APDCAT (Catalonia) - PS 57/2023: Difference between revisions
(→Facts) |
mNo edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 63: | Line 63: | ||
}} | }} | ||
The DPA fined a controller €3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational center without using the blind copy option. | The Catalan DPA fined a controller €3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational health center without using the blind copy option. | ||
== English Summary == | == English Summary == |
Latest revision as of 14:16, 17 April 2024
APDCAT - PS 57/2023 | |
---|---|
Authority: | APDCAT (Catalonia) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Artículo 85, Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas (LPAC) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.01.2024 |
Published: | |
Fine: | 3000 |
Parties: | Eulen, Servicios sociosanitarios SA |
National Case Number/Name: | PS 57/2023 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Catalan, Valencian |
Original Source: | Autoritat Catalana de Protecció de Dades (in CA) |
Initial Contributor: | lm |
The Catalan DPA fined a controller €3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational health center without using the blind copy option.
English Summary
Facts
On 18 February 2023, 5 May 2023, 8 May 2023, 10 May 2023 and 14 June 2023, the Catalan DPA received a number of complaints against Eulen, Servicios sociosanitarios SA (the controller), an occupational center for people with disabilities. The complaints claimed that on six occasions, employees of the controller sent several emails to the family and guardians of patients without using the blind copy option (BCC).
The emails were sent on separate occasions and by different employees. The incidents involved mailing lists of over 50 data subjects, which differed in each instance. As a result of the failure to BCC, the names, surnames and email addresses of several data subjects, as well as their status as ‘family and guardians’, were disclosed to unauthorized third parties. Because some email addresses featured a corporate domain, the disclosure in some cases permitted inference of the organization to which data subjects belong.
In response to the complaints, the DPA initiated an investigation. In its defense brief, the controller stated that the lack of BCC had been caused by human error and a breach of internal procedures, as the usual operation according to distributed employee instructions was to BCC email addresses. The controller also stated that it carried out periodic trainings in data protection. With regard to the creation of mailing lists, it stated that family members voluntarily provided their electronic address information at the beginning of service.
After the investigation had already been initiated, the DPA received additional complaints against the controller for the same breach of personal data via emails sent without BCC. In response to these complaints, the DPA initiated a disciplinary procedure against the controller on 3 October 2023 for violating Article 5(1)(f) GDPR.
Holding
On 1 January 2024, the investigator for the Catalan DPA proposed a fine of € 3000 for the controller’s infringement of Article 5(1)(f) GDPR’s principle of confidentiality.
On 16 January 2024, the controller submitted a letter acknowledging its responsibility for the acts and stated that it had made a voluntary payment advance of € 1800.
In assessing the adequacy of the sanction, the DPA considered the responsibility of the controller for the emails. The DPA considered that, even where human error in breach of company policy occurs, the responsibility for lack of diligence of personnel must be answered by the controller. The DPA also took into account mitigation and security measures taken by the controller, including continued training efforts and a new protocol introducing warnings where a large number of non-corporate emails are included in an email. Based on these considerations, the DPA concluded that a sanction of € 3000 was appropriate.
In accordance with Article 85(3) of the LPAC, the DPA noted that where a controller has acknowledged responsibility or made the voluntary payment of a pecuniary penalty, a reduction of 20% to the penalty is appropriate. Where both are done, a 40% reduction is warranted. In this case the controller both acknowledged its responsibility and paid a 60% advance of the total penalty. The DPA thus considered that the penalty should be reduced 40% to € 1800, which the controller had paid.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
File identification Resolution of sanctioning procedure no. PS 57/2023, referring to Eulen, Services Sociosanitarios, SA Background 1. On 18/02/2023, the Catalan Data Protection Authority received a complaint against Eulen, Servicios sociosanitarios, SA (from now on, Eulen), with reason of an alleged breach of the regulations on the protection of personal data. In concretely, the reporting person (henceforth, reporting person A) stated that, in date 06/17/2022, Eulen, concessionaire that manages the Llar residence and Centre Ocupacional Torremar (from now on, Torremar), "has published my email address email to a whole distribution list made up of about 50 email addresses open electronic, so that everyone on this list has received them everyone's email addresses.” Complainant A provided a copy of an electronic message sent on the day 06/17/2022, at 3:50 p.m., by (...), from the email address (...). This message it was sent to a plurality of electronic addresses, including his, without being used the blind copy option (BCC). In the aforementioned email, the addresses electronics were mostly identified in a first term with the name and an o two surnames of the recipient, followed by the full email address. For as for the body of the message, it was addressed to "familias y tutelas" and contained a short text of informative about the centre's range of activities. This complaint was assigned complaint number IP 95/2023. 