APDCAT (Catalonia) - PS 57/2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color= |DPAlogo=Apdcat-logo.png |DPA_Abbrevation=APDCAT |DPA_With_Country=APDCAT (Catalonia) |Case_Number_Name=PS 57/2023 |ECLI= |Original_Source_Name_1=Autoritat Catalana de Protecció de Dades |Original_Source_Link_1=https://apdcat.gencat.cat/web/.content/Resolucio/Resolucions_Cercador/Resolucions/Documents/ca_ps_2023_057.pdf |Original_Source_Language_1=Catalan, Valencian |Original_Source_Language__Code_1=CA |Original_Sou...")
 
Line 63: Line 63:
}}
}}


The DPA fined a controller € 3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational center without using the blind copy option.
The DPA fined a controller €3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational center without using the blind copy option.


== English Summary ==
== English Summary ==

Revision as of 13:56, 17 April 2024

APDCAT - PS 57/2023
Apdcat-logo.png
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Artículo 85, Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas (LPAC)
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.01.2024
Published:
Fine: 3000
Parties: Eulen, Servicios sociosanitarios SA
National Case Number/Name: PS 57/2023
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Catalan, Valencian
Original Source: Autoritat Catalana de Protecció de Dades (in CA)
Initial Contributor: lm

The DPA fined a controller €3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational center without using the blind copy option.

English Summary

Facts

On 18 February 2023, 5 May 2023, 8 May 2023, 10 May 2023 and 14 June 2023, the Catalan DPA received a number of complaints against Eulen, Servicios sociosanitarios SA (the controller), an occupational center for people with disabilities. The complaints claimed that on six occasions, employees of the controller sent several emails to the family and guardians of patients without using the blind copy option (BCC).

The emails were sent on separate occasions and by different employees. The incidents involved mailing lists of over 50 data subjects, which differed in each instance. As a result of the failure to BCC, the names, surnames and email addresses of several data subjects, as well as their status as ‘family and guardians’, were disclosed to unauthorized third parties. Because some email addresses featured a corporate domain, the disclosure in some cases permitted inference of the organization to which data subjects belong.

In response to the complaints, the DPA initiated an investigation. In its defense brief, the controller stated that the lack of BCC had been caused by human error and a breach of internal procedures, as the usual operation according to distributed employee instructions was to BCC email addresses. The controller also stated that it carried out periodic trainings in data protection. With regard to the creation of mailing lists, it stated that family members voluntarily provided their electronic address information at the beginning of service.

After the investigation had already been initiated, the DPA received additional complaints against the controller for the same breach of personal data via emails sent without BCC. In response to these complaints, the DPA initiated a disciplinary procedure against the controller on 3 October 2023 for violating Article 5(1)(f) GDPR.

Holding

On 1 January 2024, the investigator for the Catalan DPA proposed a fine of € 3000 for the controller’s infringement of Article 5(1)(f) GDPR’s principle of confidentiality.

On 16 January 2024, the controller submitted a letter acknowledging its responsibility for the acts and stated that it had made a voluntary payment advance of € 1800.

In assessing the adequacy of the sanction, the DPA considered the responsibility of the controller for the emails. The DPA considered that, even where human error in breach of company policy occurs, the responsibility for lack of diligence of personnel must be answered by the controller. The DPA also took into account mitigation and security measures taken by the controller, including continued training efforts and a new protocol introducing warnings where a large number of non-corporate emails are included in an email. Based on these considerations, the DPA concluded that a sanction of € 3000 was appropriate.

In accordance with Article 85(3) of the LPAC, the DPA noted that where a controller has acknowledged responsibility or made the voluntary payment of a pecuniary penalty, a reduction of 20% to the penalty is appropriate. Where both are done, a 40% reduction is warranted. In this case the controller both acknowledged its responsibility and paid a 60% advance of the total penalty. The DPA thus considered that the penalty should be reduced 40% to € 1800, which the controller had paid.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.

File identification

Resolution of sanctioning procedure no. PS 57/2023, referring to Eulen, Services

Sociosanitarios, SA


Background

1. On 18/02/2023, the Catalan Data Protection Authority received a
   complaint against Eulen, Servicios sociosanitarios, SA (from now on, Eulen), with reason

   of an alleged breach of the regulations on the protection of personal data. In
   concretely, the reporting person (henceforth, reporting person A) stated that, in
   date 06/17/2022, Eulen, concessionaire that manages the Llar residence and Centre
   Ocupacional Torremar (from now on, Torremar), "has published my email address
   email to a whole distribution list made up of about 50 email addresses
   open electronic, so that everyone on this list has received them
   everyone's email addresses.”


   Complainant A provided a copy of an electronic message sent on the day
   06/17/2022, at 3:50 p.m., by (...), from the email address (...). This message
   it was sent to a plurality of electronic addresses, including his, without being used
   the blind copy option (BCC). In the aforementioned email, the addresses
   electronics were mostly identified in a first term with the name and an o
   two surnames of the recipient, followed by the full email address. For

   as for the body of the message, it was addressed to "familias y tutelas" and contained a short text of
   informative about the centre's range of activities.

