigation actions, to the possible violations of protection regulations may be inferred from it. of data. THIRD: Regarding the arguments supported by the Proposed Resolution for consider that bis in idem does not occur. IBERDROLA once again indicates that the non bis in idem principle has been violated in the imposition of the two infractions, since it understands that the AEPD is not prosecuting the violation of article 5.1.f) of the RGPD for a reason other than that derived from, at its judgment, inadequate security of personal data, but solely and exclusively for that reason. In this regard, the Judgment of the National Court of July 23, 2021 (rec. 1/2017), which provides, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 62/99 “(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle prevents punishing the same subject twice for the same act with support in the same foundation, the latter understood as the same legal interest protected by the sanctioning regulations in question. In fact, when there is the triple identity of subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But in order to speak of "bis in idem" a triple identity must occur. between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing): a) Subjective identity assumes that the affected subject must be the same, regardless of whatever the nature or judicial or administrative authority that prosecutes and with independence of who the accuser or specific body is that has resolved, or that be tried alone or in conjunction with other affected parties. b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real competition of infractions in which there is not the same illegal act but before several. c) The identity of the foundation or cause implies that the sanctioning measures do not can coincide if they respond to the same nature, that is, if they participate in a same teleological foundation, what happens between penal and administrative sanctions, but not between the punitive and the merely coercive.” Taking as reference what was previously explained in the procedure sanctioning agent, the non bis in idem principle has not been violated, since, although Roughly understood, the facts are detected as a result of a data breach personal, the violation of art. 5.1.f) of the RGPD results in a clear loss of confidentiality that affected certain clients, the violation of art. 32 of GDPR boils down to poor security measures (security only) detected, present regardless of the personal data breach. Of In fact, if these security measures that IBERDROLA had implemented had been detected by the AEPD without loss of confidentiality having occurred, It would only have been sanctioned by art. 32 of the GDPR. As we have indicated, through art. 5.1.f) of the RGPD, a loss of confidentiality and availability and through art. 32 of the GDPR the deficiency of security measures implemented by the person responsible for the treatment. Measures of poor security, we add, that violate the GDPR, regardless of whether whether or not the personal data breach occurred. Article 32 of the GDPR is violated regardless of whether or not a breach occurs. personal data breach. That is, it is violated by not having appropriate measures to guarantee adequate security in the processing of data without necessary or essential for a security breach to occur in the personal data that, if applicable, may affect the confidentiality of the data, either only to availability, or only to integrity, or to some or all of them. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 63/99 Another thing is that the deficiency in security measures becomes evident, in the specific case, on the occasion of a breach of data security personal data (violation of confidentiality in this case), as has occurred in the present assumption. On the other hand the art. 5.1.f) of the RGPD is violated when there is a loss of confidentiality or integrity of personal data, which may or may not occur due to absence or deficiency of security measures. This principle only determines the channel through which the maintenance of the confidentiality, integrity or availability when it explains “through the application of appropriate technical and organizational measures”, which are not strictly security measures. Likewise, it means again that article 5.1.f) of the RGPD is one of the principles relating to treatment. The principles relating to treatment are, on the one hand, side, the starting point and the closing clause of the legal protection system of data, constituting true informing rules of the system with an intense expansive force; On the other hand, since they have a high level of concreteness, they are standards of mandatory compliance susceptible to being infringed. The violation of confidentiality that is attributed to I-DE is for failing to comply with the obligation imposed in article 5.1.f to process the data in such a way that ensures adequate security, including protection against unauthorized or illicit treatment, through the application of technical measures or appropriate organizational structures. Finally, it should be added that, in relation to the alleged violation of the principle of non bis in idem, a response to this allegation was already given in the Proposal of Resolution, in which the non-existence of the triple identity of facts, subject and foundation, as required by jurisprudence, response that appears fully transcribed in the Third section of the Fundamentals of Law IV of this Resolution and to which reference should be made. Finally, regarding the allegations by IBERDROLA regarding the fact that in the imputation of the violation of article 5.1.f) an obligation of result is being required, which is contrary to the Judgment of February 15, 2022 (cassation appeal 7359/2020), which indicates that the obligation imposed by the regulations for the protection of personal data, to adopt technical and organizational measures is an obligation to means and not results, it means that what is analyzed in said Judgment is the compliance with technical and organizational measures in the sense of whether they are adequate to guarantee the safety of the treatments, that is, we would be not in the scope of compliance with article 5.1.f, but in the scope of compliance of article 32 RGPD when dealing with security measures. Therefore, the argument given by IBERDROLA and the analysis of the same that is going to be carried out must refer exclusively in relation to the violation of article 32 GDPR, which will be develop in the Fifth section of this Legal Basis relating to the violation of article 32. FOURTH: On the application of the principles of the right to sanctions to the activity of the AEPD and the concurrence of a media competition. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 64/99 IBERDROLA alleges again that, if the existence of the bis in is not appreciated idem, at least one of the infractions would be subsumed and embedded in the another, since the imputation of the violation of article 5.1.f) of the RGPD is due to the fact that the treatment has not been carried out, in the opinion of the AEPD, in compliance with the necessary security measures. IBERDROLA therefore understands the existence of an absolute link between the alleged absence of security measures adequate and the breach of the principle of confidentiality. That is, it is the supposed insufficiency of security measures which directly leads to the violation of article 32 and violation of 5.1.f). There is, therefore, a clear case of medial competition, since the two infractions charged cannot commit one without the other. Below, IBERDROLA argues the reasons why it considers that it is of application of article 29 of the LRJSP and that, with its non-application, the AEPD is implicitly repealing, in terms of data protection, all guarantees of the sanctioning regime established by the Constitutional Court. In this regard, since this allegation was already formulated against the Agreement of Start and response is given in the Third section of the Fundamentals of Law IV, It is necessary to refer to it in its entirety. On the other hand, in relation to the mention made by the AEPD regarding the non- applicability of art. 29 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, “LRJSP”), IBERDROLA brings up the Royal Decree 389/2021, of June 1, which approves the Statute of the Spanish Agency for Data Protection, article 3 of which establishes that the AEPD is governed by what provided in the RGPD, and additionally, by the LRJSP. IBERDROLA understands that above implies that, in relation to everything not expressly regulated in the RGPD or the LOPDGDD, the provisions for this purpose in the LRJSP will be followed, as is the case of competitions for infringements provided for in article 29 of the LRJSP in relationship with the principle of proportionality as a principle of power sanctioning. Faced with this, it means that article 3.2 of the aforementioned Statute of the AEPD establishes the next: 2. Additionally, as soon as it is compatible with their full independence, will be governed by Law 40/2015, of October 1, on the Legal Regime of the Sector Public, particularly what is provided for autonomous organizations; by the law 39/2015, of October 1, of the Common Administrative Procedure of the Public administrations; by Law 47/2003, of November 26, General Budgetary; by Law 9/2017, of November 8, on Sector Contracts Public, by which the Directives of the European Parliament and of the Council 2014/23/EU and 2014/24/EU, February 26, 2014; by Law 33/2003, of November 3, of the Heritage of Public Administrations, as well as the rest of the regulations of general and special administrative law that may apply. In defect of administrative rule, common law will apply. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 65/99 Therefore, what is being indicated is that the regime is additionally applied legal of the Public Sector, but in relation to its consideration as an organism public belonging to the General Administration of the State, that is, to considerations such as its composition, organization, structure, etc. For its part, article 3.3 of the AEPD Statute indicates the following: 3. The procedures processed by the Spanish Agency for the Protection of Data will be governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights, by the regulatory provisions issued in their development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures. Therefore, in the procedures processed by it, among them, the procedure sanctioning, neither the LRJSP nor the LPAC is applied additionally, but rather declares that the procedures processed by the AEPD will be governed by the RGPD and the LOPDGDD. And on a subsidiary basis (not supplementary) by the rules on the administrative procedures. In this regard, it is insisted that there is no supplementary application of the aforementioned precept, for as there is no legal loophole regarding the application of the media competition provided for in said article 29 of the LRJSP. Neither the RGPD allows nor the LOPDGDD provides for the supplementary application of the provisions of art. 29 of the LRJSP. In Title VIII of the LOPDGDD related to “Procedures in case of possible violation of data protection regulations”, article 63 that opens the Title is provides that "The procedures processed by the Spanish Agency for the Protection of Data will be governed by the provisions of Regulation (EU) 2016/679, in this law organic, by the regulatory provisions dictated in its development and, as do not contradict them, on a subsidiary basis, by the general rules on the administrative procedures.". Although there is a referral to the LPACAP, it is not establishes in no way a subsidiary application with respect to the LRJSP that does not contains in its articles any provision relating to administrative procedure some. In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in the same art. 29 of the LRJSP, since the RGPD establishes its own, for Therefore, there is no legal loophole or subsidiary application of the same, nor is there any application of the section relating to the media contest and for identical reasons. As already indicated, in addition to the application of rules other than the GDPR regarding