AEPD (Spain) - PS/00187/2020: Difference between revisions
mNo edit summary |
m (Ar moved page AEPD - PS/00187/2020 to AEPD (Spain) - PS/00187/2020) |
||
(One intermediate revision by one other user not shown) | |||
Line 61: | Line 61: | ||
===Facts=== | ===Facts=== | ||
On 14 January 2020, the Subdirectorate-General for Nationality and Civil Status notified the Spanish | On 14 January 2020, the Subdirectorate-General for Nationality and Civil Status notified the Spanish DPA (hereinafter AEPD) of a security breach of personal data dated 22/11/2019 after becoming aware through an e-mail by a citizen of notification of granting of Spanish nationality corresponding to another person. | ||
The notified security breach | The notified security breach concerned 34 affected persons and subsequently incorporated 2 more, up to 36. These breaches all related to decisions of nationality being unduly shared with third parties. The security breach was communicated to the interested parties on 16/01/2020. | ||
The security gap had its technical origin in a modification in the process of generating decisions to grant nationality by residence that had been made in the application for processing nationality by residence files. | The security gap had its technical origin in a modification in the process of generating decisions to grant nationality by residence that had been made in the application for processing nationality by residence files. | ||
===Dispute=== | ===Dispute=== | ||
Is the infringement of the principles of integrity and confidentiality in granting nationality and residence a breach of Articles 5(1) (f), 25, 32, and 34 GDPR? | Is the infringement of the principles of integrity and confidentiality in granting nationality and residence a breach of Articles 5(1)(f), 25, 32, and 34 GDPR? | ||
===Holding=== | ===Holding=== | ||
The Secretary-General for Innovation and Quality of the Public Justice Service (SGICSPJ) did not apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk | The Secretary-General for Innovation and Quality of the Public Justice Service (SGICSPJ) did not apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk. This is evident as it has been proven that third parties had access to information reserved for the interested party (the applicant, a Spanish national) as a result of the malfunctioning of the new version of the application. | ||
The AEPD considered Articles 25, 32 and 34 GDPR in relation to Article 5(1)(f) GDPR to have been infringed | The AEPD considered Articles 25, 32 and 34 GDPR in relation to Article 5(1)(f) GDPR to have been infringed as a result of the security breach caused by the transmission of personal data to third parties in the processes of granting Spanish nationality and the residence permit of foreign nationals. | ||
==Comment== | ==Comment== |
Latest revision as of 14:08, 13 December 2023
AEPD - PS/00187/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 25 GDPR Article 32 GDPR Article 34 GDPR Article 77 LOPDPGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 16.11.2020 |
Published: | |
Fine: | None |
Parties: | Secretaría General para la Innovación y Calidad del Servicio Público de Justicia |
National Case Number/Name: | PS/00187/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falco |
The Spanish DPA (AEPD) imposed a warning sanction against the Secretary General for Innovation and Quality of the Public Justice Service for a security breach (Articles 5(1)(f), 25, 32 and 34 GDPR), in the process of granting nationality and residence to immigrants.
English Summary
Facts
On 14 January 2020, the Subdirectorate-General for Nationality and Civil Status notified the Spanish DPA (hereinafter AEPD) of a security breach of personal data dated 22/11/2019 after becoming aware through an e-mail by a citizen of notification of granting of Spanish nationality corresponding to another person.
The notified security breach concerned 34 affected persons and subsequently incorporated 2 more, up to 36. These breaches all related to decisions of nationality being unduly shared with third parties. The security breach was communicated to the interested parties on 16/01/2020.
The security gap had its technical origin in a modification in the process of generating decisions to grant nationality by residence that had been made in the application for processing nationality by residence files.
Dispute
Is the infringement of the principles of integrity and confidentiality in granting nationality and residence a breach of Articles 5(1)(f), 25, 32, and 34 GDPR?
Holding
The Secretary-General for Innovation and Quality of the Public Justice Service (SGICSPJ) did not apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk. This is evident as it has been proven that third parties had access to information reserved for the interested party (the applicant, a Spanish national) as a result of the malfunctioning of the new version of the application.
The AEPD considered Articles 25, 32 and 34 GDPR in relation to Article 5(1)(f) GDPR to have been infringed as a result of the security breach caused by the transmission of personal data to third parties in the processes of granting Spanish nationality and the residence permit of foreign nationals.