   This complaint was assigned complaint number IP 95/2023.

2. Also on 02/18/2023, the Authority received another complaint against Eulen,
   due to an alleged breach of data protection regulations

   personal Specifically, the reporting person (henceforth, reporting person B)
   exhibited:

   — That "The residence and CO Torremar (...) has transferred management to the company Eulen
      Sociosanitarios (...) has published and disseminated my email address, to one
      plurality of recipients included in a distribution list."


   — That "At no time have I authorized either the Generalitat de Catalunya, or the
      concessionaire of the Eulen management to publish, issue or disseminate any personal data
      to third parties."

   The reporting person provided a copy of the same electronic message mentioned in
   the antecedent 1.


   This complaint was assigned complaint number IP 96/2023.

3. On 05/05/2023 and 05/10/2023, the Spanish Data Protection Agency (AEPD) will
   transfer to this Authority two complaints with subjective identity with the IP complaint
   95/2023, in which the reporting person A set out, for what is of interest here:

                                                                                            1/16 — That "Eulen Sociosanitarios, has sent communications by email to one
      plurality of more than 50 different recipients without hidden copy, so that

      spread the email account of all these people.”

   — That "the distribution list of the 3 emails that have been detected are different, the
      which implies that there is no single official distribution list that contains all of them
      relatives and guardian entities of the people residing in Torremar but not se
      have created different distribution lists without any type of control (…).”


   — That "The different mails have been sent by different workers from Eulen, lo
      que quiere decir, that it has not been the product of a one-off error by a trabajador but
      that Eulen's workers do not have adequate training and/or that they do not exist
      technical and organizational measures necessary to guarantee the security of
      data processing.”

   — That "Two of the distribution lists have more than 50 email accounts and the other

      has more than 60 email accounts; therefore, the number of people affected is
      considerable.”

   — That "(...) the email accounts that have been published or disseminated are from people who
      they have disabled relatives in said residence and that, therefore, can be done
      a disabled person's family email account association (…)."


   — That "(...) in all distribution lists numbers and surnames are shown and, a
      then the number of the email account, a clear association is produced
      number and surnames - email account (…).”

   The reporting person A provided a copy of the same electronic message mentioned in a
   the antecedent 1.


4. On 05/05/2023, the AEPD sent the Authority a new complaint against Eulen,
   due to an alleged breach of data protection regulations
   personal Specifically, the reporting person (henceforth, reporting person C),
   set out the same facts that the reporting person A had indicated in his
   complaints and that have been reproduced in the precedent 3.

   The reporting person C provided a copy of the same electronic message mentioned in a

   the antecedent 1 and, in addition, other messages that are related below:

   — Message sent on 10/23/2020, at 9:54 a.m., by (...) to a plurality of addresses
      electronic, without using the CCO option, including that of the reporting person.
      Many of these e-mail addresses contain the first and last names or surnames
      of its holders and a corporate domain, which in some cases allows to infer
      the organization to which they belong (fundaciosantaclara, cataloniafundacio, latutela,

      somfundacio, aspanin, kibuk). This message is signed by (...), addressed to "families" and
      contains information related to the use of the Zoom platform.

   — Message sent on 5/11/2021, at 9:33 a.m., by (...) to a plurality of addresses
      electronic, without making use of the CCO option, including that of the person

                                                                                             2/16 complainant. Some of these electronic addresses contain the first and last name
      of its owners and a corporate domain (segurosdkw, fundaciosantaclara,
      cataloniafundacio, latutela, somfundacio, aspanin, kibuk). This message is signed by him

      (...), is addressed to "families and guardianship entities" and contains information about menus of the
      month of november

   This complaint was assigned complaint number IP 242/2023.

5. In relation to complaint no. IP 96/2023, on 08/05/2023 the AEPD sent a
   other complaint against Eulen, in which the complainant B presented identical facts that

   the person denouncing A in his complaints before the AEPD and which have been reproduced in
   the antecedent 3.

6. In relation to complaint no. IP 242/2023, on 05/10/2023 had entry to
   the Authority another complaint against Eulen, due to an alleged breach of the
   regulations on personal data protection. Specifically, the complainant C
   presented, for what is of interest here:


   — That Eulen “sent e-mail communications to a plurality of more than
      50 recipients on different occasions and on different distribution lists without copying
      hidden, so the email account of all of them has been broadcast
      people and in some emails, including the first and last name.”

   — That "(...) the distribution list of the 3 emails that have been detected are different, something

      which implies that there is no single "official" distribution list that contains all the
      relatives and guardian entities of the people residing in Torremar but who have left
      creating different distribution lists without any control.”

   — That "(...) have detected these shipments in the years 2020, 2021 and 2022 which is a
      very broad period of time. (...) This wide period of time shows
      that it was not a one-off incident and that the workers did not have the

      adequate training on the protection of personal data and/or there is none
      no protocol or organizational measure to protect that data.”