the determination of fines in each of the Member States applying their national law, whether due to aggravating or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the Spanish case-, either by the application of a media contest other than that provided for in the RGPD, would reduce the effectiveness of the system that would lose its meaning, its teleological purpose, resulting in the fines imposed by different infringements would no longer be effective, proportionate and dissuasive. And of This way would also deprive the interested parties of the effective guarantee of their C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 66/99 rights and freedoms, weakening the uniform application of the GDPR. The mechanisms for the protection of the rights and freedoms of citizens and would be contrary to the spirit of the GDPR. Clarify, in advance, that supplementary status refers to cases in which, in a certain norm does not regulate a specific assumption, legal loophole, giving give rise to the application of another legal norm that regulates such a situation, provided that it does not is inconsistent with the legal system. While subsidiarity refers to a competition of standards, which means that for a given case two or more rules may be applicable, so so that the subsidizing norm cedes to the benefit of the main one. Well, having examined both suppletoriness and subsidiarity, we conclude the not application of article 29 of the LRJSP but of article 83 of the RGPD in relation with the principle of proportionality. This is so because: • The principle of proportionality applies to the sanctioning procedure. • The principle of proportionality is fully regulated in article 83 of the GDPR. • There is no legal loophole. • Neither the RGPD nor the LOPDGDD refer to the application, due to the existence of a legal loophole, of article 29 of the LRJSP. • In the procedures processed by the AEPD, for the procedures administrative procedures processed, the subsidiary application of the general rules is foreseen on administrative procedures. • In the procedures processed by the AEPD, for the procedures administrative procedures processed and not in relation to the principles of the procedure sanctioning, a subsidiary application of the LRJSP is not established in the LOPDGDD. Therefore, there is neither supplementary nor subsidiarity that would make the article apply. 29 of the LRJSP. Regarding the fact that, as indicated by IBERDROLA, the Agency itself has previously considered said article 29 applicable considering the existence of cases of media competition, as in its Resolution of April 23, 2021, issued In the procedure PS/00240/2019, it should be noted that the Administration can separate from what was previously resolved. Thus, article 35 of the LPACAP establishes that: 1. They will be motivated, with succinct reference to facts and foundations of right: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 67/99 c) Acts that are separated from the criteria followed in preceding actions or of the opinion of advisory bodies. Therefore, it is legitimate for the Administration to separate itself from the criteria followed in preceding actions, as long as said change is motivated, which occurs in the present case. Thus, in addition to what has just been argued in this own section, it is worth remembering again that this allegation was already made against the Initiation Agreement, relating to the media contest and responded to it by motivating and arguing why the existence of the medial competition is not considered and, furthermore, The non-applicability of article 29 LRJSP is motivated. Therefore, it is necessary to refer to the arguments put forward and that appear transcribed in the Third section of the Legal basis IV of this Resolution. Therefore, once argued and motivated, not only is the existence of concurrence of infractions, as well as the reasons why it is not considered applicable to article 29 LRJSP, the change of criterion. In this sense, the Sentence of March 12, 2018, of the Superior Court of Justice of Madrid, Administrative Litigation Chamber, Section 4 (Rec. 761/2017), points out, on the occasion of the review of a sanctioning procedure, that: “(…) the Administration can separate itself from what was previously resolved motivating the change (art. 35.c) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations). As points out the Supreme Court in its Order of December 4, 1998 "... so that the doctrine of the acts of the Administration has application is It is fundamentally necessary that a first body of the Administration has issued a first act declaring rights and then in the second revoke the decision taken in the first", and said circumstance does not occur in this case because the present administrative act of tax settlement does not revokes any decision taken in a preceding act relating to it tax concept nor is there an express declarative act that is now modify. For these purposes, it is necessary to distinguish between the effectiveness of the acts of the Administration and the connection of the Administration to precedents interpretative measures applied in previous situations since, in the event that is questioned, and using the words of the Supreme Court (ruling of 25 February 2000), it is not possible to speak of "own act but at most a change of criterion and interpretation, which is perfectly valid." Likewise, the STS of June 27, 2000 states: "...the principle of acting against one's own acts could not be taken to extremes such that they obstruct the conformity with the Law of a certain action, by the mere fact of" (the existence of) "another previous one of a different sign although this was not protected by legality, in the same way that equality only falls within the scope of legality, as is sufficiently known, under penalty of being able to consolidate illegal or inappropriate resolutions forever to Law, irreversible and impossible to modify later. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 68/99 The High Court has expressed itself in the same sense in other Sentences. So, In that of February 1, 1999, it declares that "this principle cannot be invoked to create, maintain or extend in the field of public law, situations contrary to the legal system, or when the preceding act results in contradiction with the purpose or interest protected by a legal norm that, due to its nature, is not capable of protecting a discretionary action of the Administration that involves the recognition of rights and/or obligations that arise from its own acts. Or said by another In this way, the doctrine of proper acts without the limitation that has just been explained could introduce into the field of public law relations the principle of the autonomy of the will as an ordering method of regulated matters by norms of a mandatory nature, in which the public interest prevails safeguarded by the principle of legality; a principle that would be violated If an action by the Administration contrary to the legal system for the sole fact that this has been decided by the Administration or because it responds to a precedent thereof. (...) or, said in In other words, it cannot be said that the trust placed in an act or precedent that is contrary to the mandatory norm” (the emphasis is ours). Likewise, and for greater completeness, this criterion of understanding the article as not applicable 29 LRJSP is not new as it has been applied in previous sanctioning proceedings at the moment. As an example, PS/00020/2023 and PS/00667/2023 are noted. Finally, IBERDROLA alleges that the application of article 29 is a possibility also recognized by Guidelines 4/2022, on the calculation of fines administrative under the RGPD, which expressly stipulates the criteria that must be follow the administrative authority to evaluate, prior to the imposition of the sanction, the possible concurrence of these. In light of this, it is noted that, in relation to the citation of Guidelines 04/2022 of the CEPD on the calculation of administrative fines under the GDPR, in its version 2.1, adopted on May 24, 2023, in section 22 reference is made to three types of concurrence, namely, infringement, unity of action and plurality of actions: “When examining the analysis of the traditions of the Member States in matter of competition rules, as indicated in the jurisprudence of the CJEU, and taking into account the different areas of application and the consequences legal, these principles can be roughly grouped into the three categories following: - Concurrence of violations (chapter 3.1.1), - Unity of action (chapter 3.1.2), - Plurality of actions (chapter 3.2). In cases of concurrence of infractions, the provision established in this regard is that contained in article 83.3 of the RGPD, which establishes a quantitative limit in these cases of concurrence: “If a person responsible or in charge of the treatment breaches intentionally or negligently, for the same operations of treatment or related operations, various provisions of this Regulation, the total amount of the administrative fine will not be higher than the amount provided for the most serious infractions.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 69/99 Likewise, at this moment we must remember that the seriousness of the infractions of the GDPR is determined in accordance with the rules established in it and not in the LOPDGDD. The classification of infractions is regulated in article 83, sections 4, 5 and 6 of the GDPR, while the classification of infringements as very serious, serious or minor for the sole purposes of the prescription is provided in the articles 72, 73 and 74 of the LOPDGDD. Last but not least, the AEPD does not sanction for the same offense, such as IBERDROLA alleges, but have been verified through proven facts not refuted by IBERDROLA, the commission of two differentiated infractions, classified in a differentiated manner, and in the specific case there is also no media competition. For all the above reasons, this allegation is rejected. FIFTH: Regarding the lack of violation by I-DE of article 32 of the RGPD IBERDROLA once again indicates that it had carried out an analysis of the risks that The processing of data could affect the rights and freedoms of the interested parties, as well as implemented security measures that allowed mitigating the mentioned risks. Faced with this, it should be indicated that the analysis of the risks of the treatment of activity affected by the incident does not show any measures to be adopted to alleviate the alleged risks detected. Thus, in response to the request made by this Agency during the actions of prior investigation, copy of the risk analysis on the rights and freedoms of natural persons carried out prior to the incident and in relation to with the processing activity affected by the personal data breach, both IBERCLI and CURENERGÍA provided the same document and indicate that it is the scheme followed within the Iberdrola Group for the assessment of risk in the processing of personal data and that is carried out in accordance with it: (…) Likewise, both companies attached a document explaining the logic followed for calculating the risk level according to this methodology, called “Logic “Risk Level calculation”: (…) (…) They explain that this methodology is implemented in an automated way in the own corporate tool for recording treatment activities, so that In the registration process itself, the risk level of the treatment is determined. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 70/99 As can be seen, the aforementioned document details certain threats or circumstances - which are transferred to the Registry of Treatment Activities, to the corresponding activity -, such as “vulnerable groups” “access to data “personal transactions by more than 10 people” “international transfers” “treatments large scale” “profiles with legal effects”. These circumstances are established as questions and, depending on whether the answer is “yes” or “no”, a result is applied. Thus, the application of said methodology in relation to the activity of affected treatment “(…)” (“…”) for which they are responsible, in relation to their respective clients IBERCLI and CURENERGIA, resulted in a level of Medium risk. Therefore, several of these questions appear in the Log of Activities of Treatment of the activity affected by the personal data breach, in which Answer “Yes” or “No” and a “Medium” risk is indicated, but nothing more. That is, no Any measure is indicated that should be adopted to alleviate this average risk. I don't even know It is an inherent risk or a residual risk. Likewise, IBERDROLA was required to provide the risk analysis and, where appropriate, case, the EIPDs, with respect to the treatments carried out as person in charge of the treatment and in relation to the treatment activities affected by the gap, responds, in its response brief (submitted on 01/24/2023 Registration number: REGAGE23e00004670187) that: “The Iberdrola Group has adopted a risk analysis methodology for processing of personal data that is implemented in an automated way in the corporate tool for recording treatment activities, so that in the registration process itself the risk level of the treatment. In the case of treatments for which IBERDROLA acts as responsible for the treatment, the methodology involves carrying out the risk analysis in relation to each of the treatments for which my client has said condition, so that this analysis is developed by the entity itself responsible for the treatment in collaboration with my client. For this reason, the risk analysis related to specific treatments (…) is incorporated into the i-DE Processing Activity Records and the of IBERCLI and CURENERGIA, their results having been communicated to me principal. According to what these entities inform us, the result of said analysis appears in the responses provided in this procedure to the requirements of information made to them.” Also, at the request of this Agency during the preliminary investigation phase, IBERDROLA provided (registration number: REGAGE23e00004673128) the Registry of Treatment activities corresponding to the treatments "Support and IT Infrastructure Maintenance” (activity “RET_IT_001) and “Development of applications (SWF)” (activity “RET_IT_011”) carried out by IBERDROLA in its status of data processor with respect to various treatments of the companies of the Iberdrola Group, among which are those affected by the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 71/99 security breach. Analyzed said Registry, no information has been transferred to it. of the questions or circumstances referred to in the documents above reflected and that has been indicated for the entire Iberdrola Group as a methodology of risk analysis of personal data processing found implemented in an automated way in the corporate registration tool itself treatment activities, so that the registration process itself determines the risk level of the treatment. Therefore, IBERDROLA has not proven that it has carried out a risk analysis regarding the treatment activities outlined above and carried out in your status of person in charge of the treatment, so it has not proven what states that it has implemented the security measures that allowed mitigate those risks. Nor has it proven that it has assessed the inherent risks that derive from your participation as processor in other treatments nor that by whether the measures adopted are appropriate to mitigate them. In particular, there has not been accredited person who has assessed the inherent risks of the treatment he performs consisting of storing the personal data of different people responsible for the treatment (different companies) in the same database in which, in addition, exceptionally (as indicated) it stores personal data in the same Table There is only a logical separation, which means that it has not been accredited nor the adoption of security measures that would mitigate these risks not evaluated. Likewise, after analyzing the methodology provided by both IBERCLI and CURENERGÍA and who state (also IBERDROLA) that it is the one that applies to the entire Iberdrola Group to carry out the risk analysis, as well as the documentation provided, especially the Record of Treatment Activities respective, it is not reflected that said analyzes are focused on the risks of probability and 0gravity variables that for the “rights and freedoms of natural persons may entail the treatment, such as damages physical, material or immaterial, in particular problems of discrimination, identity theft, fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, reversal not authorized pseudonymization or any other economic or social harm significant; in cases where the interested parties are deprived of their rights and freedoms or are prevented from exercising control over their personal data; In the cases in which personal aspects are evaluated, in particular the analysis or prediction of aspects related to performance at work, economic situation, health, personal preferences or interests, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases where personal data of vulnerable people, in particular children, are processed; or in cases in which the processing involves a large amount of personal data and affects a large number of interested parties, etc., all in accordance with Considering 75 of the GDPR For its part, art. 28.2 LOPDGDD determines that “For the adoption of the measures referred to in the previous section, those responsible and in charge of the treatment will take into account, in particular, the increased risks that could arise in the following assumptions: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 72/99 a) When the treatment could generate situations of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other harm economically, morally or socially significant for those affected. b) When the treatment could deprive those affected of their rights and freedoms or could prevent them from exercising control over their data personal (,,,)” Likewise, as explained in the guide “Risk management and impact assessment in processing of personal data” of the AEPD, “The RGPD establishes the obligation of manage the risk that a risk to people's rights and freedoms poses treatment. This risk arises both from the very existence of the treatment and from its technical and organizational dimensions. The risk arises both from the automated data processing and manual processing, human elements and the resources involved. The risk arises from the purposes of the treatment and its nature, and also by its scope and the context in which it is unwraps.” However, as indicated, these risks have not been assessed. Not have assessed the damages to natural persons, material or immaterial, or at least not it is proven that it has been done, lacking, therefore, a risk analysis focused on the protection of the rights and freedoms of the interested parties. Also, in that risk analysis carried out nor does it indicate what security measures to adopt to alleviate that “Medium” risk thrown. Due to the above, as stated above, IBERDROLA has not accredited the that he states that “he had carried out an analysis of the risks that the processing of the data could affect the rights and freedoms of the interested parties, as well as implemented security measures that allowed mitigating the mentioned risks” In another order of things, IBERDROLA alleges that the statements made by the AEPD in the Proposed Resolution demonstrate the existence of a absolute causal relationship between the vulnerability that is intended to be attributed to IBERDROLA and that produced in the GEA application. This is how he transcribes the following from the Proposal: “(…) Therefore, it was not adequate or was insufficient, which means a violation of art. 32, as it reflects a lack or insufficiency of measures appropriate to ensure adequate safety, according to the risk, in the processing of personal data.” Faced with this, it means that what has been wanted and is intended to be indicated is that what is revealed with the cyberattack and with the statements of IBERDROLA Regarding how the database it manages works, the logical separation existing in the database was not adequate as far as it was allowed, modifying a parameter in an application of one of the companies, access personal data of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 73/99 clients of other companies for whom there is no authorization for such access. That is, you could “jump” or ignore that logical separation. In this regard, it is worth remembering that as indicated by IBERDROLA, (...). (…) (…): -(…). Therefore, there was an inadequate logical separation of the personal data of clients from different companies stored in the same Table in the database managed by IBERDROLA, as far as it allowed, changing a parameter in a URL (the Client code) in one of the applications of one of the companies (I-DE) unauthorized access to personal data of clients of other companies (IBERCLI and CURENERGIA), not guaranteeing, therefore, adequate security of the personal data processed by these two companies. Therefore, IBERDROLA, as the person in charge of processing with respect to the activities of treatment affected by the personal data breach, since it gives them the service consisting of “Maintenance and support of servers and databases that support business applications affected by GDPR” (according to the description of the treatment carried out in the Register of Treatment Activities, regarding the Activity “RET_IT_001”), as well as the “Development and Maintenance of applications” (Activity “RET_IT_011”), did not adequately guarantee the total separation of the personal data of the clients of the different companies and that are processed (stored) in the same database (in this case, in the same Table) managed by IBERDROLA. Therefore, IBERDROLA has not complied with the obligation that, as Manager of the Treatment, is derived from the GDPR to adopt appropriate measures based on the risk posed by the treatments carried out and imposed by section 7.5 of the Clause Seven of the Framework Agreement for the protection of personal data for the Group Iberdrola”, signed on May 18, 2018, outlined in the Eighth Proven Fact and which reads like this: “7.5.- Obligations of the Data Processor. e) Security Measures. In accordance with the GDPR, apply appropriate technical and organizational measures to guarantee an adequate level of risk, taking into account the state of the technique, the costs of implementation, and the nature, scope, context and purposes of treatment, as well as risks of varying probability and severity for the rights and freedoms of natural persons. The security measures to be implemented are those indicated in Annex III of this PDP Framework Agreement.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 74/99 For its part, it has not complied with the obligations indicated in the aforementioned Annex. III “Security Measures. Cybersecurity and Information Security” of the mentioned Framework Agreement, which, among others, indicates the following: “The security conditions established in this Annex are applicable to the provision of services, as well as compliance with the obligations of the Manager of Processing in accordance with the PDP Framework Agreement 1.(…) 3.(…) 4. (…) (…) . IBERDROLA also alleges that the reasoning supported by the AEPD can only be described as circular because, being clear that jurisprudence has established emphasizes that the obligation to adopt security measures is one of means and not of result, the AEPD carries out an assessment of the alleged non-compliance by IBERDROLA of the obligation to implement security measures by investing the reasoning that must be followed for this, by indicating throughout its Proposal of Resolution that, ultimately, the measures were objectively inadequate as consequence of the fact that the attack could actually occur and the breach of personal data took place. IBERDROLA therefore maintains that, in this way, the AEPD intends to avoid the doctrine supported by the Supreme Court in its ruling of February 15, 2022 referring to the insufficiency of the measures, but ultimately their reasoning is that the result is taken into consideration as a premise for consider that the means were inadequate before it occurred. In this regard, it should be noted, first of all, that this Agency has not relied in the result of the cyber attack to justify non-compliance with article 32 of the RGPD, since, as derived from everything indicated above, said non-compliance already occurred before and independently of the attack suffered, which shows that there were no appropriate measures to guarantee a security level appropriate to the risks. Thus, it has not been the result, but the fact If possible from an application of one of the companies to access the data personal data from clients of other companies. What the incident has done is precisely to highlight the prior existence of this possibility. Therefore, that logical separation between personal data of clients from different companies that were stored in the same Table in the database, it was not appropriate. Likewise, it has not accredited the completion of risk analysis regarding the treatment activities carried out as the person in charge of treatment, Therefore, it has not been proven that the security measures implemented allowed mitigate unevaluated risks. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 75/99 Secondly, regarding the Supreme Court Ruling of February 15, 2022 (cassation appeal 7359/2020), it means, as already stated in the Proposal for a Resolution, which the aforementioned Judgment effectively indicates, regarding the security measures regarding data protection, that “… the obligation that falls on the person responsible and on the person in charge of the treatment with respect to the adoption of necessary measures to guarantee the security of personal data personnel is not an obligation of result but of means, without the obligation being enforceable. infallibility of the measures adopted. Only the adoption and implementation of technical and organizational measures, which according to the state of the technology and in relation to the nature of the processing carried out and the data personal data in question, reasonably allow to avoid its alteration, loss, “unauthorized treatment or access.” (emphasis is ours) However, the Judgment continues indicating, in the specific case analyzed in same, that “…the program used to collect customer data does not contained no security measures that would allow checking whether the address of email entered was real or fictitious and whether it really belonged to the person whose data was being processed and gave consent for it. The state of the technique at the time these events occurred made it possible to establish measures aimed at verifying the veracity of the email address, conditioning the continuation of the process for the user to receive the contract at the address provided and only from it provide the necessary consent for its collection and treatment. Measures that were not adopted in this case. (…) So, at the time these events occurred, there were technical measures related to the registration process, which would have prevented the filtration of personal data produced. This implies that the technical measures adopted did not comply with the security conditions in the terms required in art. 9.1 of the LO 15/1999, therefore incurring the infringement provided for in art. 44.3.h) consisting of "Maintain the files, premises, programs or equipment that contain personal data without due security conditions that via regulations are determined [...]". (…) It is stated that the technical security measures referred to the program computer scientist were responsible for xxxx who designed the program and was responsible for the file and treatment, and that the sanctioned company was only acting on its behalf collecting data from clients who opted for financing. The truth is that the data processor - the natural or legal person who, alone or jointly with others, process personal data on behalf of the data controller, art. 4 section 8 of the Regulation, such as art. 3.g) of LOPD 15/1999, and the collection of data implies processing (art. 3.c), - must also adopt measures of a nature technical and organizational measures necessary to guarantee the security of data personal character, as provided in art. 32.1 of Regulation (EU) 2016/679 of the Parliament and the Council and art. 9.1 of the LOPD and is subject to the regime sanctioning established in the Law (art. 43 of LOPD 15/1999). The appellant company processed customer data on behalf of the person responsible for the file so she implemented and used said program being knowledgeable, or would have should be, that it lacked the necessary security measures…” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 76/99 Therefore, although it is inferred from the Judgment that the obligations established by the Article 32 of the GDPR are media, it also makes it clear that, if at the time of When the incident occurred, there were adequate technical measures to avoid or mitigate the effects thereof and were not applied, this represents a breach of the aforementioned obligation imposed by the RGPD and, therefore, a violation of it. Amen that These obligations apply to both the controller and the person in charge of the treatment. It should be noted, first of all, that this ruling is issued under the protection of the regulations prior to the RGPD, in which, in accordance with the system provided for in the LOPD and in the RLOPD, security measures were perfectly standardized. Without However, with the RGPD we have moved from a system with security measures standard and static for any person responsible to own security measures to each organization (adapted to its characteristics and idiosyncrasy), which considers the risks specific to the entity concerned; Furthermore, now they are dynamic, so way that is not exhausted by the implementation of appropriate security measures to the risk at the beginning of the treatments, but there must be adequate management of the risk and adapt to the risks that appear. The new regulation provided for in the GDPR significantly expands the obligations of the responsible for the treatment and its scope of action and responsibility, extending now clearly to the actions carried out by those in charge of the treatment, which fall within their scope of responsibility. Although in this case, As indicated above, the treatments carried out by IBERDROLA are specific risks arise due to their participation as manager who must have foresee and mitigate and that there is no evidence that he has done. These are risks that are generated for his own activity as manager. Secondly, the cited Supreme Court Judgment considers, in relation to a violation of art. 9 of the LOPDP that “the obligation that falls on the responsible for the file and about the person in charge of processing regarding the adoption of measures necessary to guarantee the security of personal data It is not an obligation of result but of means, without infallibility being required. of the measures adopted. Only the adoption and implementation of technical and organizational measures, which in accordance with the state of technology and in relation to the nature of the processing carried out and the personal data in question, reasonably allow to avoid its alteration, loss, treatment or unauthorized access authorized". Regarding this, he specifies that “It is not enough to design the technical and organizational means necessary, it is also necessary to correctly implement it and use it correctly. appropriate, so that he will also be responsible for the lack of diligence in his use, understood as reasonable diligence taking into account the circumstances of the case". As has been demonstrated and argued throughout this sanctioning procedure, it is considered that there were no measures of appropriate security measures to ensure security appropriate to the risk, including even if there had been no personal data breach. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 77/99 In this regard, this Agency wishes to point out that in no way does it consider that the obligation to implement security measures imposed by the regulations of data protection has the nature of an obligation of result and not of means. But it is no less true that IBERDROLA did not have, before the incident, with measures that “in accordance with the state of technology and in relation to the nature of the processing carried out and the personal data in question, allow reasonably prevent its alteration, loss, treatment or unauthorized access.” Therefore, although it is inferred from the Judgment that the obligations established by the Article 32 of the GDPR are media, it also makes it clear that, if at the time of When the incident occurred, there were adequate technical measures to avoid or mitigate the effects thereof and were not applied, this represents a breach of the aforementioned obligation imposed by the RGPD and, therefore, a violation of it. In the present case, as has been pointed out, it was not duly guaranteed this logical separation because, as has been indicated, it was possible, modifying a parameter of a URL in an application of one of the companies, access data personal data from clients of other companies. And this was the case before the attack. Therefore, liability is not being demanded as an exclusive consequence of a result caused by a cyber attack. Another thing is that it has become manifest on the occasion of the existence of a data security breach personal Finally, and in addition to everything indicated, it means that, however that regarding the Startup Agreement IBERDROLA formulated allegations against the accusation If you have failed to comply with article 32 of the RGPD, you should refer to the Fourth section of the Fundamentals of Law IV. SIXTH: Regarding the absence of violation of the principle of confidentiality and integrity. IBERDROLA once again reviews the absolute identity between the two infractions that were they charge him to the point that the alleged violation of article 5.1.f) of the RGPD or well it turns out to be the result of the alleged violation of article 32 of said Regulation or brings direct, immediate and exclusive cause of this assumption second breach, that is, due to the lack of adequate security measures. IBERDROLA points out in this regard that the AEPD has not considered the existence of any violation that does not refer to security measures, since no measure has been indicated that has ceased to comply other than those of security that may be required. In this regard, it was already indicated in the Proposed Resolution that when art. 5.1.f) of the GDPR refers to appropriate technical or organizational measures to ensure the rights and freedoms of data subjects within the framework of compliance management regulations of the RGPD does so in the sense provided for in art. 25 of the GDPR regarding privacy by design. This precept determines that, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 78/99 “Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the treatment entails for the rights and freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment as well as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, such as data minimization, and integrate safeguards necessary in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties” (emphasis is our) It should be noted that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. In this sense, IBERDROLA has not proven that it has complied with what is established in said precept, since it has not been proven that, in accordance with the risks of varying probability and severity that the treatment entails, for those rights and freedoms of natural persons, has applied technical measures and appropriate organizational measures, such as pseudonymization, designed and aimed at effectively applying data protection principles, among which is the principle of confidentiality. Therefore, the GDPR requires the applicability of data protection from design and implementation. need to manage both the risks to the rights and freedoms of individuals, such as the impact on those rights and freedoms that a data breach, especially in web environments, because they can affect a large population volume. As stated in the guidelines for treatments that involve communication of data between public administrations of this Agency, whose reasoning is extrapolated to large organizations that handle large amounts of data, always There are risks related to