2. Also on 02/18/2023, the Authority received another complaint against Eulen, due to an alleged breach of data protection regulations personal Specifically, the reporting person (henceforth, reporting person B) exhibited: — That "The residence and CO Torremar (...) has transferred management to the company Eulen Sociosanitarios (...) has published and disseminated my email address, to one plurality of recipients included in a distribution list." — That "At no time have I authorized either the Generalitat de Catalunya, or the concessionaire of the Eulen management to publish, issue or disseminate any personal data to third parties." The reporting person provided a copy of the same electronic message mentioned in the antecedent 1. This complaint was assigned complaint number IP 96/2023. 3. On 05/05/2023 and 05/10/2023, the Spanish Data Protection Agency (AEPD) will transfer to this Authority two complaints with subjective identity with the IP complaint 95/2023, in which the reporting person A set out, for what is of interest here: 1/16 — That "Eulen Sociosanitarios, has sent communications by email to one plurality of more than 50 different recipients without hidden copy, so that spread the email account of all these people.” — That "the distribution list of the 3 emails that have been detected are different, the which implies that there is no single official distribution list that contains all of them relatives and guardian entities of the people residing in Torremar but not se have created different distribution lists without any type of control (…).” — That "The different mails have been sent by different workers from Eulen, lo que quiere decir, that it has not been the product of a one-off error by a trabajador but that Eulen's workers do not have adequate training and/or that they do not exist technical and organizational measures necessary to guarantee the security of data processing.” — That "Two of the distribution lists have more than 50 email accounts and the other has more than 60 email accounts; therefore, the number of people affected is considerable.” — That "(...) the email accounts that have been published or disseminated are from people who they have disabled relatives in said residence and that, therefore, can be done a disabled person's family email account association (…)." — That "(...) in all distribution lists numbers and surnames are shown and, a then the number of the email account, a clear association is produced number and surnames - email account (…).” The reporting person A provided a copy of the same electronic message mentioned in a the antecedent 1. 4. On 05/05/2023, the AEPD sent the Authority a new complaint against Eulen, due to an alleged breach of data protection regulations personal Specifically, the reporting person (henceforth, reporting person C), set out the same facts that the reporting person A had indicated in his complaints and that have been reproduced in the precedent 3. The reporting person C provided a copy of the same electronic message mentioned in a the antecedent 1 and, in addition, other messages that are related below: — Message sent on 10/23/2020, at 9:54 a.m., by (...) to a plurality of addresses electronic, without using the CCO option, including that of the reporting person. Many of these e-mail addresses contain the first and last names or surnames of its holders and a corporate domain, which in some cases allows to infer the organization to which they belong (fundaciosantaclara, cataloniafundacio, latutela, somfundacio, aspanin, kibuk). This message is signed by (...), addressed to "families" and contains information related to the use of the Zoom platform. — Message sent on 5/11/2021, at 9:33 a.m., by (...) to a plurality of addresses electronic, without making use of the CCO option, including that of the person 2/16 complainant. Some of these electronic addresses contain the first and last name of its owners and a corporate domain (segurosdkw, fundaciosantaclara, cataloniafundacio, latutela, somfundacio, aspanin, kibuk). This message is signed by him (...), is addressed to "families and guardianship entities" and contains information about menus of the month of november This complaint was assigned complaint number IP 242/2023. 5. In relation to complaint no. IP 96/2023, on 08/05/2023 the AEPD sent a other complaint against Eulen, in which the complainant B presented identical facts that the person denouncing A in his complaints before the AEPD and which have been reproduced in the antecedent 3. 6. In relation to complaint no. IP 242/2023, on 05/10/2023 had entry to the Authority another complaint against Eulen, due to an alleged breach of the regulations on personal data protection. Specifically, the complainant C presented, for what is of interest here: — That Eulen “sent e-mail communications to a plurality of more than 50 recipients on different occasions and on different distribution lists without copying hidden, so the email account of all of them has been broadcast people and in some emails, including the first and last name.” — That "(...) the distribution list of the 3 emails that have been detected are different, something which implies that there is no single "official" distribution list that contains all the relatives and guardian entities of the people residing in Torremar but who have left creating different distribution lists without any control.” — That "(...) have detected these shipments in the years 2020, 2021 and 2022 which is a very broad period of time. (...) This wide period of time shows that it was not a one-off incident and that the workers did not have the adequate training on the protection of personal data and/or there is none no protocol or organizational measure to protect that data.” — That "The different emails have been sent by different company personnel Eulen, which means that it was not the product of a one-off error by a worker but that Eulen's workers do not have the appropriate training and/or that there is none technical and organizational measures necessary to guarantee the security of the treatment of the data.” — That “Two of the distribution lists have more than 50 email accounts and the other has more than 60 mail accounts; therefore, the number of people affected is considerable.” — That "The context in which the postal items are located must be taken into account, one residence and occupational center for disabled people, so that the Email accounts that have been published or disseminated are from people who have family members disabled in this residence and that, therefore, an association of disabled person's family email account (...)