   — That "The different emails have been sent by different company personnel
      Eulen, which means that it was not the product of a one-off error by a worker
      but that Eulen's workers do not have the appropriate training and/or that there is none
      technical and organizational measures necessary to guarantee the security of the treatment

      of the data.”

   — That “Two of the distribution lists have more than 50 email accounts and the other has
      more than 60 mail accounts; therefore, the number of people affected is
      considerable.”

   — That "The context in which the postal items are located must be taken into account, one

      residence and occupational center for disabled people, so that the
      Email accounts that have been published or disseminated are from people who have family members
      disabled in this residence and that, therefore, an association of
      disabled person's family email account (...)."


                                                                                            3/16 — That "In this case, the creator of the distribution lists, in addition, has added
      first and last names and then the name of the mail account and the extension that identifies it
      the entity, company or group to which it belongs. Thus, the accounts of

      mail from different entities and corporations, e.g. you can see mails from the
      Catalonia Foundation, of La Tutela, We are Foundation, Generalitat de Catalunya, the College
      Barcelona Lawyers, Aspanin, etc. It produces a clear and dangerous association
      between first and last name_email account_entity or collective to which it belongs, fact that without
      doubt is much more serious because different data have been published together that can facilitate
      the identification of a person or the creation of a specific profile. This denotes (...) the
      lack of adequate training of the people who created each of the lists

      of distribution.”

   The reporting person C provided a copy of the same electronic messages described in
   the antecedent 4.

7. Also on 05/10/2023, the Authority received five more complaints against
   Eulen, due to an alleged breach of data protection regulations

   personal Specifically, whistleblowers (henceforth, whistleblowers
   D, E, F, G and H) highlighted the same facts and in the same terms as they have
   reproduced in antecedent 6 and provided a copy of the same electronic messages described
   in the antecedent 4.

   These complaints were assigned the numbers IP 246/2023, IP 247/2023, IP 249/2023,
   IP 252/2023 and IP 253/2023.


8. On 14/06/2023, complainant A expanded his previous complaint (IP
   95/2023) against Eulen through a letter in which he set out:

   — That “there has been a new mailing without a blind copy to a new list of
      distribution, from a new Eulen email account and with the signature of (...).”


   — That "(...) it is important that an audit be carried out at Eulen mercantile on the
      compliance with each and every one of the requirements and conditions regarding data protection
      of a personal nature to the residents and their families."

   On this occasion, the complainant provided a copy of an electronic message sent
   on 05/31/2023, at 12:57 p.m., by (...), from the electronic address (...), to a
   plurality of emails without using the BCC option. In this message

   electronic, two addresses were identified in a first term with the name and one or two
   surnames of the recipient and, then, the full email address. In regard
   for the rest of the recipients, there was only the email address, which in the majority of
   cases was composed of initials and a full surname. As for the body of the
   message, was addressed to "families" and contained a short informative text about
   the center menus.


9. On 14/06/2023, the Catalan Data Protection Authority received a
   new complaint against Eulen, due to an alleged breach of the regulations
   on personal data protection. The reporting person (henceforth, person
   complainant I) stated that "on several occasions they have sent emails to relatives and


                                                                                             4/16 guardianship entities where they have not hidden the recipients' emails
   (...).”


   The reporting person provided copies of the following electronic messages — some
   of which had already been presented together with the previous complaints—, in which no
   the BCC option had been used and that they were addressed to numerous electronic addresses,
   among which was that of the reporting person I:

   — Message sent on 11/06/2019, at 1:20 p.m., from the account (...), with
      the matter "Informative newsletter Torremar Vol. 7.”


   — Message sent on 09/23/2021, at 1:34 p.m., from the account (...), with
      the matter "resumption of two external activities C.O Torremar."

   — Message sent on 05/11/2021, at 9:33 a.m., from the account (...), with
      the subject "Menu November 2021."


   — Message sent on 06/17/2022, at 3:50 p.m., from the account (...), with
      the matter "Comunicado Centro Ocupacional Torremar."

   — Message sent on 08/01/2023, at 12:30 p.m., from the account (...), with
      the subject "Torremar contact phone number - 08/01 and 01/09."

   — Message sent on 05/31/2023, at 12:57 p.m., from the account (...), with

      the subject "June Menus."

   This complaint was assigned complaint number IP 313/2023.

10. Given the previous complaints, the Authority initiated a preliminary investigation to determine
   if the facts were likely to motivate the initiation of a disciplinary procedure, yes
   with what is foreseen in article 7 of Decree 278/1993, of November 9, on the

   sanctioning procedure for application to areas of competence of the Generalitat, i
   article 55.2 of Law 39/2015, of October 1, on the common administrative procedure of
   public administrations (LPAC).

   In this information phase, on 03/07/2023 the reported entity was required
   to report the reasons why the CCO option was not used in the shipment
   of the mentioned electronic messages. He was also asked how many lists of

   distribution had and the reason why the email address of some users is related to it
   with their first and last names, so that they appear visible. Finally, it was requested
   to Eulen if there was any protocol or instruction on the use of e-mail and if there was any
   Torremar staff trained in data protection.

