AEPD (Spain) - EXP202209596: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202209596 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00426-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...") |
mNo edit summary |
||
Line 79: | Line 79: | ||
=== Holding === | === Holding === | ||
This incident was deemed a personal data breach under [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]], as defined by [[Article 4 GDPR#12|Article 4(12) GDPR]]. Consequently, the Spanish DPA imposed a fine of €2,000, calculated based on Blu Management Spain's annual turnover. On February 29, 2024, the controller acknowledged responsibility and opted to take advantage of a 20% reduction by voluntarily paying the fine within the established timeframe and admitting responsibility, resulting in a reduced penalty of | This incident was deemed a personal data breach under [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]], as defined by [[Article 4 GDPR#12|Article 4(12) GDPR]]. Consequently, the Spanish DPA imposed a fine of €2,000, calculated based on Blu Management Spain's annual turnover. On February 29, 2024, the controller acknowledged responsibility and opted to take advantage of a 20% reduction by voluntarily paying the fine within the established timeframe and admitting responsibility, resulting in a reduced penalty of €1,200. | ||
== Comment == | == Comment == |
Latest revision as of 14:27, 3 December 2024
AEPD - EXP202209596 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 63 GDPR Article 4.7 and 5.1(f) RGPD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 14.09.2022 |
Decided: | |
Published: | 15.11.2024 |
Fine: | 2000 EUR |
Parties: | BLU MANAGEMENT SPAIN, S.L.. A.A.A. |
National Case Number/Name: | EXP202209596 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Rosa Ruiz |
The DPA fined Blu Management, S.L. €2000 for unlawfully disclosing a private individual's personal information to a third party leading to the individual receiving a communication from that third party through WhatsApp.
English Summary
Facts
The data subject filed a complaint with the Spanish Data Protection Agency (AEPD) against Blu Management Spain, S.L., a recruitment agency, alleging the unauthorized disclosure of her personal information. According to the complaint, the data subject had contacted the agency in May 2023 and participated in a phone interview. Subsequently, on July 27, 2021, she received several WhatsApp messages from a third party who claimed the interviewer at Blu Management had shared her name and phone number.
The data subject contacted the agency to inquire about the unauthorized disclosure and submitted both a data deletion request and a data access request. In response, the controller claimed to only possess the personal data included in her resume, such as identification details, academic history, and professional experience, and provided her with a copy. The controller also stated that it had deleted all personal data related to the data subject, including emails, messages, and other communications.
The data subject requested compensation, citing the controller's failure to adequately protect her personal information. The controller countered that the disclosure was made by an exchange student who had obtained the data during the interview conducted by one of the controller's employees, asserting that there had been no breach of its systems.
Holding
This incident was deemed a personal data breach under Article 5(1)(f) GDPR, as defined by Article 4(12) GDPR. Consequently, the Spanish DPA imposed a fine of €2,000, calculated based on Blu Management Spain's annual turnover. On February 29, 2024, the controller acknowledged responsibility and opted to take advantage of a 20% reduction by voluntarily paying the fine within the established timeframe and admitting responsibility, resulting in a reduced penalty of €1,200.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 File No.: EXP202209596 RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On February 22, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BLU MANAGEMENT SPAIN, S.L. (hereinafter, the respondent party), by means of the Agreement transcribed below: << File No.: EXP202209596 IMI Reference: A56ID 437951- Case Register 550411 AGREEMENT TO START SANCTIONING PROCEEDINGS From the actions carried out by the Spanish Data Protection Agency and based on the following FACTS FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the French data protection authority. The claim is directed against BLU MANAGEMENT SPAIN, S.L. with NIF B66500661 (hereinafter, BLU MANAGEMENT). The reasons for the claim are as follows: The complainant contacted BLU MANAGEMENT, which is a recruitment agency, to apply for a job around May 2021, and had a telephone interview with B.B.B. (hereinafter, the BLU MANAGEMENT consultant). Subsequently, on July 26, 2021, the complainant received a series of messages via WhatsApp (…), where the complainant had worked. The person who sent these WhatsApp messages indicated to the complainant that the person who had provided him with his contact details was the BLU MANAGEMENT consultant. The complainant indicates that he had not given permission to BLU MANAGEMENT to share his data with third parties. For this reason, she contacted BLU