personal data breaches. However, these will be especially considerable in the processing of personal data carried out carried out by large public and private organizations that are serving a large part of the citizens, and even much more if they are interconnected. Is very It is important to keep in mind that the risk that data breaches can pose personal data in such treatments does not depend so much on whether categories of sensitive and/or specially protected data as well as the consequences for the fundamental rights that can arise from a compromise of information. To estimate the impact that a personal data breach could have, you must consider the consequences that would arise from its materialization. A form of To do so is, before a breach occurs, to consider the possible scenarios of materialization of a compromise of personal data, determine its consequences, and evaluate how it affects the rights and freedoms of the interested parties, especially if these are irreversible consequences on their fundamental rights Regarding measures appropriate to the level of risks to rights and freedoms, the art. 24.1 of the GDPR establishes that the measures to be adopted in a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 79/99 treatment to guarantee and be able to demonstrate its compliance with the Regulation must take into account the scope, context and purposes of the treatment, and must address, in particular, the extent of subjects affected by it and the risk that means for fundamental rights and not only the typology of the data. In the aforementioned Guidelines it is indicated that “the technical and organizational measures that adopted must be specifically aimed at minimizing the risks identified for rights and freedoms from potential data breaches personal. This implies that the person responsible must evaluate the risks that may appear, design measures aimed at minimizing its probability and impact, and determine the extent to which such measures are appropriately managing the “concrete risks in a dynamic process” And it is added that “Appropriate measures must be selected and implemented from the design of the treatments with the aim that all risk contexts for rights and freedoms to be considered. It must be taken into account that Some measures will be more effective in avoiding or mitigating the direct impact on the individuals and other measures will be mainly about the social impact for the Fundamental rights. It is necessary to apply a high level of data protection by flaw (…)" It is not disputed that a personal data breach may occur, therefore within of the risk management of a given organization, precisely because may produce a gap, said scenario must be evaluated as inseparable part of risk management for the purposes of (i) adopting all types of appropriate technical and organizational measures to prevent it from materializing and (ii) determine ex post measures to minimize damage. On this particular The aforementioned Guidelines explain that “given the possible scenarios of materialization of different types of gaps, the answer must be found, at least, to the following questions from the design of the treatment and prior to its implementation: • What personal and social impact a personal data breach can have if materializes. • What data protection measures should be implemented a priori to minimize the personal and social impact that a materialized breach could produce. • What response measures should be planned and executed after the fact, once the breach has occurred, to minimize the personal and social impact.” Therefore, its management cannot be based exclusively on the scope of the cybersecurity, but it has to encompass all the areas in which it is developed treatment, since, otherwise, risk management would not be complete, and, therefore, it would be useless. To achieve this, it is essential to adopt specific measures for the data protection by design and by default, and also measures for a effective management of the consequences of the gap aimed at protecting rights fundamentals of natural persons. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 80/99 As has been pointed out, there are multiple technical or organizational measures that are not of security and that the person responsible for the treatment can implement as a channel to guarantee the principle of confidentiality. In this sense, IBERDROLA has not proven that it has complied with what is established in the RGPD, since it has not been proven that, in accordance with all of the above, has assessed those risks and applied appropriate technical and organizational measures aimed at effectively applying data protection principles, including measures aimed at guaranteeing the principle of confidentiality. And along with this there must be highlight that in this case the bankruptcy of the principle of confidentiality. Furthermore, and apart from the above, not even in the analysis of the risks to adopt the security measures of article 32, the measures have been indicated. measures to be adopted to alleviate the “medium” risk that the activity of treatment affected by the gap, as indicated below in detail. more extensive and detailed in the response to the Fourth allegation hereof Foundation of Law. Therefore, in the case examined, as stated in the proven facts, there is a clear loss of confidentiality since access has occurred by a third party unauthorized access to personal data processed by IBERCLI and CURENERGÍA regarding of which IBERDROLA acts as the person in charge of the treatment, which does not imply objective liability, since IBERDROLA was not diligent in not guaranteeing, In this way, adequate security through the application of technical measures and appropriate organizational measures, not only security, but of all kinds. Regarding what was stated by IBERDROLA regarding that this AEPD has not accredited in no way the materialization of the risk posed by the loss of confidentiality for the affected persons, that no client of IBERCLI or of CURENERGIA have had their rights affected as a result of the gap in security occurred, which understands that it does not allow considering a principle violated and impose a fine of two million as a consequence of said alleged violation. of euros on the basis of a mere potentiality or the consideration that it could be produce a high risk of fraud, in no way proven. Faced with this, and as already indicated in the Proposed Resolution, what was accuses IBERDROLA of violating the principle of confidentiality since it that, after suffering a computer attack through the GEA website application, a illegitimate access and extraction by an unauthorized third party of personal data treated by CURENERGÍA and IBERCLI, which meant the loss of confidentiality and of control of numerous personal data (…) and that affected 1,515,000 clients of IBERCLI and 92,550 from CURENERGIA. Therefore, the risk did materialize, consisting of loss of confidentiality and loss of control over data. What is guaranteed is confidentiality in order to avoid serious damage that can produce its bankruptcy, since it represents a high risk for the interested parties - in case of confidentiality being violated-, fraudulent use of the data: impersonation of the identity for online recruitment, phishing, financial fraud, etc. The lost of confidentiality has already occurred in this case as access has occurred and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 81/99 exfiltration, with which it is no longer that there is a “probability” of risk, but rather of this risk causing harm itself. This implies non-compliance with the duty to guarantee the confidentiality of personal data, since as has been indicated, article 5.1.f) indicates that they must be treated in such a way that ensures adequate security of personal data, including the protection against unauthorized or illicit treatment. Likewise, regarding the fact that none of its clients have been affected in any of their rights as a consequence of the security breach, IBERDROLA forgets that the loss of confidentiality suffered in itself means that it is seen affected the core of the fundamental right to data protection, which is none other than having control of personal data. Regarding the high risk that these data, in the hands of cybercriminal/s, were used fraudulently, this was indicated to express what involves the loss of confidentiality, but is not necessary in any way, to understand that article 5.1.f has been violated, that said risks of fraudulent use are materialize, because what has materialized with the gap is the loss of confidentiality of the personal data processed by IBERDROLA, which is what is exclusively imputes. For the above reasons, the allegation is rejected. SEVENTH: Regarding the violation of the principle of proportionality to the detriment of the IBERDROLA rights IBERDROLA draws attention to the fact that the same circumstances have been applied aggravating circumstances in relation to the two infractions charged, which means that evidence to what extent the connection between both in total, proceeding the application of what was invoked in the Second and Third allegations (violation of the non bis principle in idem and existence of media competition) In this regard, it was already indicated, in relation to the application of identical aggravating factors in both infractions, that the circumstances provided for in art. 83.2 of the GDPR and the provided in art. 76.2 of the LOPDGDD are the only ones that can be applied by AEPD for any infraction. The determining factor in this case is not that they coincide in their use, but rather the foundation to be established for your consideration. Likewise, IBERDROLA alleges the inappropriate application of article 83.2.a) of the GDPR, drawing attention to the fact that it has been considered appropriate aggravate the penalty imposed due to the fact that a loss of property has occurred confidentiality of personal data, both in relation to article 32 and article 5.1.f) Thus, IBERDROLA maintains that, in relation to the violation of article 32, in accordance with to the traditional concept of security in systems, its objective is the guarantee of the integrity, confidentiality and availability of the information, therefore that, if the AEPD considers that the fact that a gap occurs C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 82/99 confidentiality would aggravate the conduct consisting of the alleged absence of such security measures, any accusation for the alleged violation of article 32, will be aggravated by the AEPD, which would entail the inclusion in the catalog of violations of a kind aggravated by their very nature, which without However, it is not included in the RGPD or the LOPDGDD. In this regard, it should be noted, contrary to what has been argued, that the violation of Confidentiality is not necessary or essential in the commission of the violation of article 32, since as already indicated above, it can be violate the aforementioned article 32 due to the absence of appropriate security measures or due to inefficiency in its use or implementation, without necessarily having a personal data breach has occurred. Another different thing is that it is put into evidences the violation of article 32 as a consequence of the materialization of a violation of the security of personal data that, by its very definition, involves “any breach of security that results in the destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data” (section 12 of article 4 of the GDPR) Therefore, in the present case, the logical separation existing in the database does not was adequate as far as it was allowed, modifying a parameter in a one of the companies, access personal data of clients of other companies with respect to which there is no authorization for such access. This shows that IBERDROLA was not applying appropriate measures to guarantee a level of security appropriate to the risk of their treatments, which in itself represents a violation of article 32. If, in addition, said deficiencies have allowed or facilitated, as is the case, a breach of personal data (in this case, confidentiality breach), there is no obstacle to consider said violation as an aggravating circumstance of article 