11. On 07/18/2023, Eulen responded to the request with a letter in which he explained,
   in summary, the following:


   — Which "provides the Home-Residence and Occupational Center Management Service for
      people with intellectual disabilities "Torremar" since October 2017. Acting,
      in this case, como encargado del tratamiento [according to the contract formalized with the


                                                                                            5/16 Department of Work, Social Affairs and Families, currently Department of Rights
   Social]."


— That "The volume of emails sent to families is
   approximately 30 monthly mails”.

— That "(...) the sending of e-mails to the family distribution group
   has been caused by a 'human error - breach of internal procedures',
   since it has been verified that the usual operation is to use a shipment with CCO."


— That, with regard to the management of distribution lists, "the Directorate of Residence nos
   convey that there are no more distribution lists."

— That, with regard to the creation and modification of distribution lists, "the mailers
   family members' electronic files are provided, voluntarily, at the beginning of the
   provision of the service (…) for effective communication with them.”


— That they have an "instruction on security measures to comply with the
   regulations for the protection of personal data in which the measures of
   minimum security that must be applied in any support, computer device
   or software from any of the companies that are part of the Eulen Group where it is
   store personal data."

— That [in the previous instruction] it is specifically detailed that “If you are going to send a mail

   electronically to several recipients at the same time, the hidden copy (CCO) will be used.”

— That, based on the aforementioned instruction, "to facilitate compliance with the
   instruction in the services, especially in the socio-sanitary, was created (...) one
   guide with a more accessible format. This guide was sent to the socio-sanitary centers
   last October 10, 2022.”


— That, with regard to the training provided in the field of data protection to staff
   d'Eulen, carries out "periodically, trainings and awareness actions in
   this matter." It then lists various formations and campaigns of
   awareness carried out by the company.

— That "it is perfectly certified that Eulen Servicios Sociosanitarios, S.A. has
   acted with due diligence applying the measures, both technical and

   organizational, necessary to avoid the exposure of personal data. (…) me
   client [Eulen] has worked diligently so that this type of case does not return
   to happen."

The reported entity attached the following documentation to the letter:

— Copy of electronic messages that have been the subject of a complaint.


— A sample of several electronic messages sent with the BCC option.

— The instruction "Safety measures for compliance with the regulations of
   protection of personal data". This instruction contains a specific dedicated section

                                                                                        6/16 to the use of e-mail in which, among other indications, it appears "If it is sent
      an email to several recipients at the same time, the blind copy (BCC) will be used.”


   — The "Guide to technical and organizational measures for the protection of information", la
      which also contains instructions in the same sense as the previous one regarding shipping
      of electronic messages to various recipients. In addition, in the same guide it is indicated
      that "is obligatory and has a binding character with respect to the relationship
      contract with the worker (...).”

   — The Eulen Group's "Personal Data Protection Decalogue".


   — The “Corporate policy for the protection of personal data.”

   — The document "Good practices for the use of collaborative tools."

   — The document "Confidentiality in the treatment of personal data."


   — Various certificates and information relating to training in data protection and
      cyber security performed by Eulen.

   — Copy of a thread of electronic messages addressed to several people, including
      managers and managers of socio-health services, on "The importance of the
      confidentiality in the treatment of personal data."


   — Agenda of the “Reunión Directors Residencias GG-DI y CD”, of 11/24/2022,
      according to which, among other matters, it was about “Documentos protección de
      data."

12. On 14/08/2023, 16/08/2023 and 01/09/2023, they had access to the Catalan Authority
   of Data Protection three new complaints against Eulen, on the grounds of a presumptive
   non-compliance with the regulations on personal data protection. Specifically, the

   complainants (henceforth complainants J, K and L) set out the facts in terms
   analogous to what has been exposed in the 6th precedent and provided a copy of the same messages
   electronics described in the preceding 4.

   These complaints were assigned complaint numbers IP 413/2023, 414/2023 and
   416/2023.


13. On 03/10/2023, the director of the Catalan Data Protection Authority
   agree to start a disciplinary procedure against Eulen, Servicios Sociosanitarios, SA
   for an alleged violation provided for in article 83.5.a, in relation to article 5.1.f, all
   those of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27,
   regarding the protection of natural persons with regard to the processing of personal data
   and the free circulation of this data (RGPD). This initiation agreement was notified to
   the imputed entity on 10/16/2023.


14. In the initiation agreement, the imputed entity was granted a period of 10 working days to
   formulate allegations and propose the practice of tests that it considers convenient for
   defend their interests.


                                                                                             7/1615. On 10/30/2023, Eulen filed objections to the initiation agreement, which are addressed in
   section 2 of the fundamentals of law.


16. On 02/01/2024, the person instructing this procedure formulated a
   resolution proposal, by which it was proposed that the director of the Catalan Authority of
   Data Protection imposed on Eulen, Servicios Sociosanitarios, SA a fine

   of 3,000 euros, as responsible for an infringement provided for in article 83.5.a in relation
   with article 5.1.f, all of them of the RGPD.

