AEPD (Spain) - EXP202205206
AEPD - EXP202205206 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 15.03.2022 |
Decided: | 07.02.2024 |
Published: | |
Fine: | 3,500,000 EUR |
Parties: | I-DE Redes Eléctricas Inteligentes, S.A.U. |
National Case Number/Name: | EXP202205206 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a controller € 3,500,000 after it failed to conduct an adequate risk assessment, overlooking avoidable security vulnerabilities that resulted in a data breach affecting 1,350,000 data subjects.
English Summary
Facts
On 15 March 2022, I-DE Redes Elécrticas Inteligentes, S.A.U. (the controller) detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. This is a web system in which several databases from companies within the Iberdrola group coexisted. At that point, the controller had yet to detect any effect on personal data.
The following day (16 March), a brute force attack was made against the same webpage, resulting in a general slowdown. The controller adopted security measures in order to repel the attack. The controller analysed the attack’s activity and concluded that it has extracted the personal data of 1.35 million clients. The breached data included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, the controller notified the breach to the AEPD.
Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In this context, the controller is Iberdrola’s energy distribution brand and states that it can only access the personal data of users of the electric service. The controller provided the AEPD with its annual form indicating compliance with obligations to separate activities filed with the relevant Spanish authorities. It thus claims that it does not have access to the data of data subjects managed by other distribution companies.
Despite this separation, the controller communicated the breach to other companies of the Iberdrola group on 28 March 2022, noting that it could have affected information referring to clients of these companies. The controller included internal codes corresponding to the affected clients so that the companies could verify if those clients’ data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients was affected, respectively. Due to the numerous companies affected, the AEPD initiated investigations into four entities.
The controller requested that its case be joined with the AEPD’s investigation of Iberdrola (EXP202305587). It noted that the attack on its GEA portal was the common security incident that prompted both cases. With regard to the data breach and its security measures, the controller stated that had adopted the totality of security measures established by Iberdrola. It also argued that there had been no harm to the data subjects as a result of the breach.
Holding
The AEPD found that the controller violated Articles 5(1)(f) and 32 GDPR, imposing a fine of € 3,500,000.
It began by rejecting the controller’s request for joinder, finding that even though there was a common security incident, the cases involve distinct breaches of different sets of personal data.
With regard to the violation of Article 32 GDPR, the AEPD considered that the vulnerability resulting in the data breach was foreseeable and avoidable. The controller failed to carry out an appropriate assessment of the risks of harms to data subjects that were inherent in its processing, and it did not account for risks to confidentiality, availability or integrity of the data. Furthermore, the AEPD noted that there were vulnerabilities in the portal that could have been detected prior to the cyberattack, including an inadequate password policy and a failure to limit access to the portal from suspicious IP addresses. The precise details of the vulnerabilities are redacted in the decision, but the AEPD notes that the shortcomings were exploited in the cyberattack and resulted in the breach. It further stated that the vulnerability could have been identified in security assessments, but that the controller had not conducted a security review of its critical applications since 2019 – over two years before the incident. Due to the shortcomings in security measures that resulted in oversights of the GEA portal’s vulnerabilities, the AEPD found the controller violated Article 32 GDPR.
The AEPD also found that the controller violated Article 5(1)(f) GDPR. It focused in particular on the failure to protect confidentiality of the personal data affected. In addition to lacking the security measures discussed above, the controller also did not have technical measures in place, such as pseudonymisation, that corresponded to the detail of the personal data it was regularly processing. The AEPD rejected the argument that none of the data subjects were adversely affected by the breach, emphasizing that the loss of confidentiality is, in of itself, a harm to the fundamental right to data protection and a violation of the principle of confidentiality.