MANAGEMENT on July 26, 27 and 30, 2021, having obtained a response from them, but she considers that what they have done is not enough to deal with these facts C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/18 Along with the claim, the following is provided: - Printout of the email sent by the complainant to contact@blueselection.com dated July 26, 2021 in which the complainant sets out the facts and requests that the email be sent to the company's data protection officer (hereinafter, DPO), expressed in the following terms: “T(...) message is aimed at the DPO of your company. Dear Madam, Sir, Tonight, I have been approached by a close friend of one of your employees who gave away my personal phone number. Long story short, I was in touch with one of your employees from the recruitment team a couple of month ago. T(...) employee - I'll be happy to provide you (...) name - gave away my phone number to (...) friend so I can help (...) resolving (...) issues (...). Your employee's friend contacted me by whatsapp tonight and I was able to get clear confirmation that my interviewer from Bluselection was the one who gave my phone number away. Tchat transcript ready to be provided to you as proof. I would like to highlight the fact that t(...) is a serious matter. First of all, I find quite alarming that your employees use your company data to resolve their friends private matters. (...). Second, I certainly did not consent my data to be used for your employees private matters. Third, I know quite well the GDPR and the scenario where an employee of a company uses personal data for (...) own sake or (...) friends' sake is definitely not allowed. I want to be contacted urgently on t(...) matter that is unacceptable. You can contact me by phone (***PHONE.1) or by email in english or french. If I don't hear from your real DPO soon, I will quickly launch all procedures to sue your company.” [Unofficial translation: “This message is addressed to your company's DPO. (…) This evening, I was approached by (…) to whom you gave my personal phone number. In short, I was in contact with one of your (…) from the recruitment team a couple of months ago. (…) — I will be happy to provide your name — gave my phone number to your ***PARENT.1 so that he can help you (…). The ***PARENT.1 of your ***POSITION.1 contacted me by whatsapp this evening and I was able to get a clear confirmation that my ***POSITION.2 of BluSelection was the one who gave him my phone number. I have a transcript of the chat ready to provide to you as proof. I would like to highlight the fact that this is a serious matter. Firstly, I find it quite alarming that your ***POSITION.1 uses your company's data to resolve private matters of your friends (…). Secondly, I certainly did not give permission for my data to be used by your ***POSITION.1 for private matters. Thirdly, I am quite familiar with the GDPR and the scenario where a ***POSITION.1 of a company uses personal C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/18 data for his own benefit or for that of his friends is definitely not allowed. I want to be contacted urgently regarding this matter which is unacceptable. You can contact me by phone (***PHONE.1) or by email in English or French. If I do not hear from your DPO very soon, I will promptly initiate all procedures to sue your company.”] - Printout of email sent by the complainant to ***EMAIL.1 dated July 27, 2021 in which the complainant confirms that he has been contacted by phone by a ***POST.1 of BLUE MANAGEMENT and requests the exercise of his rights in the following terms: “Thank you for your call today. Following our conversation today, I was contacted yesterday evening by a friend of one of your former employees B.B.B.. had access to my data while (…) was an employee of yours and gave my personal phone number away to (...) friend (tchat transcript attached). I never consented for my data to be disclosed to third parties such as friends of your employees; hence, as I, the data subject, am victim of a breach of my data, I request: 1- Immediate erasure of the data you hold about me. I also want a copy of these data that you should provide me with within 30 days from today as per the GDPR. T(...) is a Data Access Request. 2- I understand B.B.B. is no longer one of your employees. However, it raises some concerns. I would like to know the actions you are gonna take to make sure t(...) kind of scenario never happens again to someone else. 3- As there is a violation of my rights (you have not been able to hold my data safely and avoid your former employee to send them away), I would like to be compensated. Failing to respond to my requests within 30 days from today will result in a complaint filed to the AEPD. They will then decide what compensation is fair for t(...) data breach.” [Unofficial translation: “Thank you for your call today. Following our conversation today, I was contacted last night by a ***PARENT.1 (…) of his ex ***POST.1 B.B.B.. had access to my data while I was ***POST.1 his and gave my personal phone number to his ***PARENT.1 (chat transcript attached). I never consented to my data being disclosed to third parties, such as friends of his ***POST.1; therefore, as I, the data subject, am a victim of a data breach of my data, I request: 1- Immediately delete the data you have on me. I also want a copy of this data which you must provide to me within 30 days from today as per the GDPR. This is a data access request. I understand that B.B.B. is no longer one of your ***POST.1. However, it raises some concerns. I would like to know the actions you are going to take to make sure this type of scenario never happens to anyone else again. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/18 3- As there is a violation of my rights (you have failed to keep my data securely and prevent your ***POST.1 from sending it), I would like to receive compensation. Failure to respond to my requests within 30 days from today will result in a complaint filed with the AEPD. They will then decide what compensation is fair for this data breach.”] It is noted that a text document is attached to this email which the complaining party indicates is the transcript of the whatsapp conversation that is mentioned within the body of the email. - Printout of email sent by ***EMAIL.1 to the complainant, dated July 27, 2021, confirming receipt of the previous email in the following terms: “Hi A.A.A., Thank you for your time during our phone call and the information you gave me. By my email reply, I confirm the reception of your requests. As mentioned on our call, I will directly transfer t(...) topic to my address and our Legal advisor. We will come back to you as soon as possible. I wish you a pleasant day. Kind regards,” [Unofficial translation: “Hello A.A.A., Thank you for your time during our phone call and the information you gave me. With my email reply, I confirm the reception of your requests. As mentioned on our call, I will directly transfer this topic to my address and our legal advisor. We will reply as soon as possible. I wish you a pleasant day. Kind regards,"] - Printout of email sent by ***EMAIL.2 to the complaining party, dated July 30, 2021 in which the following information is offered: “First of all, please accept our apologies for the unwanted events, of which we found out through your email and the telephone conversation held on July 26th with our Recruitment Manager, C.C.C.. We would like to inform you that B.B.B. you have not been a member of t(...) organization since last June 30. That on the date he left our Company, all access permissions to the candidates database were withdrawn and (...) email account you have been blocked. Additionally, we have contacted B.B.B. with whom we have signed a confidentiality and non-concurrence agreement and he has certified the destruction of (...) contact information (name and mobile phone number). Likewise, we inform you that, to avoid t(...) situation to occur again, all Blu Selection employees who terminate their contracts or are dismissed will sign a Confidentiality and Non-Attendance Agreement, so as to guarantee that they do do not have in their possession personal data of which our company is a Data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/18 Controller. In addition, we are going to initiate a Data Protection Impact Assessment and the activity of employees regarding access to personal data will be monitored. In relation to your request to exercise your right of access to the personal data held by Blu Selection, according to arts. 15 and 13 respectively of the GDPR and the Spanish Data Protection Act, we indicate that we only have the personal data included in your resume (identification data, academic data and data on professional experience) that you sent us on May 1, 2021 in order to participate in the selection processes managed by t(...) company. We attach a copy of it. Finally, we inform you that we have proceeded, as you have requested, to cancel and erase all your personal data for which Blu Selection is Controller in in accordance with the GDPR and the Spanish Data Protection Act, including all emails and other messages and communication received. Serve t(...) communication as a means of proof of the cancellation of your personal data.” [Unofficial translation: “First of all, please accept our apologies for these unwanted events, which we learned about through your email and the telephone conversation held on July 26th with our Recruitment Manager, C.C.C.. We would like to inform you that B.B.B. is not a member of this organization since last June 30th. That on the date you left our Company, all access permissions to the candidate database were withdrawn and your email account has been blocked. In addition, we have contacted B.B.B. with whom we have signed a confidentiality and non-competition agreement and have certified the destruction of your contact information (name and mobile phone number). We also inform you that, in order to prevent this situation from happening again, all ***POSITION.1s at Blu Selection who terminate their contracts or are dismissed will sign a Confidentiality and Non-Attendance Agreement, in order to ensure that they do not have in their possession personal data for which our company is Data Controller. In addition, we will initiate a Data Protection Impact Assessment and the activity of the ***POSITION.1s will be monitored with respect to access to personal data. In relation to your request to exercise your right of access to personal data held by Blu Selection, according to articles 15 and 13 respectively of the GDPR and the Spanish Data Protection Law, we indicate that we only have the personal data included in your resume (identification data, academic data and data on professional experience) that you sent us on May 1, 2021 in order to participate in the selection processes managed by this company. We attach a copy of it. Finally, we inform you that we have proceeded, as you have requested, to cancel and delete all your personal data for which Blu Selection is the Data Controller in accordance with the GDPR and the Spanish Data Protection Law, including all emails and other messages and communications received. This communication serves as proof of the cancellation of your personal data.”] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/18 It is noted that a PDF document called “***URL.1” is attached to this email. - Printout of email sent by the complaining party to ***EMAIL.2 dated July 30, 2021, in response to the previous email, with the following content: “Dear Data Protection Officer, Thank you for your email. I appreciate you fulfilled most of my requests within a short period of time. The content of your email is an admission of liability on your part (especially paragraph 3). In fact, your employee at that time (up until June 30th 2021) was able to circumvent your systems to extract my data without your knowledge and at my prejudice. Even though you should have performed the DPIA way before such critical situation happened to prevent it from occurring, I appreciate you are now willing to assess your company. Nevertheless, as the employer of B.B.B. you failed to store my data safely. As a victim of a prejudice I ask for a reasonable compensation for your failure. If I do not hear from you before August, 27th 2021 or if your final answer stands where it is at t(...) point, I will have to contact the AEPD to make them aware of t(...) situation and ask for their guidance to find an amicable solution. “I look forward to hearing from you.” [Unofficial translation: “Dear Data Protection Officer: Thank you for your email. I appreciate that you have complied with most of my requests in a short period of time. The content of your email is an admission of liability on your part (especially paragraph 3). Indeed, your ***POST.1 at that time (until June 30, 2021) was able to bypass your systems to extract my data without my knowledge and to my detriment. Even though I should have performed the DPIA long before such a critical situation occurred to prevent it from occurring, I appreciate that you are now willing to evaluate your company. However, since ***POST.1 of B.B.B. did not store my data securely, I am asking you, as a victim of harm, for reasonable compensation for your failure. If I do not hear from you by August 27, 2021 or if your final response remains at this point, I will have to contact the AEPD to inform them of this situation and ask for their guidance to find an amicable solution. I look forward to hearing from you.”] - Transcript of a WhatsApp conversation dated July 26, 2021 in which, among other information, the following is stated: “07/26/2021, 8:39 PM - ***PHONE.2: Hello! I hope you are doing well. My name is D.D.D. and I got your phone number from a friend who did an interview with you. Since he knew that I had problems with my ***ACCOUNT.1 he kindly gave me your number. The problem with my business and my private account is, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/18 that I got permanently banned from ***ACCOUNTA.1. I do not know why t(...) happened since I used my accounts in a normal way. When I ask for help or contact the support they will not give me an answer or solutions for t(...) problem, so I wanted to ask you If you know a way to solve t(...) misunderstanding. Item it would mean a lot if you could take the time to answer. Thank you in advance. 07/26/2021, 20:39 - ***PHONE.2: Kind Regards 07/26/2021, 20:39 - ***PHONE.2: D.D.D. 07/26/2021, 20:42 - A.A.A.: Hi. What is the name of your friend who supposedly did an interview with me? 07/26/2021, 20:46 - ***PHONE.2: I will ask for permission to give out (...) name and come back to you in a second. 26/07/2021, 20:46 - A.A.A.: If you dont tell me how you got t(...) number I wont be able to assist 26/07/2021, 20:47 - ***TELÉFONO.2: I fully understand that, I just want to make sure my friend is ok with t(...) 26/07/2021, 20:48 - A.A.A.: Well, if your friend gave you my private number it means he is also my friend. That shouldnt be an issue to provide (...) name 26/07/2021, 20:49 - ***TELÉFONO.2: He got your number from a interview with (...). You contacted the company he worked in, so you do not know (...) personally 26/07/2021, 20:50 - A.A.A.: What company? 26/07/2021, 20:51 - ***TELÉFONO.2: As soon as my friend will give me the Ok I will be transparent with all the information you need 26/07/2021, 20:53 - A.A.A.: Look mate. You are coming out of the blue requesting my help but you dont want to tell me where you got my private number from. If I dont have at least the name of the company and ideally the ame of the person who gave it to you within 5min, you are gonna have to deal with ***CUENTA.1 directly I am afraid 26/07/2021, 20:55 - ***TELÉFONO.2: ok I just called (...), the company is called blue selection 26/07/2021, 20:56 - A.A.A.: In spain 26/07/2021, 20:56 - A.A.A.: ? 