   This resolution proposal was notified on 08/01/2024 and a deadline was granted
   of 10 days to formulate allegations.

17. On 01/16/2024, the accused entity submitted a letter in which it acknowledges its

   responsibility for the alleged acts and states that he has made the voluntary payment
   advance of the pecuniary sanction that the instructing person proposed.

   Along with the letter, the accused entity provided a copy of the bank transfer
   made on 15/01/2024, through which he paid in advance in the amount of
   1,800 euros (one thousand eight hundred euros), corresponding to the monetary penalty proposed by the
   instructing person in the resolution proposal, once the reductions have been applied

   provided for in article 85 of Law 39/2015.


proven facts

Eulen, Servicios Sociosanitarios, SA sent six emails from several
corporate accounts to fifty electronic addresses, linked to relatives and guardians of

users of the Torremar Home-residence and Occupational Center, without making use of
the hidden copy tool. The e-mails mentioned were sent on the dates
23/10/2020, 23/09/2021, 05/11/2021, 17/06/2022, 08/01/2023 and 31/05/2023. With shipping
of these messages, the reported entity disseminated the following information to the recipients
of the other recipients: the email address and, in some cases, the first and last name and the
institution with which they have some connection, data easily deducible from the domain
corporate of certain recipient addresses.



Fundamentals of law

1. The provisions of the LPAC and article 15 of the Decree apply to this procedure
   278/1993, according to the provisions of DT 2a of Law 32/2010, of October 1, of
   the Catalan Data Protection Authority. In accordance with articles 5 and 8 of the Law

   32/2010, the resolution of the sanctioning procedure corresponds to the Director of the Authority
   Catalan Data Protection Authority.

2. In accordance with article 85.3 of the LPAC, both the recognition of responsibility and
   the advanced voluntary payment of the proposed monetary penalty entails the application of
   single reductions of 20% of the amount of the penalty, cumulative with each other. The effectiveness
   of these reductions is conditional on the withdrawal or renunciation of any action

   or administrative appeal against the sanction. For both cases, sections 1 and 2
   of article 85 of the LPAC provide for the termination of the procedure.
                                                                                             8/16 Although it presented allegations in the initiation agreement, the accused entity has not
submitted allegations to the proposed resolution, since both options have been accepted for

reduce the amount of the penalty. However, it is considered appropriate to reiterate below the most
relevant to the reasoned response that the instructing person gave to the allegations
before the initiation agreement.

 2.1. About the shipment being due to human error and about the lack of
         responsibility of the entity


In its statement of objections to the initiation agreement, the accused entity set out, among
other things:

— That "It has been certified that Eulen Servicios Sociosanitarios S.A. sent six
   emails, from various corporate accounts, addressed to relatives and guardians
   of users of the Residencia Torremar, without making use of the functionality of
   hidden copy (CCO).”


— That "From the analysis of the aforementioned incident, the Data Protection and Privacy Office
   of the EULEN Group and the Data Protection representative concluded that there was
   it was caused by a human error caused by the non-compliance of them
   internal procedures. (…)”.

— That "Since Eulen Servicios Sociosanitarios has been aware of the facts
   that are imputed to him, as a result of the requirement relating to the previous information phase that

   the APDCAT made the entity on July 3, 2023, the workers of the
   Residencia Torremar, applying due diligence, have not sent an email again
   electronically without using the hidden copy."

— That "the concurrence of these concrete and punctual human errors must be put to rest."
   in relation to the principle of culpability that governs in penal matters", en
   connection with the provisions of article 28 of Law 40/2015, of October 1, on the regime
   legal of the public sector, which states that "They can only be sanctioned for facts

   physical and legal persons, (...) that constitute an administrative infraction
   responsible for those by way of grief or guilt.”

As the instructor explained in the proposed resolution, it is necessary to start from the premise that
the entity recognized the commission of the alleged acts. In this sense, the allegations
formulated did not tend to distort the reality of the events that motivated the initiation of the
procedure nor the legal qualification established in the initiation agreement, but that

focused on rebutting the responsibility of the reported entity, with the argument that the six
Controversial emails were sent due to human error by staff at the
residence

The Court has recently ruled on the culpability of legal entities
National which, in its judgment of 16/10/2023, analyzes precisely this issue
in a case of violation of data protection regulations:


   "The Constitutional Court has repeatedly declared that the principles of order
   penal, among which there is the one of culpability, are applicable, con ciertos
   nuances, to the sanctioning administrative law, to be both manifestations of the
                                                                                           9/16 punitive order of the State (STC 18/1987, 150/1991), and that does not fit in the
   administrative sanctioning scope the objective responsibility or without fault, in which
   virtue excludes the possibility of imposing sanctions for the mere result, sin

   prove a minimum of culpability even for mere negligence (SSTC 76/1990 y
   164/2005).