83.2.a), which allows taking into account the “nature, severity and duration of the infraction, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages and damages they have suffered” (emphasis added). Regarding the application of the aggravating circumstance of article 83.2.a) for violation of the article 5.1.f), although it is true that the violation of confidentiality is not appropriate as a circumstance to be taken into account to aggravate the infringement since is subsumed in the offending type itself, it is also true that said precept, the 83.2.a) of the RGPD has been applied as an aggravating circumstance, also taking into account the number of interested parties affected, which are very numerous, amounting to more than one million people (1,607,550) as well as numerous data were stolen personal (…), so it is appropriate to continue taking these circumstances into account as aggravating factors, so article 83.2.a) of the GDPR continues to apply. Regarding the fact that IBERDROLA understands that in relation to this aggravating circumstance, it is intended take into account some alleged damages and losses suffered, which have not been accredited by the AEPD, it means that what is taken into account in said aggravating circumstance is the damage and risk that loss of confidentiality entails in itself, which entails a total loss of control over one's personal data and high risk C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 83/99 which entails that they are used fraudulently, since they have been stolen by a cybercriminal. On the other hand, IBERDROLA argues that the aggravating circumstance of the article cannot be applied 83.2.b) of the RGPD regarding the existence of negligence since, in the Judgment of the European Court of Justice, of December 5, 2023 (case C-807/21), declares that: “75 Consequently, it must be declared that article 83 of the GDPR does not allows imposing an administrative fine for an infraction contemplated in its sections 4 to 6 without proving that said infringement was committed intentionally or negligently by the person responsible for the treatment and that, for Therefore, guilt in the commission of the infraction constitutes a requirement for the imposition of the fine.” From this IBERDROLA deduces that whether such intentionality or negligence is necessary for the infringement to be considered committed, it can hardly be considered that the most serious form of enforceable guilt can act as a circumstance aggravating factor, and even less so on a subjective criterion, such as the volume of IBERDROLA. Faced with this, it should be noted that one thing is that, in order to impute an infringement administrative is necessary the existence of intention or negligence and another, which does not The existence of especially negligent negligence may be used as an aggravating circumstance. highlighted, due to the circumstances of the case. The opposite would be contrary to one's own article 83.2.b) which establishes that “When deciding to impose an administrative fine and its amount in each individual case will be duly taken into account: b) intentionality or negligence in the infringement” Thus, in any violation of data protection regulations, the existence of intentionality or negligence. And this both to a data controller as a natural person, as a legal entity, whether a small company with little connection with the processing of personal data, whether it is a large company, a multinational, etc., and with processing of personal data in a manner continuous and on a large scale, for example. Therefore, once it has been determined that, as a premise, this subjective element occurs base guilt, this does not prevent the aggravating factor from being considered intentionality or negligence indicated by considering that, in accordance with the specific circumstances of the case, a different degree of intentionality is considered or negligence in the actions of the offending subject. Thus, in accordance with the Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the GDPR, version 2.1, adopted on 24 May 2023, notes the following: “4.2.2 — Intentional or negligent nature of the infringement 55. In its previous guidance the EDPB stated that "in general, the intention includes both knowledge and will in relation to the characteristics of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 84/99 a crime, while "unintentional" means that there was no intention to cause the infringement, although the controller/processor breached the duty to care required by law. Example 4 — Illustrations of intent and negligence (from WP 253) "Circumstances indicative of intentional violations may be a illicit processing explicitly authorized by the senior management hierarchy of the responsible for the treatment, or despite the advice of the protection delegate of data or violating existing policies, for example, obtaining and processing of data about the employees of a competitor with the intention of discredit that competitor in the market. Other examples here can be: - the modification of personal data to give a (positive) impression misleading about whether objectives have been met; we have seen it in the context of targets for hospital waiting times - the trading of personal data for commercial purposes, i.e. the sale of data as “opted” without checking or ignoring the opinions of users. interested parties about how their data should be used Other circumstances, such as failure to read and follow policies existing, human error, lack of verification of personal data in the published information, the lack of application of technical updates in the timing, lack of policy adoption (rather than simply lack of of application) may be indicative of negligence"; 56. The intentional or negligent nature of the infringement [Article 83(2)(b) of the GDPR] must be evaluated taking into account the objective elements of conduct obtained from the facts of the matter. The EDPB highlighted that it is generally accepted that intentional violations, "demonstrate contempt for the provisions of the law, are more serious than unintentional ones. In the case of intentional infringement, it is The supervisory authority is likely to give more weight to this factor. According to the circumstances of the case, the supervisory authority may also attribute weight to the degree of negligence. At best, negligence could be considered neutral." (emphasis is ours) In the present case, the aggravating circumstance of negligence is appreciated since IBERDROLA manages a database in which personal data of clients of different companies, having to guarantee adequate security at all times for such treatment and absolute separation. However, there was a inadequate configuration that did not guarantee an appropriate logical separation and that allowed access to be made from an application of one of the companies unauthorized access to the personal data of other companies. Likewise, in relation to the violation of article 5.1.f) of the RGPD, it is appreciated Also as an aggravating factor is the negligence shown by IBERDROLA because, as has been pointed out, due to its subjective circumstances and the high number of data personal data of numerous clients of the companies for which it acts as responsible for the treatment (21 million I-DE clients; 8 million IBERCLI clients; 3 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 85/99 million of CURENERGÍA), a greater degree of professionalism and diligence in the duty to guarantee the confidentiality of the personal data of those companies. Regarding the consideration of the size of IBERDROLA as an aggravating factor, it is appropriate point out that the same level of diligence cannot be required from a company like IBERDROLA, which is payable to a natural person or a small business, for example. This means that a higher level of diligence is required because the level of professionalism is greater. It is appropriate to recall again, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a personnel must insist on rigor and exquisite care to conform to the legal provisions in this regard. Finally, contrary to what was stated by IBERDROLA, the consideration of this aggravating circumstance of negligence has at no time meant that it has increased the maximum limit of the sanction to be imposed, since the maximum limits are found established in sections 4 and 5 of article 83 of the RGPD, which allow impose a penalty, respectively of 10,000,000 euros or 2% of the volume of global annual total business and 20,000,000 euros or 4% of the volume of global annual total business. Therefore, at no time has the amount been established maximum of the sanction that could be imposed as a consequence of the application of the aggravating factors as indicated by IBERDROLA. Regarding the aggravating circumstance included in article 76.2.b of the LOPDGDD, IBERDROLA points out that its conduct is getting worse due to the mere fact of belong to a specific sector of activity. In this regard, it means that in said precept does not take into consideration the specific activity to which one is dedicated IBERDROLA (electricity sector), but its connection with the performance of treatments of personal data, since it carries out massive and large-scale processing (at least 21 million I-DE clients; 8 million from IBERCLI; 3 million from CURENERGÍA) and continuously. In this sense, the Spanish legislator has considered including in article 76 of the LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of the Regulations (EU) 2016/679 may also be taken into account: (…) b) The linking of the offender's activity with the performance of medical treatment. personal information." This Agency simply takes into consideration that circumstance, provided for by the legislator, when deciding the imposition of the administrative fine. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 86/99 Finally, IBERDROLA alleges the breach of the principle of equal treatment if taking into consideration the precedents of this Agency. Thus, it indicates the procedure PS/000179/2020 in which it indicates that a minor penalty was imposed despite understand that the circumstances were more serious, but that, above all, in said file, no sanction was imposed for violation of article 5.1.f) of the RGPD, despite the existence of a data confidentiality breach being evident, The AEPD having therefore modified its criteria, since by now converting what was considered a violation of article 32 of the GDPR in two violations, by making now refers to 5.1.f) of the RGPD, and considerably multiply the total amount of The infringement represents a flagrant breach of the principle of equality, security legal and public faith. Likewise, he points out that this also goes against the doctrine of own acts. Faced with this, as already pointed out in the Proposed Resolution, the circumstances and facts of procedure PS/000179/2020 are not the same nor comparable, just as there is no equality in illegality, so there is no try to equate sanctions in the face of different facts and circumstances. Therefore, It is necessary to refer to the response to this same allegation and which appears transcribed in its entirety in the Sixth section of the Fundamentals of Law IV of the present Resolution. Regarding what IBERDROLA maintains regarding the fact that the principle of equality also in the fact that PS/000179/2020 only sanctioned for a violation of article 32 and was not considered a violation of article 5.1.f) of the GDPR, there having also been a confidentiality breach, and that this also goes against the doctrine of own acts, it means that IBERDROLA has only selected and brings up this file to defend an alleged treatment unequal but which, however, ignores the numerous sanctioning procedures existing prior to the present in which, after a gap of confidentiality, has been sanctioned for violating both precepts. By way As an example and without exhaustive character, since there are more, the following should be indicated: PS/00444/2021, PS/00420/2021, PS/00528/2021, PS/00099/2022, PS/00113/2022, PS/00164/2022, PS/00419/2022, PS/00168/2022. Finally, regarding the procedure PS/0002/2023 in which they have been imposed also two sanctions for violating both article 32 and 