26/07/2021, 20:56 - ***TELÉFONO.2: yes” … “26/07/2021, 21:10 - A.A.A.: Is it B.B.B. who gave you my number? 26/07/2021, 21:11 - ***TELÉFONO.2: I agreed with (...) that I do not give the name away, I also do not know your name or anything 26/07/2021, 21:11 - A.A.A.: So t(...) is (...)? 26/07/2021, 21:12 - ***TELÉFONO.2: Why is t(...) necessary? 26/07/2021, 21:12 - A.A.A.: Because I dont know you 26/07/2021, 21:13 - A.A.A.: I need some reassurance here 26/07/2021, 21:13 - ***TELÉFONO.2: I fully understand, but you know that my request is legit since I know the name of the company 26/07/2021, 21:14 - A.A.A.: I had contact only with (...), so t(...) is (...) 26/07/2021, 21:15 - ***TELÉFONO.2: I will not give away the name of the person, I know that I can not give you any value for helping me 26/07/2021, 21:15 - ***TELÉFONO.2: I could pay you if it is possible to solve t(...) problem C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/18 26/07/2021, 21:17 - A.A.A.: Look mate you are going too far. T(...) has to stop. I am no longer an employee of ***CUENTA.1 and surely did not consent for my personal number to be given away. Please contact ***CUENTA.1 26/07/2021, 21:17 - ***TELÉFONO.2: Ok, I am sorry for disturbing you. I will delete your number right away. 26/07/2021, 21:19 - You blocked t(...) contact. Tap to unblock.” [Traducción no oficial: “26.7.2021, 20:39 — ***TELÉFONO.2: ¡Hola! Espero que estés bien. Mi nombre es D.D.D. y obtuve tu número de teléfono de un ***PARENTESCO.1 que hizo una entrevista contigo. Ya que sabía que tenía problemas con mi cuenta de ***CUENTA.1, amablemente me dio su número. El problema con mi negocio y mi cuenta privada es que ***CUENTA.1 me prohibieron permanentemente utilizarla. No sé por qué sucedió esto porque usé mis cuentas de una manera normal. Cuando pido ayuda o contacto con el soporte no me dan una respuesta o soluciones para este problema, así que quería preguntarte si sabes una manera de resolver este malentendido. Significaría mucho si pudieras tomarte el tiempo para responder. Gracias de antemano. 26.7.2021, 20:39 — ***TELÉFONO.2: Saludos cordiales 26.7.2021, 20:39 — ***TELÉFONO.2: D.D.D. 26.7.2021, 20:42 — A.A.A.: Hola. ¿Cuál es el nombre de tu ***PARENTESCO.1 que supuestamente hizo una entrevista conmigo? 26.7.2021, 20:46 — ***TELÉFONO.2: Pediré permiso para dar su nombre y te contesto en un segundo. 26.7.2021, 20:46 — A.A.A.: Si no me dices cómo conseguiste este número, no podré ayudarte. 26.7.2021, 20:47 — ***TELÉFONO.2: Lo entiendo completamente. Solo quiero asegurarme de que mi ***PARENTESCO.1 esté de acuerdo con esto. 26.7.2021, 20:48 — A.A.A.: Bueno, si tu ***PARENTESCO.1 te dio mi número privado significa que también es mi ***PARENTESCO.1. Eso no debería ser un problema para proporcionar su nombre 26.7.2021, 20:49 — ***TELÉFONO.2: Obtuvo tu número de una entrevista con él. Se puso en contacto con la empresa en la que trabajó, por lo que no lo conoce personalmente. 26.7.2021, 20:50 — A.A.A.: ¿Qué compañía? 26.7.2021, 20:51 — ***TELÉFONO.2: Tan pronto como mi ***PARENTESCO.1 me dé el Ok seré transparente con toda la información que necesite 26.7.2021, 20:53 — A.A.A.: Mira ***PARENTESCO.1. Vienes de la nada solicitando mi ayuda pero no quieres decirme de dónde sacaste mi número privado. Si no tengo al menos el nombre de la empresa e idealmente el nombre de la persona que te lo dio dentro de 5 minutos, vas a tener que lidiar con ***CUENTA.1 directamente. 26.7.2021, 20:55 — ***TELÉFONO.2: OK, acabo de llamarlo, la compañía se llama blu selection. 26.7.2021, 20:56 — A.A.A.: En España 26.7.2021, 20:56 — A.A.A.: 26.7.2021, 20:56 — ***TELÉFONO.2: sí” ... “26.7.2021, 21:10 — A.A.A.: ¿Es B.B.B. quien te dio mi número? C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/18 26.7.2021, 21:11 — ***TELÉFONO.2: Acordé con él en que no dar su nombre, tampoco sé tu nombre ni nada. 26.7.2021, 21:11 — A.A.A.: ¿Así que es él? 26.7.2021, 21:12 — ***TELÉFONO.2: ¿Por qué es necesario? 26.7.2021, 21:12 — A.A.A.: Porque no te conozco 26.7.2021, 21:13 — A.A.A.: Necesito un poco de seguridad aquí 26.7.2021, 21:13 — ***TELÉFONO.2: Entiendo perfectamente, pero sabes que mi petición es legítima ya que conozco el nombre de la empresa 26.7.2021, 21:14 — A.A.A.: Solo tuve contacto con él, así que es él. 26.7.2021, 21:15 — ***TELÉFONO.2: No daré el nombre de la persona, sé que no puedo darte ningún valor por ayudarme 26.7.2021, 21:15 — ***TELÉFONO.2: Podría pagarte si es posible resolver este problema. 26.7.2021, 21:17 — A.A.A.: Mira amigo, vas demasiado lejos. Esto tiene que parar. Ya no soy empleada de ***CUENTA.1 y estoy segura de que no consentí que mi número personal fuera dado a otros. Póngase en contacto con ***CUENTA.1 26.7.2021, 21:17 — ***TELÉFONO.2: OK, lamento molestarte. Eliminaré tu número de inmediato. 