   The principle of guilt, guaranteed by article 25 of the Constitution, limits the
   exercise of the State's ius puniendi and demands, as referred to by the Constitutional Court in
   the sentence 129/2003, of June 20, that the imposition of the sanction is sustained in
   the requirement of the subjective element of guilt, to guarantee the principle of

   responsibility and the right to a sanctioning procedure with all guarantees
   (STS of March 1, 2012, Rec 1298/2009).

   According to Law 40/2015, art 27, they only constitute administrative infractions
   violations of the legal system provided as such infractions by law.
   And the art. 28 of the same that can only be sanctioned by constitutive acts of
   administrative infraction those responsible for them, even as simple

   non-observance Obviously, this assumes that said responsibility can only be
   demanded for tort or guilt, being banished from the scope of law
   administrative sanctioning the so-called "objective responsibility", and understanding the
   I blame imprudence, negligence.

   However, the mode of attribution of responsibility to legal persons is not known
   corresponds to the willful or imprudent forms of culpability that are imputable

   to human behavior. So that, in the case of infractions committed by
   legal persons, although the element of culpability must be met, this is
   it necessarily applies in a different way to how it is done with respect to people
   physical According to STC 246/1991 "(...) this construction differs from the imputability of
   the authorship of the infringement to the legal person is born from the very nature of fiction
   legal to which these subjects respond. They lack the volitional element in sense
   strict, but not the ability to infringe the rules to which they are subject.

   Ability to infringe and, therefore, direct reprehensibility that derives from the good
   legal protected by the rule that is infringed and the need for said protection
   be really effective and for the risk that, consequently, the person must assume
   legal that is subject to compliance with said rule "(in this sense STS of 24
   November 2011, Rec 258/2009).”

In the case analyzed here it is clear that the shipments of the controversial mails — the

which occurred, not just once in a timely and isolated manner, but on six occasions—
they were the result of a lack of diligence on the part of Eulen's staff. The same entity recognizes
this circumstance, when it states that "as a result of the requirement relative to the phase of
previous information that the APDCAT made to the entity on July 3, 2023, los
workers of the Residencia Torremar, applying due diligence, have not returned to
send an email without using the hidden copy”; and this lack of diligence
of its staff must be answered by the accused entity. To all of the above we must add that the

liability regime provided for in the data protection regulations, specifically a
Article 70 of Organic Law 3/2018, of December 5, on the protection of personal data
and guarantee of digital rights (LOPDGDD), falls, among other subjects, on the
responsible for the treatment.


                                                                                        10/16 2.2. With regard to the measures that the organization has taken to prevent them from being reproduced
        facts


Regarding this, the imputed entity alleged the following in its statement of allegations a
the initiation agreement:
— That "(...) we want to highlight, in addition to the security measures that were already in place

   mentioned in the information request phase, new measures of
   seguridad que se están teniendo en cuenta or are going to be implemented as a result of the
   incident To avoid human errors and guarantee the confidentiality of data
   personal (...) it has been decided to bet on the implementation of a tool of
   communication for those services in which the sending of is necessary
   communications to different groups."

— That "The Data Protection Office, for its part, will continue with its campaigns
   of awareness and training in the field of data protection, making it special
   emphasis on the importance of guaranteeing the confidentiality of the data.”

— That "Equally, we are working with the TIC Area of the Eulen Group for the
   implementation of new security measures, such as introducing warnings
   in cases where a large number of non-corporate mails are included
   include them in blind copy.”

With the previous allegations, the reported entity showed that it had
implemented certain security measures in order to avoid events like those that have
gave rise to this sanctioning procedure and that, moreover, he was working for
implement new measures for this purpose.


With regard to this allegation, it should be noted that no penalty is imposed in this procedure
the lack of implementation of security measures, but the fact that the
data confidentiality. This obligation is provided for in articles 5.1.f of the RGPD and
5 of the LOPDGDD and has a different content from the obligations described in articles 25 and 32
of the RGPD, linked to security measures. In other words, it is one thing
the obligation of the person responsible or in charge of the treatment to implement the measures

relevant technical and organizational measures to avoid loss, destruction or damage
accidental loss of the data, or its unauthorized or illegal treatment; and another the duty of
confidentiality incumbent on those in charge, those in charge and all the people who
provide service in their organizations, in relation to the subject data
treatment. Therefore, there may be a violation of the confidentiality of the data,
as is the case that concerns us here, regardless of whether the person in charge or in charge
of the treatment have implemented appropriate security measures.

This Authority positively values Eulen promoting new measures to prevent the
facts occur again, but these actions do not affect the declared facts proven in
this procedure, nor its legal qualification. It is an undisputed fact that

on the dates 23/10/2020, 23/09/2021, 05/11/2021, 17/06/2022, 08/01/2023 and 31/05/2023,
personnel in Eulen's service sent a total of six electronic messages to a plurality
of people, without using the hidden copy tool; in this way he spread the
data of the other recipients, as indicated in the proven facts.

 2.3. About the type of data contained in the electronic messages



                                                                                        11/16 In relation to the content of electronic messages regarding personal data,
the accused entity set out the following in its statement of objections to the initiation agreement:


— That “(…) These are emails that contain generic information without
   expose personal data, beyond email addresses
   of the group of recipients to whom the messages were directed.”