Comment
Since Article 77 of the Organic Law on the Protection of Personal Data and Guarantees of Digital Rights (LOPDPGDD) limits the penalties for infringements by public administrations to a warning, no pecuniary fine was imposed on the offending public administration in this case.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/17 Procedure No.: PS / 00187/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and with based on the following BACKGROUND FIRST: On January 14, 2020, the Subdirectorate General for Nationality and Civil Status (hereinafter, SGNEC) attached to the General Directorate of Registries and of the Notary Public (currently the General Directorate of Legal Security and Public Faith, in hereinafter, DGSJFP) currently organically and functionally dependent on the General Secretariat for Innovation and Quality of the Public Justice Service (in hereinafter, SGICSPJ) of the Ministry of Justice, notifies this Spanish Agency for Data Protection (hereinafter, AEPD) a data security breach personal information (hereinafter, security breach) after having knowledge through a email by a citizen of a notification of granting of the Spanish nationality corresponding to another person (treatment related to the app *** APP.1). The SGNEC contacted by telephone the director of the Technology Division of Information and Communications of the Ministry of Justice (currently Division of Technologies and Digital Public Services, hereinafter, DTSPD) to know the nature and scope of the problem and the number of potential notifications affected. Finally, having confirmed the security breach, the SGNEC states that it was decided to stoppage of automated notifications until the cause and scope of the incident and its resolution. SECOND: On February 4, 2020, the director of the AEPD agrees initiate investigation actions, for which the Subdirectorate General of Inspection of Data proceeded to carry out preliminary investigation actions for the clarification of the facts object of the notification, having knowledge of the following extremes: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/17 BACKGROUND Date of the events: *** DATE.1 Date of detection of the security breach: *** DATE.2 Date of notification of security bankruptcy: 01/14/2020 INVESTIGATED ENTITIES General Directorate of Legal Security and Public Faith of the Ministry of Justice with NIF S2813610I and DIR3 E00131304, and with address at Plaza de Jacinto Benavente 3, 28012 Madrid (organically and functionally attached to the SGICSPJ with NIF S2813610I and DIR3 E05077001 as data controller). RESULT OF INVESTIGATION ACTIONS 1. Regarding the facts: Around 2:30 p.m. on *** DATE.2, the SGNEC states that it received telephone communication regarding the receipt of an email electronic by a citizen of a notification of granting of the Spanish nationality by residence corresponding to another applicant. In that At the moment, the SGNEC contacted the DTSPD by telephone to find out the nature of the problem and the number of potentially affected by the security breach, and it was decided to stop the automated notifications until the cause of the incident is known and solved. No copy of the citizen's email is provided. The SGNEC informs that on January 13, 2020 it received from the DTSPD base report of the notification of the security bankruptcy that was communicated to the AEPD on January 14, 2020. From the aforementioned report, the SGNEC states that the incident reached 34 cases and subsequently incorporated another 2 more, up to 36, of the 23,394 nationality resolutions resolved until that moment. The intervention of the Delegate of Protection of Data as indicated in art 39 of the RGPD. The SGNEC declares that it has attached said report to the AEPD in its notification bankruptcy, and specifies the following: "The problem had its origin in a modification in the generation process of resolutions granting nationality by residence that had been made in the application *** APPLICATION.1, of processing of files of nationality by residence, on *** DATE.1 ”. The SGNEC informs that the detected failure originated when attaching the certificate of birth of the nationality applicant to the document of resolution of granting of nationality. The high number of resolutions generated from C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/17 concurrently is the consequence of a reinforcement plan that punctually implies a scenario of high concurrence of requests. Likewise, the SGNEC adds that this reinforcement plan has involved the participation of a number much higher number of processing personnel than initially foreseen in the design of the application. The SGNEC indicates that the personal data affected in the breach of security would correspond to the NIE (Foreigner Identification Number), name, surname, place and date of birth, address at the time of submit the application, the concession of nationality and a copy of the birth certificate (which again includes date and place information birth and name and surname of the parents). The SGNEC reports that it has registered two other incidents of security of personal data, on 06/28/2019 and 10/31/2019, also with incorrect notifications due to the error of recipients when communicating concessions of nationality, with 11 and 70 people affected respectively and already solved. The SGNEC states that the incident that occurred on 06/28/2019 derived from the process of sending telematic notifications for an incident in the application database, while that of 10/31/2019 consisted of an incorrect handling of exceptions in the case of saturation