26/07/2021, 21:19 — Usted bloqueó este contacto. Toque para desbloquear.”] SEGUNDO: A través del “Sistema de Información del Mercado Interior” (en lo sucesivo Sistema IMI), regulado por el Reglamento (UE) nº 1024/2012, del Parlamento Europeo y del Consejo, de 25 de octubre de 2012 (Reglamento IMI), cuyo objetivo es favorecer la cooperación administrativa transfronteriza, la asistencia mutua entre los Estados miembros y el intercambio de información, se transmitió la citada reclamación el día 14 de septiembre de 2022 y se le dio fecha de registro de entrada en la Agencia Española de Protección de Datos (AEPD) el 15 de septiembre de 2022. El traslado de esta reclamación a la AEPD se realizó de conformidad con lo establecido en el artículo 56 del Reglamento (UE) 2016/679, del Parlamento Europeo y del Consejo, de 27/04/2016, relativo a la Protección de las Personas Físicas en lo que respecta al Tratamiento de Datos Personales y a la Libre Circulación de estos Datos (en lo sucesivo, RGPD), teniendo en cuenta su carácter transfronterizo y que esta Agencia es competente para actuar como autoridad de control principal, dado que BLU MANAGEMENT tiene su establecimiento único en España. Según las informaciones incorporadas al Sistema IMI, de conformidad con lo establecido en el artículo 60 del RGPD, la autoridad de protección de datos de Francia actúa como autoridad interesada, de acuerdo con lo dispuesto en el artículo 4.22) letra c) del RGPD, al ser la autoridad de control frente a la que se ha presentado la reclamación, sin que otras autoridades de control se hubieran declarado interesadas en el presente procedimiento. TERCERO: Con fecha 10 de febrero de 2023, de conformidad con el artículo 64 entonces vigente de la Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (en adelante, LOPDGDD), se admitió a trámite la reclamación presentada por la parte reclamante. CUARTO: La Subdirección General de Inspección de Datos procedió a la realización de actuaciones previas de investigación para el esclarecimiento de los hechos en C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/18 cuestión, en virtud de las funciones asignadas a las autoridades de control en el artículo 57.1 y de los poderes otorgados en el artículo 58.1 del Reglamento (UE) 2016/679 (Reglamento General de Protección de Datos, en adelante RGPD), y de conformidad con lo establecido en el Título VII, Capítulo I, Sección segunda, de la LOPDGDD, teniendo conocimiento de los siguientes extremos: El día 30 de junio de 2023, se presenta un escrito ante la AEPD en nombre y representación de BLU MANAGEMENT como respuesta a un requerimiento de información, en el que se aporta, entre otra, la siguiente información: - Copia del correo electrónico enviado por ***EMAIL.2 a la parte reclamante, fechado el 30 de julio de 2021, que ya había sido aportado por la CNIL junto con la reclamación. Junto a él, se aporta un certificado de que este correo fue enviado el 30 de julio de 2021. On September 4, 2023, a letter was submitted to the AEPD on behalf of and representing BLU MANAGEMENT in response to a request for information, in which the following information was provided, among others: - It is indicated that a Data Protection Impact Assessment (hereinafter, EIPD) was carried out after receiving the request from the complainant. A copy of the EIPD for the data processing that "consists of conducting interviews with candidates for positions offered by third-party clients of Blu Management Spain, S.L." is provided. From this EIPD, the conclusion is drawn that it is not necessary to carry out a prior consultation with the competent authority. - Copy of the analysis of the risks related to this processing activity and the applicable security measures, including whether or not they are already implemented and the date of implementation of the measure. - Regarding the causes of this incident, the following is indicated: “During the interview with the complainant, Mr. B.B.B. was present in his capacity as an intern together with the Recruitment Consultant and, we understand that during the interview he was able to see the mobile phone number of (…) and provide this information to a friend, who was the one who contacted the complainant on July 26, 2021, date on which B.B.B. no longer belonged to Blu as an Erasmus+ intern, since he voluntarily withdrew from his internship on June 16, 2021, as evidenced by the email sent by the Recruitment Manager, C.C.C. to E.E.E. responsible for Erasmus+ of ***UNIVERSITY.1. Upon learning of the claimant's email, we made the appropriate inquiries, contacting B.B.B. to find out first-hand what had happened, who confirmed to us that during the interview in which he was present, he noted down the claimant's mobile phone number to provide it to "(...)". For all the above, this party understands that it is not appropriate to provide any contract on the maintenance of the Information Systems, since they have not been involved." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/18 - Regarding the measures adopted to modify security incidents such as the one that occurred, the following is indicated: “it was internally agreed that in all selection processes attended by students on internships, they would be prevented from accessing them with tablets or mobile phones and, always accompanied by a Selection Consultant who would be the one to have access to the candidates' data, once they have given their consent for the selection processes. Additionally, all Blu ***POSITION.1s sign an NDA regarding all data that they handle in the exercise of their functions. Finally, the employment contracts were modified to include a clause relating to the “Use of information and technology equipment and devices.” -Regarding the lack of notification of this security incident to the AEPD, the following is indicated: “In accordance with the reasons for exception in article 34 of the GDPR, where a series of cases are stated in which this communication will not be mandatory, this company chose not to proceed with the notification of the security breach, since, after the breach, Blu Selection took technical and organizational measures to ensure that there is no possibility of the high risk materializing and, above all, taking into account that it has only occurred on one subject and all actions were directed to prevent the events that occurred from being repeated.” FIFTH: Volume of business or activity: According to the query made on September 8, 2023 in the Axesor Monitoriza service (https://monitoriza.axesor.es/), BLU MANAGEMENT SPAIN SL is a "Self-employed" type company with a sales volume, in the fiscal year 2020, of ***AMOUNT.1 euros. SIXTH: On January 8, 2024, the Director of the AEPD adopted a draft agreement to initiate sanctioning proceedings. Following the process established in article 60 of the GDPR, on January 18, 2024, the aforementioned draft was transmitted through the IMI system and the interested authorities were informed that they had four weeks from that moment to formulate pertinent and reasoned objections. The processing period for the proceedings was automatically suspended for these four weeks, in accordance with the provisions of Article 64 of the LOPDGDD. Within the period for this purpose, the interested supervisory authorities did not submit relevant and reasoned objections in this regard, so it is considered that all the authorities agree with said project and are bound by it, in accordance with the provisions of Article 60 of the GDPR. FUNDAMENTALS OF LAW I Competence C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/18 In accordance with the powers granted to each supervisory authority by article 58.2 and 60 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Preliminary questions In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, the processing of personal data is recorded, since BLU MANAGEMENT collects and stores, among others, the following personal data of natural persons: name, and telephone number, among other processing. BLU MANAGEMENT carries out this activity in its capacity as data controller, since it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR. Furthermore, this is cross-border processing, since BLU MANAGEMENT is established in Spain, although it provides services to other countries in the European Union. Article 4, paragraph 12 of the GDPR broadly defines “personal data security breaches” (hereinafter, security breach) as “any security breach leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure or access to such data.” In the present case, there is a breach of security of personal data in the circumstances indicated above, categorized as a breach of confidentiality, insofar as a friend of BLU MANAGEMENT would have used his position to take the complainant's phone and communicate it to a third party, who contacted the complainant via WhatsApp. Within the principles of treatment provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. III Principle of integrity and confidentiality Article 5.1.f) “Principles relating to treatment” of the GDPR establishes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/18 “1. Personal data shall be: (…) f) processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures ("integrity and confidentiality"). In the present case, it is clear that the personal data of the affected parties, contained in the BLU MANAGEMENT database, were unduly disclosed to a third party, insofar as the complainant has stated that he received a communication via WhatsApp from a third party, in which he informed him that his data (name and telephone number) had been obtained by a person working at BLU MANAGEMENT. Furthermore, BLU MANAGEMENT has stated that, when contacting the person who allegedly shared the telephone number, he has confirmed that he had accessed the complainant's telephone number and communicated it to the third party. For its part, BLU MANAGEMENT has informed the complainant that the person who leaked the data has certified the destruction of their contact information. Therefore, in accordance with the evidence available at this time in order to initiate sanctioning proceedings, and without prejudice to what may result from the investigation, it is considered that the known facts could constitute an infringement, attributable to BLU MANAGEMENT, for violation of article 5.1.f) of the RGPD. IV Classification of the infringement of Article 5.1.f) of the GDPR If confirmed, the aforementioned infringement of Article 5.1.f) of the GDPR could entail the commission of the infringements classified in Article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides: "Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, not more than 4 % of the total annual turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; (…)” For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: “1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/18 a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” V Proposal for a sanction for the