." 3/16 — That "In this case, the creator of the distribution lists, in addition, has added first and last names and then the name of the mail account and the extension that identifies it the entity, company or group to which it belongs. Thus, the accounts of mail from different entities and corporations, e.g. you can see mails from the Catalonia Foundation, of La Tutela, We are Foundation, Generalitat de Catalunya, the College Barcelona Lawyers, Aspanin, etc. It produces a clear and dangerous association between first and last name_email account_entity or collective to which it belongs, fact that without doubt is much more serious because different data have been published together that can facilitate the identification of a person or the creation of a specific profile. This denotes (...) the lack of adequate training of the people who created each of the lists of distribution.” The reporting person C provided a copy of the same electronic messages described in the antecedent 4. 7. Also on 05/10/2023, the Authority received five more complaints against Eulen, due to an alleged breach of data protection regulations personal Specifically, whistleblowers (henceforth, whistleblowers D, E, F, G and H) highlighted the same facts and in the same terms as they have reproduced in antecedent 6 and provided a copy of the same electronic messages described in the antecedent 4. These complaints were assigned the numbers IP 246/2023, IP 247/2023, IP 249/2023, IP 252/2023 and IP 253/2023. 8. On 14/06/2023, complainant A expanded his previous complaint (IP 95/2023) against Eulen through a letter in which he set out: — That “there has been a new mailing without a blind copy to a new list of distribution, from a new Eulen email account and with the signature of (...).” — That "(...) it is important that an audit be carried out at Eulen mercantile on the compliance with each and every one of the requirements and conditions regarding data protection of a personal nature to the residents and their families." On this occasion, the complainant provided a copy of an electronic message sent on 05/31/2023, at 12:57 p.m., by (...), from the electronic address (...), to a plurality of emails without using the BCC option. In this message electronic, two addresses were identified in a first term with the name and one or two surnames of the recipient and, then, the full email address. In regard for the rest of the recipients, there was only the email address, which in the majority of cases was composed of initials and a full surname. As for the body of the message, was addressed to "families" and contained a short informative text about the center menus. 9. On 14/06/2023, the Catalan Data Protection Authority received a new complaint against Eulen, due to an alleged breach of the regulations on personal data protection. The reporting person (henceforth, person complainant I) stated that "on several occasions they have sent emails to relatives and 4/16 guardianship entities where they have not hidden the recipients' emails (...).” The reporting person provided copies of the following electronic messages — some of which had already been presented together with the previous complaints—, in which no the BCC option had been used and that they were addressed to numerous electronic addresses, among which was that of the reporting person I: — Message sent on 11/06/2019, at 1:20 p.m., from the account (...), with the matter "Informative newsletter Torremar Vol. 7.” — Message sent on 09/23/2021, at 1:34 p.m., from the account (...), with the matter "resumption of two external activities C.O Torremar." — Message sent on 05/11/2021, at 9:33 a.m., from the account (...), with the subject "Menu November 2021." — Message sent on 06/17/2022, at 3:50 p.m., from the account (...), with the matter "Comunicado Centro Ocupacional Torremar." — Message sent on 08/01/2023, at 12:30 p.m., from the account (...), with the subject "Torremar contact phone number - 08/01 and 01/09." — Message sent on 05/31/2023, at 12:57 p.m., from the account (...), with the subject "June Menus." This complaint was assigned complaint number IP 313/2023. 10. Given the previous complaints, the Authority initiated a preliminary investigation to determine if the facts were likely to motivate the initiation of a disciplinary procedure, yes with what is foreseen in article 7 of Decree 278/1993, of November 9, on the sanctioning procedure for application to areas of competence of the Generalitat, i article 55.2 of Law 39/2015, of October 1, on the common administrative procedure of public administrations (LPAC). In this information phase, on 03/07/2023 the reported entity was required to report the reasons why the CCO option was not used in the shipment of the mentioned electronic messages. He was also asked how many lists of distribution had and the reason why the email address of some users is related to it with their first and last names, so that they appear visible. Finally, it was requested to Eulen if there was any protocol or instruction on the use of e-mail and if there was any Torremar staff trained in data protection. 