of different systems with which the application interacts, including the signature holder of the Ministry of Justice. The Data Inspection confirms that, on 09/05/2018, the AEPD issued a resolution of sanctioning procedure, of reference AP / 00049/2018, in which the now investigated to the General Directorate of Registries and Notaries dependent on the Undersecretary of Justice (now DGSJFP, dependent on the SGICSPJ). Specifically, in the aforementioned sanctioning file it was accredited that “The Information Technology and Communications Division of the Ministry of Justice reported that the service did not contemplate the attendance and he made a mistake when composing the birth certificate. He took and page that listed in the certificate are correct and correspond to the data of your birth registration, but the content with the digitized image are the of another request, that of marriage ”. (the underlining is from the AEPD). 2. Regarding the measures prior to the event of the security bankruptcy: The SGNEC is currently identified in the RAT (registry of treatment activities) of the Ministry of Justice as responsible for the processing of data in the management of applications for Spanish nationality. The SGNEC provides an internal working document to update the RAT in that DTSPD is specified as joint controller now analyzed as of January 2020. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/17 The SGNEC states that it has carried out an EIPD (impact assessment on data protection) in June 2019, which contains an analysis of risks associated with the data processing it manages. The SGNEC has a report on actions derived from the EIPD in the management of applications for Spanish nationality, which aims to minimize the potential risks analyzed through the implementation of various corrective actions to reduce them to residual risks that have resulted be of high level. The DTSPD, as joint controller of the treatment (according to the RAT provided and in force since January 2020), has a procedure on the quality of the software projects of the Ministry of Justice throughout its entire life cycle, which serves as the basis for its construction and development in the defining the phases that govern the analysis and design of the solution, as well as the tests to be carried out in the different environments (development, integration, quality and pre-production), until its definitive implementation in the production environment, and active monitoring after it is put into production. 3. Regarding the measures after the occurrence of the security breach: 3.1. Of a corrective nature (reactive to correct the security gap): The SGNEC states that, once the incident is known, on *** DATE.2 at 2:30 p.m., the signature and notification process was blocked automated concessions of Spanish nationality in the application involved (*** APPLICATION.1). On Tuesday, January 14, 2020, the security breach is notified to the AEPD. The SGNEC states that on Wednesday, January 15, 2020 at 3:50 p.m. hours, the Citizen Folder is removed from the notifications electronic documents of the concessions of Spanish nationality issued with erroneous content when referring to another applicant for nationality. The SGNEC provides evidence that on Thursday, January 16, 2020, the 72 notices electronically signed communicating the security breach both to the addressees of the resolutions and to the people who received erroneously, received acknowledgments were completed, envelopes and delivery notes for postal delivery to those interested. The SGNEC states that on January 21, 2020 the departure was registered from the General Registry of the Ministry of Justice the relationship of administrative notifications along with envelopes, acknowledgments and delivery notes for processing communications to interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/17 The SGNEC informs that the signature process will be enabled again on the 23rd January 2020 at 3:40 p.m., not the notification process automatic granting of Spanish nationality that continued blocked as of February 26, 2020. The SGNEC states that as of Friday, January 24, 2020 at 9:00 am they begin to make notifications of granting nationality manually after checking that the document to notify is correct. 3.2. Of a preventive nature (proactive to avoid a repeat bankruptcy of security): DTSPD states that it has designed in the application *** APPLICATION.1 a more robust measure that checks the content of documents of granting Spanish nationality prior to notification, in such a way that no document can be notified corresponding in contents with the treated file. SGNEC informs that a prior quality control protocol has been established (not details it) to ensure that the document to be notified is correct, the notification being carried out manually and supervised. The DTSPD states that the new version is in the testing phase of the application that incorporates in the notification process the reading and checking the content of the document to be communicated with character prior to notification. The SGNEC conveys that the new version of the application is (as of February 26, 2020) undergoing controls quality tests (functional tests, performance tests and concurrence). DTSPD reports having detected the source of the security breach in improper handling of temporary files when attaching the birth certificate to the nationality grant resolution. Additionally, the SGNEC highlights that it is working on the implementation of an automatic process that goes through the forms of the application and that allows to carry out a quality control in addition to the performed in the application options, in such a way as to guarantee that the resolutions granting Spanish nationality are notified correctly. On the date of this agreement to initiate the Data Inspection of the AEPD has not been informed of the progress and the guarantees established / implemented in the new app / version of grant notifications nationality, as well as the tests in the new version of November 2019 carried out, risk analysis, impact assessment on the rights and freedoms of the interested parties and if the incident has been resolved. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/17 THIRD: On July 9, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of Article 32 of the RGPD, Article 5.1.f) of the RGPD, Article 25 of the RGPD, typified in Article 83.5 of the RGPD. FOURTH: On October 7, 2020, a resolution proposal was formulated, proposing in the following terms: << That the Director of the Spanish Data Protection Agency sanctions the General Secretariat for Innovation and Quality of the Public Justice Service, with NIF S2813610I, by: 1. Infringement of article 5.1.f) of the RGPD typified in article 83.5.a) of the RGPD with penalty of warning. 2. Infringement of articles 25, 32 and 33 of the RGPD in relation to the article 5.1.f) of the RGPD, typified in article 83.4.a) of the RGPD with sanction of awareness. 3. Violation of article 34 of the RGPD in relation to article 5.1.f) of the RGPD, typified in article 83.4.a) of the RGPD, with penalty of warning. 4. And require the SGICSPJ to contribute to this AEPD a summary of the final result of the action plan, already started in February 2020, by which the more robust security measures in data processing in the applicative *** APPLICATION. 1 for which it is responsible for protection of data through the SGNEC >>. FIFTH: On 10/23/2020 the investigated submitted allegations to the proposal of resolution in the following terms: In the first place, the investigated considers that there was no integrity breach, since that as defined by the National Security Scheme (ENS), integrity is that “property or characteristic consisting in that the information asset has not been altered in an unauthorized manner ”, so it does not apply to the present case. In this regard, it should be noted that the new principle of integrity, previously called security, included in article 5.1. f) of the RGPD, brings cause of the provisions of the Article 1 of the aforementioned regulation (object of the RGPD) regarding the processing of data personal in a broad sense and with a temporal projection regardless of the specific data that are subject to treatment, and not only with respect to specific data and static in time for a given treatment. Consequently, the claim must be rejected. Second, regarding the confidentiality dimension of the processed data, the investigated indicates that it was limited to 36 direct people and another 36 indirectly, so that a number of finite and determined people were produced, and not a undetermined number of people, as indicated in article 25.2 of the RGPD. In this sense, it is meant that the indeterminacy referred to in the article 25.2 of the GDPR refers to the default design principle under which the technical and organizational measures applied will guarantee in particular that, by default, personal data is not accessible to an undetermined number of people C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/17 physical, and not the number of people affected by the gap. Consequently, the claim must be rejected. Third, it provides a set of measures adopted of a reactive nature and proactive, from which diligent conduct is derived in order to minimize the impact of the gap and prevent similar situations from recurring in the future. In this sense provides documentary on new quality actions in the code, tests functional that specifically contemplate the concurrence of requests and composition of documents to be notified, life cycle review, training of the development and periodic monitoring plan of the code quality plan. Fourth, the investigated provides documentary on the tender of a file contracting for the adaptation of the treatments carried out in the unit to ENS, starting its execution in September 2020, reinforcing the policies of security both by the personnel assigned to the DTSPD and its main service providers acting as data processors. To this end, It provides a list of technical prescriptions that govern said contract. Fifth, the investigated provides notification to the AEPD of the gaps in security dates 06/28/2019 and 10/31/2019. Finally, the investigated report on the new scenario of co-responsibility in the treatments as indicated in article 26 of the RGPD by the DTSPD. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS FIRST: On January 14, 2020, the Subdirectorate General for Nationality and Civil Status (hereinafter, SGNEC) attached to the General Directorate of Registries and of the Notary Public (currently the General Directorate of Legal Security and Public Faith, in hereinafter, DGSJFP) currently organically and functionally dependent on the General Secretariat for Innovation and Quality of the Public Justice Service (in hereinafter, SGICSPJ) of the Ministry of Justice, notifies this Spanish Agency for Data Protection (hereinafter, AEPD) a data security breach personal dated 11/22/2019 after having knowledge through an email electronic by a citizen of a notification of granting of the Spanish nationality corresponding to another person (treatment related to the app *** APP.1). SECOND: The reported security breach reaches 34 affected and later they incorporated another 2 more, up to 36, all of them related to resolutions of nationality unduly notified to third parties. The security breach It was communicated to the interested parties on 01/16/2020. THIRD: The security breach had its technical origin in a modification in the process of generation of resolutions granting nationality by residence that had been made in the application *** APPLICATION.1, processing of nationality files by residence, on *** DATE. 1. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/17 FOURTH: The fault detected originated by attaching the birth certificate of the nationality applicant to the nationality grant resolution document as a consequence of the high number of resolutions generated in a concurrent. FIFTH: The personal data affected in the security breach would correspond to the NIE (Foreigner Identification Number), name, surname, place and date of birth, address at the time of submitting the application, the granting of nationality and copy of the birth certificate (which again contains data date and place of birth and name and surname of the parents). SIXTH: It is established that the SGNEC, organically dependent on the SGICSPJ, has registered two other personal data security incidents, on dates 06/28/2019 and 10/31/2019, also with incorrect notifications due to error recipients when communicating nationality concessions, with 11 and 70 people affected respectively and already solved. These security breaches were duly notified to the AEPD but there is no evidence that they were communicated to the affected. SEVENTH: On 09/05/2018, the AEPD issued a procedural resolution reference sanctioner AP / 00049/2018, in which it was sanctioned by the same facts to those now investigated to the General Directorate of Registries and Notaries dependent on the Undersecretary of Justice (now DGSJFP, dependent of the SGICSPJ). Specifically, in the aforementioned sanctioning file it was accredited and thus it is stated in the proven facts that "The Information Technology Division and Communications of the Ministry of Justice reported that the service did not contemplate the concurrence and made a mistake when composing the birth certificate ”. EIGHTH: Regarding the treatments carried out by the SGNEC, there has been evidence carried out a DPIA (impact assessment on data protection) in June of 2019, which contains a risk analysis (AR) associated with the data processing that manages. However, there is no update of the AR and EIDP in the modifications of the treatments carried out on 11/22/2019 that resulted in the security breach from that date. However, in allegations the proposal of resolution, the adequate update to the RGPD, LOPDGDD and ENS of the treatments carried out by the researcher as well as the implantation of the both active and proactive corrective measures to avoid recurrence in the future of similar events. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the General Regulation of Protection of Data (hereinafter RGPD) recognizes each control authority, and according to established in articles 47 and 48 of the Organic Law on Data Protection and Digital Rights Guarantee (hereinafter LOPDGDD), the Director of the Agency Spanish Data Protection is competent to initiate and resolve this process. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/17 II Definitions: Article 4.12 of the RGPD, "violation of the security of personal data": all breach of security resulting in accidental destruction, loss or alteration or illicit personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to said data. Article 4.7 of the RGPD, "data controller" or "controller": the person physical or legal, public authority, service or other body that, alone or together with others, determine the purposes and means of the treatment; if the law of the Union or of the Member States determine the purposes and means of the treatment, the person responsible for the treatment or the specific criteria for their appointment may be established by the Law of the Union or of the Member States ”. III In the present case, in accordance with the provisions of the aforementioned article 4.7 of the RGPD and in the RD 453/2020, of March 10, which develops the basic organic structure of the Ministry of Justice, article 3.1, corresponds to the SGICSPJ the direction, impulse and management of ministerial powers related to civil status and nationality, to through the DGSJFP (art 7.1.b) of the aforementioned RD) that processes and resolves the files Nationality. Consequently, at present the SGICSPJ is responsible for the treatments of personal data in all the actions carried out by the different organic units attached to it relative to civil status and nationality, whenever that, as indicated in article 4.7 of the aforementioned RGPD, is the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the treatment, in coherence with the provisions of article 3 of the aforementioned RD 453/2020 whereby the SGICSPJ is responsible for the “direction, promotion and management of Ministerial powers related to civil status and nationality… “. It should be noted that although the General Secretariat for Innovation and Quality of the Public Justice Service was not responsible for data processing now analyzed at the time of the security breach (s) (dated 06/28/2019, 10/31/2019 and 11/22/2019), it is true that with the current basic structure of the The Ministry of Justice is responsible for carrying out the mandatory regularizations in the data processing for which it is responsible and promote with due diligence its compliance with the RGPD. IV Article 5.1.f) of the RGPD, Principles relating to treatment, states the following: "1. The personal data will be: (…) f) treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ('integrity and confidentiality') ”. In the present case, the security breach must be classified as integrity and confidentiality as a consequence, in the first place, of the lack of security adequate and appropriate technical or organizational measures (integrity), and secondly place for unauthorized access to personal data by third parties C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/17 (confidentiality), both principles regulated in the same article 5.1.f) of the RGPD transcribed above. V Establishes Article 25 of the RGPD, the following: "Data protection by design and by default 1. Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and seriousness that the treatment entails for the rights and freedoms of individuals the data controller will apply, both at the time of determining the means of treatment such as at the time of treatment itself, technical measures and appropriate organizational measures, such as pseudonymisation, designed to apply effective data protection principles, such as data minimization, and integrate the necessary guarantees in the treatment, in order to meet the requirements of the these Regulations and protect the rights of the interested parties. 2. The person responsible for the treatment will apply the technical and organizational measures appropriate in order to ensure that, by default, they are only processed the personal data that are necessary for each of the specific purposes of the treatment. This obligation will apply to the amount of personal data collected, to the extension of its treatment, its conservation period and its accessibility. Such measures will ensure in particular that, by default, personal data is not accessible, without the intervention of the person, to an indeterminate number of people physical. 3. A certification mechanism approved in accordance with Article 42 may be used as an element that proves compliance with the obligations established in the sections 1 and 2 of this article ”. In this sense, and with regard to the allegation that the security breach that gave rise to the sanctioning procedure AP / 00049/2018 (resolved on 09/05/2018) corresponds to "completely different data processing", it should be noted that the origin of the gaps analyzed has a common cause in the lack of foresight since the design of the concurrency factor in the processes of both applications (*** APPLICATION.2 and *** APPLICATION.1). Article 32 of the RGPD establishes the following: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of individuals physical, the controller and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, that in your case include, among others: a) pseudonymisation and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore the availability and access to personal data of quick way in case of physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/17 2. When evaluating the adequacy of the security level, particular attention will be paid to takes into account the risks presented by the data processing, in particular as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data ”. Article 34.1 of the RGPD establishes the following: "1. When it is probable that the violation of the security of personal data entails a high risk for the rights and freedoms of natural persons, the responsible for the treatment will communicate it to the interested party without undue delay. " Regarding article 32, it is established that the person responsible for the treatment did not apply the appropriate technical and organizational measures to ensure a level of security appropriate to risk; risk that was not even evaluated in the update of the new version of the application *** APPLICATION. 1. Regarding article 34, it should be noted that the actions carried out are It follows that the SGICSPJ, through the SGNEC, notified this AEPD of the gap in security of personal data dated *** DATE.1 and communicated it to the interested parties on 01/16/2020. However, the investigated also affirms that there were two gaps of similar and previous security to the one now investigated. It appears in the allegations to the resolution proposal that the gaps of dates 06/26/2019 and 10/31/2019 were notified to this AEPD (art 33 RGPD) but there is no evidence that they have been communicated to the interested parties (art 34 RGPD), although the first states in the notification that will communicate to the interested parties but there is no record of completion and, in the second, it is stated that It was communicated to the interested parties by telephone but there is no record of it. SAW Article 24 of the RGPD, responsibility of the data controller, indicates what next: "1. Taking into account the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of natural persons, the data controller will apply measures appropriate technical and organizational measures in order to ensure and demonstrate that the treatment is in accordance with this Regulation. These measures will be reviewed and will update when necessary. 