infringement of article 5.1.f) of the GDPR For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered that the balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the GDPR, allows for an initial fine of €2,000 (two thousand euros). VI Imposition of measures If the infringement is confirmed, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…” in the resolution adopted, BLU MANAGEMENT may be required to notify this Agency within SIX MONTHS that it has adopted the appropriate measures to adapt its actions to the regulations mentioned in this act, without prejudice to other measures that may arise from the instruction of the procedure. The imposition of these measures is compatible with the sanction consisting of an administrative fine, as provided for in article 83.2 of the GDPR. It is noted that failure to comply with the possible order to adopt measures imposed by this body in the resolution that ends this procedure may be considered as an administrative infringement in accordance with the provisions of the RGPD, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioned procedure. Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED: FIRST: TO INITIATE SANCTIONING PROCEDURE against BLU MANAGEMENT SPAIN, S.L., with NIF B66500661, for the alleged infringement of article 5.1.f) of the RGPD, classified in article 83.5 of the RGPD. SECOND: TO APPOINT R.R.R. as instructor. and, as secretary, to S.S.S., indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/18 THIRD: INCORPORATE into the file, for evidentiary purposes, the documentation from the IMI that has given rise to the prior investigation actions, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this procedure and the documentation from the IMI on the draft decision. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the penalty that may apply would be 2,000 euros, without prejudice to the outcome of the investigation. FIFTH: NOTIFY this agreement to BLU MANAGEMENT SPAIN, S.L., with NIF B66500661, granting it a hearing period of ten working days to formulate the allegations and present the evidence it considers appropriate. In its written allegations, it must provide its NIF and the file number that appears in the heading of this document. If you do not make any objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of objections to this initiation agreement; which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at 1,600 euros, and the procedure will be resolved with the imposition of this sanction. Likewise, the applicant may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed fine, which will involve a 20% reduction in its amount. With the application of this reduction, the fine would be set at 1,600 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for voluntary payment of the fine can be added to the one that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be established at 1,200 euros. In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the withdrawal or waiver of any action or appeal through administrative course against the sanction. If you choose to proceed with the voluntary payment of any of the amounts indicated above (1,600 or 1,200 euros), you must make the payment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/18 into the account number IBAN: ES00-0000-0000-0000-0000-0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are adhering. Likewise, proof of payment must be sent to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid. The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be filed; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 935-30102023 Mar España Martí Director of the Spanish Data Protection Agency >> SECOND: On February 29, 2024, the respondent party has proceeded to pay the penalty in the amount of 1,200 euros using the two reductions provided for in the Initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal in administrative course against the penalty and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement and its legal qualification. FOURTH: In the initiation agreement transcribed above it was indicated that, if the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the cited article 58.2 d) of the RGPD, according to which each control authority may "order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...". Having acknowledged the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate. LEGAL BASIS I C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/18 Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants to each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement. 3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.” In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202209596, in accordance with the provisions of article 85 of the LPACAP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/18 SECOND: ORDER BLU MANAGEMENT SPAIN, S.L. to notify the Agency within 6 months from the date this resolution becomes final and enforceable of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to BLU MANAGEMENT SPAIN, S.L.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Disputes Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Disputes Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1259-151024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es