11. On 07/18/2023, Eulen responded to the request with a letter in which he explained, in summary, the following: — Which "provides the Home-Residence and Occupational Center Management Service for people with intellectual disabilities "Torremar" since October 2017. Acting, in this case, como encargado del tratamiento [according to the contract formalized with the 5/16 Department of Work, Social Affairs and Families, currently Department of Rights Social]." — That "The volume of emails sent to families is approximately 30 monthly mails”. — That "(...) the sending of e-mails to the family distribution group has been caused by a 'human error - breach of internal procedures', since it has been verified that the usual operation is to use a shipment with CCO." — That, with regard to the management of distribution lists, "the Directorate of Residence nos convey that there are no more distribution lists." — That, with regard to the creation and modification of distribution lists, "the mailers family members' electronic files are provided, voluntarily, at the beginning of the provision of the service (…) for effective communication with them.” — That they have an "instruction on security measures to comply with the regulations for the protection of personal data in which the measures of minimum security that must be applied in any support, computer device or software from any of the companies that are part of the Eulen Group where it is store personal data." — That [in the previous instruction] it is specifically detailed that “If you are going to send a mail electronically to several recipients at the same time, the hidden copy (CCO) will be used.” — That, based on the aforementioned instruction, "to facilitate compliance with the instruction in the services, especially in the socio-sanitary, was created (...) one guide with a more accessible format. This guide was sent to the socio-sanitary centers last October 10, 2022.” — That, with regard to the training provided in the field of data protection to staff d'Eulen, carries out "periodically, trainings and awareness actions in this matter." It then lists various formations and campaigns of awareness carried out by the company. — That "it is perfectly certified that Eulen Servicios Sociosanitarios, S.A. has acted with due diligence applying the measures, both technical and organizational, necessary to avoid the exposure of personal data. (…) me client [Eulen] has worked diligently so that this type of case does not return to happen." The reported entity attached the following documentation to the letter: — Copy of electronic messages that have been the subject of a complaint. — A sample of several electronic messages sent with the BCC option. — The instruction "Safety measures for compliance with the regulations of protection of personal data". This instruction contains a specific dedicated section 6/16 to the use of e-mail in which, among other indications, it appears "If it is sent an email to several recipients at the same time, the blind copy (BCC) will be used.” — The "Guide to technical and organizational measures for the protection of information", la which also contains instructions in the same sense as the previous one regarding shipping of electronic messages to various recipients. In addition, in the same guide it is indicated that "is obligatory and has a binding character with respect to the relationship contract with the worker (...).” — The Eulen Group's "Personal Data Protection Decalogue". — The “Corporate policy for the protection of personal data.” — The document "Good practices for the use of collaborative tools." — The document "Confidentiality in the treatment of personal data." — Various certificates and information relating to training in data protection and cyber security performed by Eulen. — Copy of a thread of electronic messages addressed to several people, including managers and managers of socio-health services, on "The importance of the confidentiality in the treatment of personal data." — Agenda of the “Reunión Directors Residencias GG-DI y CD”, of 11/24/2022, according to which, among other matters, it was about “Documentos protección de data." 12. On 14/08/2023, 16/08/2023 and 01/09/2023, they had access to the Catalan Authority of Data Protection three new complaints against Eulen, on the grounds of a presumptive non-compliance with the regulations on personal data protection. Specifically, the complainants (henceforth complainants J, K and L) set out the facts in terms analogous to what has been exposed in the 6th precedent and provided a copy of the same messages electronics described in the preceding 4. These complaints were assigned complaint numbers IP 413/2023, 414/2023 and 416/2023. 13. On 03/10/2023, the director of the Catalan Data Protection Authority agree to start a disciplinary procedure against Eulen, Servicios Sociosanitarios, SA for an alleged violation provided for in article 83.5.a, in relation to article 5.1.f, all those of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of this data (RGPD). This initiation agreement was notified to the imputed entity on 10/16/2023. 14. In the initiation agreement, the imputed entity was granted a period of 10 working days to formulate allegations and propose the practice of tests that it considers convenient for defend their interests. 7/1615. On 10/30/2023, Eulen filed objections to the initiation agreement, which are addressed in section 2 of the fundamentals of law. 16. On 02/01/2024, the person instructing this procedure formulated a resolution proposal, by which it was proposed that the director of the Catalan Authority of Data Protection imposed on Eulen, Servicios Sociosanitarios, SA a fine of 3,000 euros, as responsible for an infringement provided for in article 83.5.a in relation with article 5.1.f, all of them of the RGPD. This resolution proposal was notified on 08/01/2024 and a deadline was granted of 10 days to formulate allegations. 