AEPD (Spain) - EXP202412881: Difference between revisions
Latest revision as of 08:56, 12 March 2025
AEPD - EXP202412881 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 03.02.2025 |
Decided: | 03.03.2025 |
Published: | 03.03.2025 |
Fine: | 1,000,000 EUR |
Parties: | IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 |
National Case Number/Name: | EXP202412881 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | cwa |
An insurance company was fined €1,000,000 by a DPA after a coding error caused the personal data, including special category data, of 3,395 individuals to be erroneously sent via email to 354 recipient companies.
English Summary
Facts
The controller, Ibermutua, is an insurance company and partner of the Spanish Social Security System. It digitises and manages queries and complaints concerning the eligibility of workers, at companies using its platform, for financial benefits when they fall ill.
In July 2024, a weekly email sent by the controller contained a coding error and as a result additional attachments were inadvertently included in emails being sent to partner companies. The personal data of 3,395 data subjects (including special category data), all employees of partner companies, was sent to a total of 354 recipient partner companies. The personal data was comprised of: name and surname, tax identification number, social security number, age, sick leave status, date of employment, date of leaving, number of sick days taken, employee’s company, reason for sick leave, expected number of days sick leave to be taken, total cost of the process, National Occupational Code of the employee, the employee’s eligibility for the financial benefit, whether the illness was due to a work accident, whether the illness was due to a traffic accident, and the sex of each employee.
Eight complaints were filed with the Spanish DPA (AEPD) by data subjects between August and September 2024.
Holding
The DPA found that the controller had infringed Article 5(1)(f) GDPR. This principle requires that personal data is processed in a manner which ensures its security.
In doing so, the DPA highlighted the large number of emails sent by the controller (~250,000 per month) and was critical of the lack of corresponding security measures. The DPA noted that both the volume of emails being sent and the sensitivity of the personal data in question warranted control mechanisms to prevent or detect errors in the configuration of the email sending procedure.
The DPA considered the infringement to be of a serious nature, considering both the large number of data subjects involved in the breach, as well as the inclusion in the breach of special category data. Accordingly, a fine of €1,000,000 was imposed.
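As an added illustration (not part of the decision and not the controller's own code) of the kind of control the DPA describes, the following pre-send guard tags every attachment with the partner company it belongs to and blocks any message in a batch that carries another company's file or an unexpected number of attachments. The attachment-selection bug is modelled as a selector that ignores its company argument; all names, data and the `expected_per_mail` setting are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Attachment:
    filename: str
    company_id: str  # company whose employees' data the file contains

@dataclass
class OutgoingMail:
    recipient_company: str
    attachments: list

@dataclass
class BatchReport:
    blocked: list = field(default_factory=list)   # (recipient, reasons)
    sendable: list = field(default_factory=list)  # recipients cleared to send

def check_batch(mails, expected_per_mail=1):
    """Return a BatchReport. A mail is blocked if any attachment is scoped to a
    different company, or if its attachment count departs from the configured
    expectation (a cheap signal that the selection code has regressed)."""
    report = BatchReport()
    for mail in mails:
        foreign = [a.filename for a in mail.attachments
                   if a.company_id != mail.recipient_company]
        if foreign:
            report.blocked.append((mail.recipient_company, foreign))
        elif len(mail.attachments) != expected_per_mail:
            report.blocked.append((mail.recipient_company, ["count mismatch"]))
        else:
            report.sendable.append(mail.recipient_company)
    return report

def batch_is_clean(report):
    return not report.blocked

# Constructed sample data (hypothetical companies A, B, C; not real records).
REPORTS = [Attachment("sick_leave_A.csv", "A"),
           Attachment("sick_leave_B.csv", "B"),
           Attachment("sick_leave_C.csv", "C")]

def build_batch(companies, select_for):
    """select_for(company) returns the attachments for that company's mail."""
    return [OutgoingMail(c, select_for(c)) for c in companies]

def correct_selector(company):
    return [a for a in REPORTS if a.company_id == company]

def buggy_selector(company):   # models the coding error: company is ignored
    return list(REPORTS)
```

Running `check_batch(build_batch(["A", "B", "C"], buggy_selector))` blocks all three messages before anything is sent, while the correct selector yields a clean batch.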
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.