— That "The data affected are listed as basic: only they have
   I expose data related to the e-mails of those interested. Among them,
   around 35% are corporate emails and sometimes several of them
   they are linked to a single user. (…).”

— That "(...) the number-surname association to the email address is not part of it
   Eulen Servicios Sociosanitarios, but they are the users of said mail
   electronic quienes, voluntarily when creating and configuring their account, associate the
   email to the user, including number, last name or any other
   data."

— That "(...) the electronic mails did not contain personal data, beyond
   email addresses."

In accordance with the above, Eulen alleged that with the sending of the electronic messages
without making use of the bcc option only the address data was disseminated

electronic address of the recipients, since the other data (name, surname, etc.) them
associated these people with their email account at the time of the
his creation

As evidenced by the instructor in the resolution proposal, it must be taken into account that,
regardless of who the people who created the electronic accounts in their
moment they had been linked to other personal data, this does not detract from the imputed fact,

since this data was disseminated to third party users through
sending electronic messages without using the blind copy option.

 2.4. About the concurrent circumstances

In relation to sending the six electronic messages without using the copy option
hidden, the accused entity alleged:


— That "It should be noted that the number of emails that have
   sent to families and representatives without the hidden copy functionality implies a
   very small volume in relation to the total number of mails sent since the beginning
   of the management of the Residence (seven years have passed since the award (...)
   the number of emails sent without hidden copy is minimal in relation to the emails
   sent since the start of the service, being clearly visible that it was an error

   on time."

— That "There has been no intention in the sending of the electronic mails (...)."

— That "Eulen Servicios Sociosanitarios has not been previously sanctioned, by
   no control authority for breaches of data protection.”



                                                                                        12/16 — That "The existence of no damage or prejudice to persons has been verified
      affected (…).”


   The entity related here a series of circumstances that could have an impact at the time
   to graduate the amount of the penalty; but it cannot be questioned, as has already been said, that
   sending mail without using the bcc option resulted in processing
   of data, which violated the principle of confidentiality of the personal data of the
   affected people The analysis on the imposition of a financial penalty, as well as the
   attenuated and aggravating factors that concur in this case, is made in the basis of law 4.

3. In relation to the facts described in the proven facts section, relating to the sending of

   electronic messages without using the hidden copy option, you must go to article 5.1.f of
   the RGPD, which provides for the following:

        "1. The personal data will be:
        (...)
        f) processed in such a way that adequate security is guaranteed to them
        personal data, including the protection against unauthorized treatment or

        unlawful and against its loss, destruction or accidental damage, through the
        application of appropriate technical or organizational measures ("integrity and
        confidentiality")".

   This principle of integrity and confidentiality provided for by the RGPD must be supplemented with
   the duty of confidentiality contained in article 5 of the LOPDGDD, which establishes
   the next:


        "Article 5. Duty of confidentiality
        1. Those responsible and in charge of data processing as well as all the
        people who intervene in any phase of this are subject to the
        duty of confidentiality referred to in article 5.1.f) of the Regulation (EU)
        2016/679.
        2. The general obligation indicated in the previous section is complementary to those

        duties of professional secrecy in accordance with the applicable regulations.
        3. The obligations established in the previous sections still remain
        that has ended the relationship of the obligee with the person responsible or in charge of
        treatment".

   During the processing of this procedure, the fact described in the facts section has been proven
   proven, which is constitutive of the offense provided for in article 83.5.a of the RGPD, which typifies

   as such the violation of the "principios básicos para el tratamiento (...)", among which
   confidentiality comes first.

   The conduct addressed here has been included as a very serious infraction in article 72.1.i of
   the LOPDGDD), as follows:

        "i) The violation of the duty of confidentiality established in article 5

        of this Organic Law."




                                                                                              13/164. By not fitting Eulen, Servicios Sociosanitarios, SA in any of the subjects provided for
   article 77.1 of the LOPDGDD, results from the application of the general sanctioning regime provided for in
   article 83 of the RGPD.


   Article 83.5 of the RGPD establishes that the infractions provided for therein are sanctioned with
   an administrative fine of 20,000,000 euros at most, or if it is a
   company, of an amount equivalent to a maximum of 4% of the total annual business volume
   total of the previous financial year, and you must opt for the higher amount.

   Having said that, the amount of the administrative fine to be imposed must be determined.

   According to the provisions of article 83.2 of the RGPD, and also in accordance with the principle of
   proportionality enshrined in article 29 of Law 40/2015, as indicated by the instructor
   in the proposed resolution, a penalty of 3,000 euros (three thousand euros) should be imposed.
   This quantification of the fine is based on the weighting between the aggravating criteria and
   attenuators indicated below.

   As mitigating criteria, the following causes concur, some of them invoked by

   the accused entity:

    — Lack of intentionality (art. 83.2.b RGPD).

    — The degree of responsibility of the person in charge or of the person in charge of the treatment, having in
        account of the technical or organizational measures that have been applied by virtue of what
        articles 25 and 32 of the RGPD (art. 83.2.d RGPD) provide.