17. On 01/16/2024, the accused entity submitted a letter in which it acknowledges its responsibility for the alleged acts and states that he has made the voluntary payment advance of the pecuniary sanction that the instructing person proposed. Along with the letter, the accused entity provided a copy of the bank transfer made on 15/01/2024, through which he paid in advance in the amount of 1,800 euros (one thousand eight hundred euros), corresponding to the monetary penalty proposed by the instructing person in the resolution proposal, once the reductions have been applied provided for in article 85 of Law 39/2015. proven facts Eulen, Servicios Sociosanitarios, SA sent six emails from several corporate accounts to fifty electronic addresses, linked to relatives and guardians of users of the Torremar Home-residence and Occupational Center, without making use of the hidden copy tool. The e-mails mentioned were sent on the dates 23/10/2020, 23/09/2021, 05/11/2021, 17/06/2022, 08/01/2023 and 31/05/2023. With shipping of these messages, the reported entity disseminated the following information to the recipients of the other recipients: the email address and, in some cases, the first and last name and the institution with which they have some connection, data easily deducible from the domain corporate of certain recipient addresses. Fundamentals of law 1. The provisions of the LPAC and article 15 of the Decree apply to this procedure 278/1993, according to the provisions of DT 2a of Law 32/2010, of October 1, of the Catalan Data Protection Authority. In accordance with articles 5 and 8 of the Law 32/2010, the resolution of the sanctioning procedure corresponds to the Director of the Authority Catalan Data Protection Authority. 2. In accordance with article 85.3 of the LPAC, both the recognition of responsibility and the advanced voluntary payment of the proposed monetary penalty entails the application of single reductions of 20% of the amount of the penalty, cumulative with each other. The effectiveness of these reductions is conditional on the withdrawal or renunciation of any action or administrative appeal against the sanction. For both cases, sections 1 and 2 of article 85 of the LPAC provide for the termination of the procedure. 8/16 Although it presented allegations in the initiation agreement, the accused entity has not submitted allegations to the proposed resolution, since both options have been accepted for reduce the amount of the penalty. However, it is considered appropriate to reiterate below the most relevant to the reasoned response that the instructing person gave to the allegations before the initiation agreement. 2.1. About the shipment being due to human error and about the lack of responsibility of the entity In its statement of objections to the initiation agreement, the accused entity set out, among other things: — That "It has been certified that Eulen Servicios Sociosanitarios S.A. sent six emails, from various corporate accounts, addressed to relatives and guardians of users of the Residencia Torremar, without making use of the functionality of hidden copy (CCO).” — That "From the analysis of the aforementioned incident, the Data Protection and Privacy Office of the EULEN Group and the Data Protection representative concluded that there was it was caused by a human error caused by the non-compliance of them internal procedures. (…)”. — That "Since Eulen Servicios Sociosanitarios has been aware of the facts that are imputed to him, as a result of the requirement relating to the previous information phase that the APDCAT made the entity on July 3, 2023, the workers of the Residencia Torremar, applying due diligence, have not sent an email again electronically without using the hidden copy." — That "the concurrence of these concrete and punctual human errors must be put to rest." in relation to the principle of culpability that governs in penal matters", en connection with the provisions of article 28 of Law 40/2015, of October 1, on the regime legal of the public sector, which states that "They can only be sanctioned for facts physical and legal persons, (...) that constitute an administrative infraction responsible for those by way of grief or guilt.” As the instructor explained in the proposed resolution, it is necessary to start from the premise that the entity recognized the commission of the alleged acts. In this sense, the allegations formulated did not tend to distort the reality of the events that motivated the initiation of the procedure nor the legal qualification established in the initiation agreement, but that focused on rebutting the responsibility of the reported entity, with the argument that the six Controversial emails were sent due to human error by staff at the residence The Court has recently ruled on the culpability of legal entities National which, in its judgment of 16/10/2023, analyzes precisely this issue in a case of violation of data protection regulations: "The Constitutional Court has repeatedly declared that the principles of order penal, among which there is the one of culpability, are applicable, con ciertos nuances, to the sanctioning administrative law, to be both manifestations of the 9/16 punitive order of the State (STC 18/1987, 150/1991), and that does not fit in the administrative sanctioning scope the objective responsibility or without fault, in which virtue excludes the possibility of imposing sanctions for the mere result, sin prove a minimum of culpability even for mere negligence (SSTC 76/1990 y 164/2005). The principle of guilt, guaranteed by article 25 of the Constitution, limits the exercise of the State's ius puniendi and demands, as referred to by the Constitutional Court in the sentence 129/2003, of June 20, that the imposition of the sanction is sustained in the requirement of the subjective element of guilt, to guarantee the principle of responsibility and the right to a sanctioning procedure with all guarantees (STS of March 1, 2012, Rec 1298/2009). According to Law 40/2015, art 27, they only constitute administrative