5.1.f) of the RGPD and that for also refer to a company in the electricity sector, brings up IBERDROLA to make a comparison, because there it was imposed, in the total sum of the two sanctions for these two infractions, an amount that only exceeds by one million euros the imposed on IBERDROLA, despite the fact that there were injured parties, it means new that the facts and circumstances are different and that, for this reason, it was imposed a different fine (in this case higher), in addition to other fines for other different violations that were considered. In this sense, it is once again recalled that, in terms of data protection, the technical and organizational security measures to be adopted by those responsible and data processors and other obligations to comply required by the RGPD, must be appropriate in relation to the specific risks posed by the specific treatments carried out by each person responsible. Therefore, when analyzing the diligence of each other in compliance with the regulations must be at the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 87/99 circumstances of each case, taking into account the nature, scope, context and the purposes of each treatment, there being, therefore, no identical cases. In this sense, it must be remembered that article 83, in section 2, establishes that “The Administrative fines will be imposed, depending on the circumstances of each case individual…” (emphasis added). It should not be ignored that in that procedure A fine exceeding one million euros was imposed in relation to the present. Therefore, it is necessary to attend to the circumstances of each individual case, there being no two identical files and, therefore, with equal results. As a general and final consideration, it should be noted that none of the sanctions applied violates the principle of proportionality. Thus, it must be remembered that the articles 83.4 and 83.5 of the RGPD, where the violation of article 32 and article 5.1.f), establish limits on the amounts of the fines that can be imposed, very far from those that have finally been imposed established. Thus, article 83.4 of the aforementioned Regulation establishes that sanctions will be imposed, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the of greater amount. In this regard, according to the Axesor entity, the volume IBERDROLA's business forecast for 2022 was ***AMOUNT.2 euros, which would have allowed imposing a penalty of up to ***AMOUNT.3 euros, for the violation of article 32. For its part, article 83.5 of the RGPD establishes that sanctions will be imposed, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the of greater amount. In this regard, in accordance with the turnover indicated, would have allowed imposing a penalty of up to ***AMOUNT.4 euros, for violation of article 5.1.f). Therefore, taking into account the above, as well as IBERDROLA's negligence in manage a database in which personal data of millions of people are stored clients from different companies, which requires it to guarantee at all times a adequate security for said treatment and absolute separation, existed, without However, an inadequate configuration that did not guarantee proper separation logical and that allowed from an application of one of the companies to be able to make unauthorized access to the personal data of other companies. In addition, taking into account the high number of affected people whose personal data were exfiltrated by a cybercriminal, which represents a loss of control over personal data irremediably, with the risk that this entails, cannot be It can be said that the sanctions finally imposed violate the principle of proportionality, taking into account that “Each supervisory authority will ensure that the imposition of administrative fines in accordance with this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive” (emphasis is our) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 88/99 For the above reasons, the allegation is rejected. SAW Integrity and confidentiality Article 5.1.f) “Principles relating to processing” of the GDPR establishes: "1. The personal data will be: (…) f) treated in such a way as to ensure adequate safety of the personal data, including protection against unauthorized processing or unlawful and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality»).” The principle of data integrity and confidentiality requires a guarantee of security in the application of technical or organizational measures that prevent alteration of personal data, its loss, unauthorized or illicit processing or access. It's not the existence of this fundamental right is not possible if the confidentiality, integrity and availability thereof. Hence, the integrity and confidentiality of personal data are considered essential to prevent the interested parties from suffering negative effects. Therefore, they must be treated in a manner that ensures adequate integrity and confidentiality of personal data, especially to prevent access, processing or use authorized users of said data. In short, both the person responsible and the person in charge of the treatment have the obligation to integrate the necessary guarantees in the treatment, with the purpose of, under the principle of proactive responsibility, comply and be able to demonstrate compliance, while respecting the fundamental right to protection of data. In this regard, it should be remembered that the confidentiality of personal data is regulated in article 5 of the RGPD, being, therefore, one of the principles related to the treatment. The principles relating to treatment are, on the one hand, the starting point and the closing clause of the legal data protection system, constituting true informing rules of the system with an intense expansive force; for another On the other hand, as they have a high level of specificity, they are mandatory standards. likely to be infringed. Article 5.1.f) of the GDPR establishes a clear obligation of consistent compliance in preventing unauthorized or illicit treatments by implementing security measures suitable. Therefore, one must be in a position to guarantee the confidentiality of personal data to prevent a third party from accessing data that does not belong to them. ownership, since it is mandatory to process personal data in accordance with the RGPD and LOPDGDD. For this reason, it is an activity where the diligence provided by C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 89/99 responsible and those in charge of the treatment is essential to avoid this type of unauthorized access. In the present case, the principle of confidentiality has been violated since it is clear that after suffering a computer attack against a web application of the company I-DE (GEA), In addition to illegal access to personal data processed by it, also produced illegitimate access to personal data - and the extraction of the same - from two companies different from the first and treated by IBERDROLA in quality of treatment manager. In this regard, it must be remembered that IBERDROLA, as the person in charge of processing of IBERCLI and CURENERGÍA, processes personal data on their behalf, Specifically in this case, IBERDROLA manages and administers the systems and the database of data where the personal data of these two companies are housed. However, the attack suffered by another company in the Group (and which also hosts its data in the same place) has led to the exfiltration of personal data contained in the database of data referred to and belonging to clients of other entities of the Group, not having guaranteed, therefore, the confidentiality of the personal data of some and others. This has led to the loss of confidentiality and control of numerous data personal (…) and that has affected 1,515,000,000 IBERCLI clients and 92,550 CURENERGÍA clients. This represents a breach of the duty to guarantee the confidentiality of personal data, since as indicated, article 5.1f) points out that they must be treated in such a way as to guarantee safety adequate protection of personal data, including protection against unauthorized processing. authorized or illegal. Therefore, the risk of loss of confidentiality has materialized, having been usurped by a cybercriminal, which means that they can be used for not known (sold, communicated, published, etc.), all without consent of its owners, leading to a total and absolute loss of control over them. In addition, it also poses a very high risk of fraudulent use of them. (identity theft, fraud, financial losses, etc.) or that serve to any other utility that in certain circumstances constitutes a threat for its owners. It should also be taken into account that most of the data Leaked personal information is data that cannot be modified or changed by others. (name, surname, ID, address...) This loss of control over one's own personal data results in a violation of the fundamental right to data protection recognized in the article 18 of the Spanish Constitution, as the Constitutional Court has indicated (Sentence 292/2000, of November 30, 2000) “the fundamental right to Data protection seeks to guarantee the person power of control over their personal data, about its use and destination, with the purpose of preventing its illicit trafficking and harmful to the dignity and rights of the affected person (…) The right to data protection "It guarantees individuals the power to dispose of these data." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 90/99 For all the above and in accordance with the evidence available, it is considers that the known facts constitute an infringement, attributable to IBERDROLA, for violation of article 5.1.f) of the RGPD. VII Classification of the violation of article 5.1.f) of the RGPD The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 72 “Infringements considered very “serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe violations that involve three years a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” VIII Penalty for violation of article 5.1.f) of the RGPD For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available, the sanction should be graduated to impose in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: - Article 83.2.a) RGPD: Nature, severity and duration of the infringement. -Number of interested parties affected: there are very numerous people affected, since It amounts to more than a million and a half people (1,607,550). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 91/99 -Level of damages and losses suffered: High. Numerous were stolen personal data (…) and a very considerable number of clients (1,607,550) by a cybercriminal, therefore losing all control over the themselves, which poses a high risk of fraudulent use (identity theft, fraud, financial losses, etc.), thus emptying the right of its content. fundamental to the protection of personal data that, as indicated by the Court Constitutional Court in the previously reviewed Judgment, seeks to guarantee the person a power of control and disposal over their personal data, over their use and destination, with the purpose of preventing illicit trafficking and harm to the dignity and rights of the affected person. - Article 83.2.b) RGPD. Intentional or negligence in the infringement: The existence of negligence in compliance and observance of technical measures and organizational measures to ensure the security necessary for data protection personal data, specifically to guarantee their confidentiality. To this In this regard, it must be remembered that IBERDROLA is a large company, which carries out, as manager, large-scale treatments, affecting numerous natural persons (from the statements made by the three companies affected by the breach, at least processes data from 21 million people) so A higher level of diligence and adequate security measures are required to guarantee the confidentiality of the personal data processed. It is worth remembering, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a personnel must insist on rigor and exquisite care to conform to the legal provisions in this regard.” As mitigating factors: - Article 83.2.c) RGPD. Measures taken by the person responsible or in charge to alleviate the damages and losses suffered by the interested parties: Positive. As it was she who, upon detecting performance and availability problems on the Web, confirmed that It was a bankruptcy and he proceeded to block the attacker's IP and communicate the gap to I-DE, which could have avoided a much more serious impact. Also managed the gap jointly with I-DE. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As aggravating factors: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 92/99 - Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance of personal data processing: The development of the activity business that IBERDROLA carries out involves continuous and wide-ranging scale of personal data, since it processes data as a person in charge of at least 21 millions of people. Therefore, it is a large company accustomed to processing of personal data. For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available, taking into account the circumstances of the case and the criteria established in article 83.2 of the RGPD with regarding the infraction committed by violating the provisions of article 5.1.f) of the RGPD allows a fine of €2,000,000 (two million euros) to be set. IX Article 32 of the GDPR Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to a code of conduct approved under Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 93/99 has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States.” Article 32 does not establish static security measures, but will correspond to responsible and in charge determine those security measures that are necessary to guarantee the confidentiality, integrity and availability of the personal data, therefore, the same data processing may involve measures different security measures depending on the specific specificities in which it has where such data processing takes place. In line with these provisions, Recital 75 of the GDPR establishes: risks to the rights and freedoms of natural persons, serious and variable probability, may be due to data processing that could cause physical, material or immaterial damages, particularly in cases where that the treatment may give rise to problems of discrimination, usurpation of identity or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of the pseudonymization or any other significant economic or social harm; in the cases in which the interested parties are deprived of their rights and freedoms or are prevents you from exercising control over your personal data; in cases where the data processed personal reveals ethnic or racial origin, political opinions, religion or philosophical beliefs, militancy in unions and the processing of genetic data, data relating to health or data on sexual life, or convictions and offenses criminal or related security measures; in cases in which they are evaluated personal aspects, in particular the analysis or prediction of aspects related to the performance at work, economic situation, health, preferences or interests personal, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases in which personal data of vulnerable people, particularly children; or in cases where the treatment involves a large amount of personal data and affects a large number of interested. (emphasis is ours) Likewise, Recital 83 of the GDPR establishes: In order to maintain the security and prevent the processing from infringing the provisions of this Regulation, the responsible or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must guarantee a appropriate level of security, including confidentiality, taking into account the status of the technique and the cost of its application with respect to the risks and the nature of personal data that must be protected. When assessing risk in relation to data security, the risks that arise from the processing of personal data, such as destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data, susceptible in particular of causing physical, material or immaterial damages. (he emphasis is ours) In this regard, it should be emphasized that article 28.3.c) of the RGPD attributes to the responsible for the treatment the obligation to take all necessary measures to in accordance with article 32. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 94/99 Data security requires the application of technical or organizational measures appropriate in the processing of personal data to protect said data against access, use, modification, dissemination, loss, destruction or accidental damage, unauthorized or illicit. In this sense, security measures are key when to guarantee the fundamental right to data protection. It is not possible existence of the fundamental right to the protection of personal data if it is not possible to guarantee their confidentiality, integrity and availability. It should not be forgotten that, in accordance with article 32.1 of the aforementioned GDPR, the technical and organizational measures to apply to guarantee a level of security appropriate to the risk must take into account the state of the art, the costs of application, nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of Physical persons. Therefore, IBERDROLA, when evaluating the risks and determining the measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk to the rights and freedoms of natural persons from the processing of data that it carries out as data processor, is obliged to take into account take into account the specific activity that your business entails, which involves processing data personal information continuously and on a large scale (numerous data to be collected, processed, store…); the type of data processed: identification, contact, those related to the supply and consumption of electricity, current accounts, etc.); the context: existence of web applications on the Internet, that is, in a non-isolated environment, which entails risks derived from the interconnectivity of the network itself, which They must be attended to in a specialized way; existence of a common database several companies with separation requirements (physical or logical). Therefore, derived from the activity to which it is dedicated, IBERDROLA is obliged to carry out a highly specialized risk analysis and implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk of its activity for the rights and freedoms of people. In the present case, as noted above, through the cyber attack suffered to a web application of one of the group companies, there was, in addition to illicit access to personal data processed by said company, access not authorized to personal data of clients of two other different companies and one illicit exfiltration of the same, by being able to circumvent or violate the separation existing logic in the database where personal data is hosted and stored various companies of the Group and which IBERDROLA administers and manages (…). (…). (…). (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 95/99 (…). All of the above demonstrates that IBERDROLA did not have the technical and appropriate organizational measures to guarantee complete separation between data personnel of the different companies with respect to which it acts as manager of the treatment and, therefore, the security incident such as the one that took place in the present case and that CURENERGÍA and IBERCLI suffered, that is, not applied appropriate technical and organizational measures to ensure a level of security appropriate to the risk of your personal data processing. Therefore, in accordance with the evidence available, it is considered that The known facts constitute an infringement, attributable to IBERDROLA, for violation of article 32 of the RGPD. x Classification of the violation of article 32 of the GDPR The aforementioned violation of article 32 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. XI C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 96/99 Penalty for violation of article 32 of the GDPR For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available, the sanction should be graduated to impose, in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: - Article 83.2.a) RGPD: Nature, severity and duration of the infringement. -It is considered that the nature of the infraction is serious since it has entailed a loss of confidentiality and, therefore, of disposition and control irremediable on personal data. -Number of interested parties affected: there are very numerous people affected, since It amounts to more than a million and a half people (1,607,550). -Level of damages and losses suffered: High. Numerous were stolen personal data (…) and a very considerable number of clients (1,607,550) losing, therefore, all control over them, which entails high risk of fraudulent use (identity theft, fraud, financial losses, etc.), thus emptying the fundamental right to data protection of content personal that, as indicated by the Constitutional Court in the Sentence previously outlined, seeks to guarantee the person power of control and provision on your personal data, on its use and destination, with the purpose of preventing illicit trafficking and harm to the dignity and rights of the affected. - Article 83.2.b) RGPD. The existence of negligence on the part of IBERDROLA is observed in the compliance and observance of technical and organizational measures to guarantee the security necessary for the protection of personal data, specifically to guarantee their confidentiality. In this regard, it must be remembered that IBERDROLA is a large company, which carries out, as manager, large-scale treatments scale, affecting their treatments to numerous natural persons (including the statements made by the three companies affected by the breach, at least deals data of 21 million people) so a higher level of diligence is required and appropriate security measures to ensure the confidentiality of data personal it deals with. It is worth remembering, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 97/99 personnel must insist on rigor and exquisite care to conform to the legal provisions in this regard. As mitigating factors: - Article 83.2.c) RGPD. Measures taken by the person responsible or in charge to alleviate the damages and losses suffered by the interested parties: Positive. As far as it was she who, upon detecting performance and availability problems on the Web, confirmed that it was a bankruptcy and proceeded to block the attacker's IP and communicate the gap to I-DE, which could have avoided a much more serious impact. Also managed the gap jointly with I-DE. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As aggravating factors: - Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance of personal data processing: The development of the activity business that IBERDROLA carries out involves continuous and wide-ranging personal data scale. Therefore, it is a large company accustomed to processing of personal data. The balance of the circumstances contemplated in article 83.2 of the RGPD and the article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the established in article 32 of the RGPD, allows setting a penalty of €1,000,000 (a million euros). Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE IBERDROLA, S.A., with NIF A48010615, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine administrative amount of 2,000,000 euros (two million euros). SECOND: IMPOSE IBERDROLA, S.A., with NIF A48010615, for an infringement of Article 32 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 1,000,000 euros (one million euros). THIRD: NOTIFY this resolution to IBERDROLA, S.A. FOURTH: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 98/99 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, through your entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the The amount of the penalty imposed is greater than one million euros, it will be subject to publication in the Official State Gazette of the information that identifies the offender, the violation committed and the amount of the penalty. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative means if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative procedure within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-16012024 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 99/99 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es