    — The category of personal data affected by the infringement, given that

        it is not special category data (art. 83.2 g RGPD).

    — It is not recorded that profits have been obtained as a result of the commission of the
        infringement (art. 83.2.k RGPD and art. 76.2.c LOPDGDD).

   It must be said that some of the circumstances alleged by Eulen cannot be taken into account
   consideration as mitigating factors. Like this:


   — That no damage has been proven to the affected people. May they not be
      accredited does not imply that they have not occurred or that they may not occur in the future. From
      fact, the leakage of personal data does not cease to cause damage to the affected person,
      to a greater or lesser extent. The possibility that some of the
      recipients of the disputed mails use these addresses for others
      purposes, possibility directly proportional to the number of recipients (approx
      fifty), with the consequent inconvenience and damage that this could have for the

      affected people Thus, this circumstance cannot be taken into account as a
      mitigating, but not as aggravating either.
   — That it is an isolated event, limited to the sending of six emails. Not this one either
      circumstance can be taken into account as mitigating. As has been said, it cannot be considered

      an isolated event when the shipment occurred on six different occasions and by people
      different workers




                                                                                           14/16 — That the entity has not been previously sanctioned. Nor this circumstance
      can be considered a mitigating factor, since it is an obligation of the entities subject to the
      data protection regulations comply with their obligations.


   On the contrary, as aggravating criteria, the following elements must be taken into account:

   — The number of people affected (art. 83.2.a of the RGPD and 76.2.a of the LOPDGDD).

   — The link between the activity of the offender and the practice of data processing
      personal (art. 76.2.a LOPDGDD).


5. On the other hand, in accordance with article 85.3 of the LPAC and as stated in the agreement
   of initiation, if before the resolution of the sanctioning procedure the imputed entity

   acknowledges his responsibility or makes the voluntary payment of the pecuniary penalty, as appropriate
   apply a 20% reduction on the amount of the provisionally quantified penalty. Yes
   the two cases mentioned coincide, the reduction is applied cumulatively (40%).

   As has been advanced, the effectiveness of the aforementioned reductions is conditional on
   withdrawal or the renunciation of any action or appeal through the administrative route against the
   sanction (art. 85.3 LPAC, in fine).


   Well, as indicated in the antecedents, by means of a letter dated 01/16/2024 the entity
   accused has acknowledged his responsibility. Likewise, on the same date he paid
   in advance 1,800 euros (one thousand eight hundred euros), corresponding to the amount of the
   penalty resulting once the cumulative reduction of 40% has been applied.

6. Given the findings of the violations provided for in article 83 of the RGPD in relation to

   treatments of private ownership, article 21.3 of Law 32/2010, of October 1, of
   the Catalan Data Protection Authority authorizes the Director of the Authority so that the
   resolution that declares the infringement establishes the appropriate measures so that it ceases or ceases
   correct the effects. However, in this case no measure should be required for
   cease or correct the effects of the infringement, given that it is a matter of facts already accomplished and taken care of,
   also, that the entity has implemented measures aimed at preventing events such as
   that have led to the initiation of this sanctioning procedure occur again.



resolution

For all this, I resolve:

1. To impose on Eulen, Servicios Sociosanitarios, SA the sanction consisting of a fine of

   3,000 euros (three thousand euros), as responsible for an infringement provided for in article 83.5.a
   in relation to article 5.1.f, both of the RGPD.

   It is not necessary to require measures to correct the effects of the infringement, in accordance with what
   has been exposed to the legal basis 6.

2. Declare that Eulen, Servicios Sociosanitarios, SA has effected the advanced payment of

   1,800 euros (one thousand eight hundred euros), which corresponds to the total amount of the penalty imposed,

                                                                                             15/16 once the percentage of deduction of 40% corresponding to the reductions has been applied
   provided for in article 85 of the LPAC.


3. Notify this resolution to Eulen, Servicios Sociosanitarios, SA.

4. Order that this resolution be published on the Authority's website (apdcat.gencat.cat), from
   in accordance with article 17 of Law 32/2010, of October 1.


Against this resolution, which puts an end to the administrative process in accordance with articles 26.2 of
Law 32/2010 and 14.3 of Decree 48/2003, of February 20, which approves the Statute of
the Catalan Data Protection Agency, with discretion the imputed entity can
file an appeal before the director of the Catalan Protection Authority
Data, within one month from the day after its notification, according to

with what is provided for in article 123 et seq. of Law 39/2015. It can also be interposed
directly an administrative contentious appeal before the administrative contentious courts
of Barcelona, within two months from the day after yours
notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of July 13, regulating
of the administrative contentious jurisdiction.


If the imputed entity expresses to the Authority its intention to file a contentious appeal
administrative against the administratively firm resolution, the resolution will be suspended
precautionary in the terms provided for in article 90.3 of the LPAC.


Likewise, the accused entity can file any other appeal it deems appropriate
to defend their interests.

The director


























                                                                                              16/16