infractions violations of the legal system provided as such infractions by law. And the art. 28 of the same that can only be sanctioned by constitutive acts of administrative infraction those responsible for them, even as simple non-observance Obviously, this assumes that said responsibility can only be demanded for tort or guilt, being banished from the scope of law administrative sanctioning the so-called "objective responsibility", and understanding the I blame imprudence, negligence. However, the mode of attribution of responsibility to legal persons is not known corresponds to the willful or imprudent forms of culpability that are imputable to human behavior. So that, in the case of infractions committed by legal persons, although the element of culpability must be met, this is it necessarily applies in a different way to how it is done with respect to people physical According to STC 246/1991 "(...) this construction differs from the imputability of the authorship of the infringement to the legal person is born from the very nature of fiction legal to which these subjects respond. They lack the volitional element in sense strict, but not the ability to infringe the rules to which they are subject. Ability to infringe and, therefore, direct reprehensibility that derives from the good legal protected by the rule that is infringed and the need for said protection be really effective and for the risk that, consequently, the person must assume legal that is subject to compliance with said rule "(in this sense STS of 24 November 2011, Rec 258/2009).” In the case analyzed here it is clear that the shipments of the controversial mails — the which occurred, not just once in a timely and isolated manner, but on six occasions— they were the result of a lack of diligence on the part of Eulen's staff. The same entity recognizes this circumstance, when it states that "as a result of the requirement relative to the phase of previous information that the APDCAT made to the entity on July 3, 2023, los workers of the Residencia Torremar, applying due diligence, have not returned to send an email without using the hidden copy”; and this lack of diligence of its staff must be answered by the accused entity. To all of the above we must add that the liability regime provided for in the data protection regulations, specifically a Article 70 of Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (LOPDGDD), falls, among other subjects, on the responsible for the treatment. 10/16 2.2. With regard to the measures that the organization has taken to prevent them from being reproduced facts Regarding this, the imputed entity alleged the following in its statement of allegations a the initiation agreement: — That "(...) we want to highlight, in addition to the security measures that were already in place mentioned in the information request phase, new measures of seguridad que se están teniendo en cuenta or are going to be implemented as a result of the incident To avoid human errors and guarantee the confidentiality of data personal (...) it has been decided to bet on the implementation of a tool of communication for those services in which the sending of is necessary communications to different groups." — That "The Data Protection Office, for its part, will continue with its campaigns of awareness and training in the field of data protection, making it special emphasis on the importance of guaranteeing the confidentiality of the data.” — That "Equally, we are working with the TIC Area of the Eulen Group for the implementation of new security measures, such as introducing warnings in cases where a large number of non-corporate mails are included include them in blind copy.” With the previous allegations, the reported entity showed that it had implemented certain security measures in order to avoid events like those that have gave rise to this sanctioning procedure and that, moreover, he was working for implement new measures for this purpose. With regard to this allegation, it should be noted that no penalty is imposed in this procedure the lack of implementation of security measures, but the fact that the data confidentiality. This obligation is provided for in articles 5.1.f of the RGPD and 5 of the LOPDGDD and has a different content from the obligations described in articles 25 and 32 of the RGPD, linked to security measures. In other words, it is one thing the obligation of the person responsible or in charge of the treatment to implement the measures relevant technical and organizational measures to avoid loss, destruction or damage accidental loss of the data, or its unauthorized or illegal treatment; and another the duty of confidentiality incumbent on those in charge, those in charge and all the people who provide service in their organizations, in relation to the subject data treatment. Therefore, there may be a violation of the confidentiality of the data, as is the case that concerns us here, regardless of whether the person in charge or in charge of the treatment have implemented appropriate security measures. This Authority positively values Eulen promoting new measures to prevent the facts occur again, but these actions do not affect the declared facts proven in this procedure, nor its legal qualification. It is an undisputed fact that on the dates 23/10/2020, 23/09/2021, 05/11/2021, 17/06/2022, 08/01/2023 and 31/05/2023, personnel in Eulen's service sent a total of six electronic messages to a plurality of people, without using the hidden copy tool; in this way he spread the data of the other recipients, as indicated in the proven facts. 