2. When they are provided in relation to the treatment activities, between the measures mentioned in section 1 shall include the application, by the responsible for the treatment, of the appropriate data protection policies ”(…). VII From the facts described, it appears that the SGICSPJ, as responsible for the treatments now analyzed and through their organs hierarchically dependent, did not apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, since it is proven that third parties had access to information reserved to the interested party (applicant of Spanish nationality) as a consequence of the malfunction in the commissioning production of the new version of the application *** APPLICATION.1 that manages the DGSJFP through SGNEC, both hierarchically dependent on SGICSPJ. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/17 The risks in the treatment contemplated in the new version of the application *** APPLICATION. 1 should have been taken into account and evaluated by the person responsible for the treatment (SGICSPJ) through the mandatory risk analysis and where appropriate impact assessment and, based on it, have established the measures technical and organizational that would have prevented the loss of control of the data personal data of applicants for Spanish nationality as a result of the repeated and already known lack of anticipation of concurrent processes in the treatment of data of the different applications (APLIACIÓN.1 and APLIACIÓN.2). It should be emphasized that the level of risk and the impact were already known with advance since there is in this AEPD a sanctioning file for facts similar (AP / 00049/2018 and resolution date of 09/05/2018) and, in addition, the SGNEC notes that similar events were recorded on dates prior to the security breach dated 11/22/2019, specifically on 06/28/2019 and 10/31/2019. It also appears in the aforementioned previous sanctioning procedure that the current DTSPD informed the SGNEC that “the service did not contemplate the attendance and made a mistake when compose the birth certificate… ”and, nevertheless, a year later it was repeated on three other occasions faithfully the incident for the same cause. The consequence of this absence in the control of data processing from the design and by default (art 25 RGPD) and the implementation of security measures appropriate (art 32 RGPD) to the risk of the new version of the application *** APPLICATION.1 causing the date gap *** DATE.1, was the loss of integrity and confidentiality of personal data, violating the two principles contained in article 5.1.f) of the RGPD. VIII Article 83.4 of the RGPD provides the following: "4. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; " In the present case, articles 25, 32 and 34 of the RGPD, typified in article 83.4 of the RGPD transcribed above. Article 83.5 of the RGPD provides the following: "5. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/17 a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9; " In the present case, article 5.1.f) of the RGPD is once again violated, this once referred to the principle of confidentiality, for which the classification which indicates article 83.5 of the RGPD transcribed above. For its part, article 71 of the LOPDGDD, under the heading "Infractions" determines what following: The acts and behaviors referred to in the paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law. Establishes article 72 of the LOPDGDD, under the heading of considered infractions very serious, the following: “1. Based on the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679 ”. It establishes article 73 of the LOPDGDD, under the heading “Infractions considered bass ", the following:" 1. Based on what is established in article 83.4 of the Regulation (EU) 2016/679 are considered serious and will prescribe after two years the offenses that involve a substantial violation of the aforementioned articles in that and, in particular, the following: (…) d) The lack of adoption of those technical and organizational measures that result appropriate to effectively apply the principles of data protection from the design, as well as the non-integration of the necessary guarantees in the treatment, in the terms required by article 25 of Regulation (EU) 2016/679. (…) f) The lack of adoption of those technical and organizational measures that result appropriate to ensure a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679. g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679. (…) r) Failure to comply with the duty to notify the data protection authority of a breach of personal data security in accordance with the provisions of Article 33 of Regulation (EU) 2016/679 (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/17 t) The processing of personal data without having carried out the evaluation of the impact of processing operations on the protection of personal data in the assumptions in which it is required. (…) ”. This section, in relation to changes made on *** DATE.1 in the app *** APPLICATION.1. It establishes article 74 of the LOPDGDD, under the heading “Infractions considered mild ”, the following:“ They are considered mild and will prescribe the remaining merely formal infractions of the articles mentioned in the paragraphs 4 and 5 of Article 83 of Regulation (EU) 2016/679 and, in particular, the following: (…) ñ) Failure to comply with the duty to notify the affected party of a violation of the data security that poses a high risk to the rights and freedoms of the affected, as required by article 34 of Regulation (EU) 2016/679, Unless the provisions of article 73 s) of this organic law are applicable ”. From all the above, the following is concluded: Regarding the classification of infractions of article 83.5.a) of the RGPD - Violation of the principle of confidentiality (art 5.1.f) RGPD), is considered very serious offense for the purposes of prescription (three years) as indicated in article 72.1.a) of the LOPGDD, punishable by warning