2.3. About the type of data contained in the electronic messages 11/16 In relation to the content of electronic messages regarding personal data, the accused entity set out the following in its statement of objections to the initiation agreement: — That “(…) These are emails that contain generic information without expose personal data, beyond email addresses of the group of recipients to whom the messages were directed.” — That "The data affected are listed as basic: only they have I expose data related to the e-mails of those interested. Among them, around 35% are corporate emails and sometimes several of them they are linked to a single user. (…).” — That "(...) the number-surname association to the email address is not part of it Eulen Servicios Sociosanitarios, but they are the users of said mail electronic quienes, voluntarily when creating and configuring their account, associate the email to the user, including number, last name or any other data." — That "(...) the electronic mails did not contain personal data, beyond email addresses." In accordance with the above, Eulen alleged that with the sending of the electronic messages without making use of the bcc option only the address data was disseminated electronic address of the recipients, since the other data (name, surname, etc.) them associated these people with their email account at the time of the his creation As evidenced by the instructor in the resolution proposal, it must be taken into account that, regardless of who the people who created the electronic accounts in their moment they had been linked to other personal data, this does not detract from the imputed fact, since this data was disseminated to third party users through sending electronic messages without using the blind copy option. 2.4. About the concurrent circumstances In relation to sending the six electronic messages without using the copy option hidden, the accused entity alleged: — That "It should be noted that the number of emails that have sent to families and representatives without the hidden copy functionality implies a very small volume in relation to the total number of mails sent since the beginning of the management of the Residence (seven years have passed since the award (...) the number of emails sent without hidden copy is minimal in relation to the emails sent since the start of the service, being clearly visible that it was an error on time." — That "There has been no intention in the sending of the electronic mails (...)." — That "Eulen Servicios Sociosanitarios has not been previously sanctioned, by no control authority for breaches of data protection.” 12/16 — That "The existence of no damage or prejudice to persons has been verified affected (…).” The entity related here a series of circumstances that could have an impact at the time to graduate the amount of the penalty; but it cannot be questioned, as has already been said, that sending mail without using the bcc option resulted in processing of data, which violated the principle of confidentiality of the personal data of the affected people The analysis on the imposition of a financial penalty, as well as the attenuated and aggravating factors that concur in this case, is made in the basis of law 4. 3. In relation to the facts described in the proven facts section, relating to the sending of electronic messages without using the hidden copy option, you must go to article 5.1.f of the RGPD, which provides for the following: "1. The personal data will be: (...) f) processed in such a way that adequate security is guaranteed to them personal data, including the protection against unauthorized treatment or unlawful and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality")". This principle of integrity and confidentiality provided for by the RGPD must be supplemented with the duty of confidentiality contained in article 5 of the LOPDGDD, which establishes the next: "Article 5. Duty of confidentiality 1. Those responsible and in charge of data processing as well as all the people who intervene in any phase of this are subject to the duty of confidentiality referred to in article 5.1.f) of the Regulation (EU) 2016/679. 2. The general obligation indicated in the previous section is complementary to those duties of professional secrecy in accordance with the applicable regulations. 3. The obligations established in the previous sections still remain that has ended the relationship of the obligee with the person responsible or in charge of treatment". During the processing of this procedure, the fact described in the facts section has been proven proven, which is constitutive of the offense provided for in article 83.5.a of the RGPD, which typifies as such the violation of the "principios básicos para el tratamiento (...)", among which confidentiality comes first. The conduct addressed here has been included as a very serious infraction in article 72.1.i of the LOPDGDD), as follows: "i) The violation of the duty of confidentiality established in article 5 of this Organic Law." 13/164. By not fitting Eulen, Servicios Sociosanitarios, SA in any of the subjects provided for article 77.1 of the LOPDGDD, results from the application of the general sanctioning regime provided for in article 83 of the RGPD. Article 83.5 of the RGPD establishes that the infractions provided for therein are sanctioned with an administrative fine of 20,000,000 euros at most, or if it is a company, of an amount equivalent to a maximum of 4% of the total annual business volume total of the previous financial year, and you must opt for the higher amount. Having said that, the amount of the administrative fine to be imposed must be determined. According to the provisions of article 83.2 of the RGPD, and also in accordance with the principle of proportionality enshrined in article 29 of Law 40/2015, as indicated by the instructor in the proposed resolution, a penalty of 3,000 euros (three thousand euros) should be imposed. This quantification of the fine is based on the weighting between the aggravating criteria and attenuators indicated below. As mitigating criteria, the following causes concur, some of them invoked by the accused entity: — Lack of intentionality (art. 83.2.b RGPD). — The degree of responsibility of the person in charge or of the person in charge of the treatment, having in account of the technical or organizational measures that have been applied by virtue of what articles 25 and 32 of the RGPD (art. 83.2.d RGPD) provide. — The category of personal data affected by the infringement, given that it is not special category data (art. 83.2 g RGPD). — It is not recorded that profits have been obtained as a result of the commission of the infringement (art. 83.2.k RGPD and art. 76.2.c LOPDGDD). It must be said that some of the circumstances alleged by Eulen cannot be taken into account consideration as mitigating factors. Like this: — That no damage has been proven to the affected people. May they not be accredited does not imply that they have not occurred or that they may not occur in the future. From fact, the leakage of personal data does not cease to cause damage to the affected person, to a greater or lesser extent. The possibility that some of the recipients of the disputed mails use these addresses for others purposes, possibility directly proportional to the number of recipients (approx fifty), with the consequent inconvenience and damage that this could have for the affected people Thus, this circumstance cannot be taken into account as a mitigating, but not as aggravating either. — That it is an isolated event, limited to the sending of six emails. Not this one either circumstance can be taken into account as mitigating. As has been said, it cannot be considered an isolated event when the shipment occurred on six different occasions and by people different workers 14/16 — That the entity has not been previously sanctioned. Nor this circumstance can be considered a mitigating factor, since it is an obligation of the entities subject to the data protection regulations comply with their obligations. On the contrary, as aggravating criteria, the following elements must be taken into account: — The number of people affected (art. 83.2.a of the RGPD and 76.2.a of the LOPDGDD). — The link between the activity of the offender and the practice of data processing personal (art. 76.2.a LOPDGDD). 5. On the other hand, in accordance with article 85.3 of the LPAC and as stated in the agreement of initiation, if before the resolution of the sanctioning procedure the imputed entity acknowledges his responsibility or makes the voluntary payment of the pecuniary penalty, as appropriate apply a 20% reduction on the amount of the provisionally quantified penalty. Yes the two cases mentioned coincide, the reduction is applied cumulatively (40%). As has been advanced, the effectiveness of the aforementioned reductions is conditional on withdrawal or the renunciation of any action or appeal through the administrative route against the sanction (art. 85.3 LPAC, in fine). Well, as indicated in the antecedents, by means of a letter dated 01/16/2024 the entity accused has acknowledged his responsibility. Likewise, on the same date he paid in advance 1,800 euros (one thousand eight hundred euros), corresponding to the amount of the penalty resulting once the cumulative reduction of 40% has been applied. 6. Given the findings of the violations provided for in article 83 of the RGPD in relation to treatments of private ownership, article 21.3 of Law 32/2010, of October 1, of the Catalan Data Protection Authority authorizes the Director of the Authority so that the resolution that declares the infringement establishes the appropriate measures so that it ceases or ceases correct the effects. However, in this case no measure should be required for cease or correct the effects of the infringement, given that it is a matter of facts already accomplished and taken care of, also, that the entity has implemented measures aimed at preventing events such as that have led to the initiation of this sanctioning procedure occur again. resolution For all this, I resolve: 1. To impose on Eulen, Servicios Sociosanitarios, SA the sanction consisting of a fine of 3,000 euros (three thousand euros), as responsible for an infringement provided for in article 83.5.a in relation to article 5.1.f, both of the RGPD. It is not necessary to require measures to correct the effects of the infringement, in accordance with what has been exposed to the legal basis 6. 2. Declare that Eulen, Servicios Sociosanitarios, SA has effected the advanced payment of 1,800 euros (one thousand eight hundred euros), which corresponds to the total amount of the penalty imposed, 15/16 once the percentage of deduction of 40% corresponding to the reductions has been applied provided for in article 85 of the LPAC. 3. Notify this resolution to Eulen, Servicios Sociosanitarios, SA. 4. Order that this resolution be published on the Authority's website (apdcat.gencat.cat), from in accordance with article 17 of Law 32/2010, of October 1. Against this resolution, which puts an end to the administrative process in accordance with articles 26.2 of Law 32/2010 and 14.3 of Decree 48/2003, of February 20, which approves the Statute of the Catalan Data Protection Agency, with discretion the imputed entity can file an appeal before the director of the Catalan Protection Authority Data, within one month from the day after its notification, according to with what is provided for in article 123 et seq. of Law 39/2015. It can also be interposed directly an administrative contentious appeal before the administrative contentious courts of Barcelona, within two months from the day after yours notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of July 13, regulating of the administrative contentious jurisdiction. If the imputed entity expresses to the Authority its intention to file a contentious appeal administrative against the administratively firm resolution, the resolution will be suspended precautionary in the terms provided for in article 90.3 of the LPAC. Likewise, the accused entity can file any other appeal it deems appropriate to defend their interests. The director 16/16