as provided in article 77.2 of the LOPDGDD. Regarding the classification of infractions of article 83.4.a) of the RGPD - Lack of diligence when implementing data protection from design (art 25 RGPD in relation to article 5.1.f) of the RGPD), the absence, breach lack of due diligence in the application of security measures appropriate depending on the risk (art 32 RGPD in relation to article 5.1.f) of the RGPD), are considered serious infringements for the purposes of prescription (two years) as indicated in article 73.d), f), g) and t), of the LOPGDD and punishable with warning according to article 77.2 of the LOPDGDD. - Lack of communication to stakeholders of the date security breach 06/28/2020 and dated 10/31/2019 (article 34 of the RGPD in relation to article 5.1.f) of the RGPD) considered a minor infringement for the purposes of prescription (one year) as indicated in article 74.ñ) of the LOPGDD and punishable by warning according to article 77.2 of the LOPDGDD. Consequently, the violation of both principles (integrity and confidentiality) they constitute the element of guilt that requires the imposition of sanction. It should be emphasized that the absence of consideration of the risk already known and previously sanctioned by this AEPD in the aforementioned sanctioning procedure (AP / 00049/2018) and after both security breaches prior to the current date 06/28/2019 and 10/31/2019, has again led to improper access by third parties unrelated to the personal data of the interested party and repeatedly affecting the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/17 principles of integrity and confidentiality, aggravates culpability and sanctioner of the conduct carried out by the SGICSPJ. IX Article 58.2 of the RGPD establishes the following: 2. Each supervisory authority shall have all the following powers corrective measures listed below: (…) b) sanction any person responsible or in charge of the treatment with warning when the processing operations have violated the provisions of these Regulations; Establishes article 76 of the LOPDGDD under the heading "Sanctions and measures corrective “, the following: 1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article. (…) 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679. X However, the LOPDGDD in its article 77, Regime applicable to certain categories of data controllers or managers, establishes the following: "1. The regime established in this article will be applicable to the treatments of who are responsible or in charge: (…) c) The General Administration of the State, the Administrations of the communities autonomous entities and the entities that make up the Local Administration. (…) 2. When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will dictate resolution sanctioning them with warning. The resolution will establish Likewise, the measures to be adopted to stop the conduct or to correct the effects of the offense that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/17 3. Without prejudice to the provisions of the previous section, the protection authority of data will also propose the initiation of disciplinary actions when there are sufficient evidence for it. In this case, the procedure and the penalties to apply will be those established in the legislation on disciplinary or sanctioning regime that result of application. Likewise, when the infractions are attributable to authorities and managers, and certify the existence of technical reports or recommendations for the treatment that had not been duly addressed, in the resolution imposing the The sanction will include a warning with the name of the position responsible and will order the publication in the Official Gazette of the State or Autonomous corresponds. 4. The resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. 6. When the competent authority is the Spanish Agency for Data Protection, this will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the person in charge of the treatment that had committed the infringement. When the competence corresponds to an autonomous authority for the protection of data will be, in terms of the advertising of these resolutions, to what your specific regulations ”. Of the evidence available according to the facts proven in the present sanctioning procedure, is accredited by the person in charge (the SGICSPJ) violation of the provisions of articles 5.1.f) and 25, 32 and 34 in relation to 5.1.f) of the RGPD in the terms described above. In the supposed object of this procedure, it is considered that the appropriate measures to prevent the security incident from reoccurring referred, so the person responsible for the adoption of new measures is not required. Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE the GENERAL SECRETARIAT FOR INNOVATION AND QUALITY OF THE PUBLIC JUSTICE SERVICE, with NIF S2813610I, by: 1. Infringement of article 5.1.f) of the RGPD typified in article 83.5.a) of the RGPD with penalty of warning. 2. Violation of articles 25 and 32 of the RGPD in relation to article 5.1.f) of the RGPD, typified in article 83.4.a) of the RGPD with sanction of awareness. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/17 3. Violation of article 34 of the RGPD in relation to article 5.1.f) of the RGPD, typified in article 83.4.a) of the RGPD, with penalty of warning. SECOND: NOTIFY this resolution to the GENERAL SECRETARIAT FOR THE INNOVATION AND QUALITY OF THE PUBLIC JUSTICE SERVICE, with NIF S2813610I. THIRD: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure according to art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es