Comment
The AEPD rejected the controller’s request for joinder, finding that even though there was a common security incident, the cases involve distinct breaches of different sets of personal data. Indeed, the cyberattack was significant not only because it accessed the controller’s database, but because it also accessed the databases of two other companies (Iberdrola Clientes and Curenergía Comercializador de Ultimo Recurso. The different databases are hosted on a system maintained by Iberdrola, which is thus in charge of all of them. As a result of this, there has been a separate sanctioning procedure against Iberdrola focusing on its responsibility as the entity in charge of the processing of Ibercli y Curenergía and exclusively for the breach of personal data that affected those two companies. In this sense, the AEPD concluded, the impact on personal data of clients hosted in databases other than the controller’s cannot be part of the sanctioning procedure, which is meant to examine the conduct specifically of the controller.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/88 File No.: EXP202205206 - RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following index BACKGROUND................................................. .................................................. .......3 FIRST................................................. .................................................. ...............3 SECOND................................................. .................................................. ..............4 THIRD................................................. .................................................. ...............4 ROOM................................................. .................................................. .................4 FIFTH................................................. .................................................. ..................4 SIXTH................................................. .................................................. ....................4 SEVENTH................................................. .................................................. ................5 EIGHTH................................................. .................................................. ..................5 Regulatory framework................................................ .................................................. ...5 Systems and database architecture. GEA Application.................................7 Regarding the chronology of the events. Actions taken in order to minimize adverse effects and measures adopted for their final resolution.....10 Regarding the causes that made the gap possible................................................13 Regarding the affected data................................................. ............................16 Regarding the treatment manager contract................................................... .18 Regarding security measures................................................... ....................18 Regarding communication to those affected................................................... ...........25 Information on the recurrence of these events and number of analogous events events over time.............................................. .......................................26 NINETH................................................. .................................................. ...............26 TENTH................................................. .................................................. ................26 ELEVENTH................................................ ...................................................27 TWELFTH................................................ ................................................29 THIRTEENTH................................................ ...................................................29 FOURTEENTH................................................ .................................................. .30 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/88 PROVEN FACTS................................................ ................................................30 FIRST: First notification of personal data breach...................................30 SECOND: Second notification of personal data breach...................................30 THIRD: Chronology of the attack................................................ ..................................31 FOURTH: About the GEA application.............................................. ................................33 FIFTH: Causes that made the gap possible................................................ ...........3. 4 SIXTH: Recommended measures................................................ ..................................36 SEVENTH: immediate measures after the breach................................................... ..............37 EIGHTH: security measures implemented prior to the incident......38 NINTH: Risk analysis of the treatment affected by the data breach personal................................................ .................................................. .............39 TENTH: Number of people affected and type of data affected...................................39 ELEVENTH: Communication to those affected................................................. .....40 LEGAL FUNDAMENTALS................................................. ...................................40 Competence................................................. .................................................. ........40 Previous questions................................................ .................................................. .40 Regarding the request for accumulation and the suspension of the deadline to formulate allegations................................................. .................................................. ...........41 Response to the allegations to the Startup Agreement................................................... ..........43 FIRST: ON THE ACCUMULATION OF PROCEDURES.................43 SECOND. – ABOUT THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN RELATIONSHIP WITH THE PROCESSING OF THIS FILE AND THE VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE TRUST AND LEGAL SECURITY................................................ .......................................44 THIRD.- ON THE ADDITIONAL AFFECTION OF THE PRINCIPLES OF THE SANCTIONAL LAW DERIVED FROM THE INTERPRETATION CARRIED OUT BY LAAEPD................................................... ...................................49 FOURTH.- ON THE ALLEGED VIOLATION BY I- OF THE ARTICLE 32 OF THE RGPD................................................. .................................................. ......57 FIFTH. – ON THE ALLEGED DELART INFRINGEMENT. 5.1.F) OF GDPR................................................. .................................................. ................63 Response to the allegations to the Proposed Resolution...................................................68 SECOND: About the previous acts of the AEPD and the violation of the principles of good faith, legitimate trust and legal certainty...................................69 THIRD: About the arguments supported by the Proposed Resolution to consider that bis in idem does not occur................................................. ..............74 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/88 FOURTH: On the application of the principles of the right to sanctions to activity of the AEPD and the concurrence of a media contest................................77 FIFTH: Regarding the lack of violation by I-DE of article 32 of the RGPD .................................................. .................................................. .........................82 SIXTH: Regarding the absence of violation of the principle of confidentiality and integrity................................................. .................................................. ...........92 SEVENTH: Regarding the violation of the principle of proportionality to the detriment of I-DE rights................................................ ................................................96 Integrity and confidentiality................................................ ...................................102 Classification of the violation of article 5.1.f) of the RGPD................................................... ..103 Penalty for violation of article 5.1.f) of the RGPD................................................. ......104 Article 32 of the GDPR................................................ ................................................105 Classification of the violation of article 32 of the RGPD................................................. ....110 Penalty for violation of article 32 of the RGPD................................................. .......111 BACKGROUND FIRST: On March 18, 2022, the Innovation Division was notified Technology of this Spanish Data Protection Agency (hereinafter AEPD or the Agency) a security breach of personal data sent by I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. with NIF A95075578 (hereinafter, I-DE) as responsible for the treatment, in which it informs this Agency of the following: On the afternoon of March 15, 2022, an attack was detected against the information management website. connections (GEA) of I-DE. (…). At this time, no condition has yet been identified. personal information. The next day, March 16, a brute force attack is detected directed against the same target (GEA) as the incident the previous day. It repels taking action. On March 17, GEA reopens and the activity record is analyzed and it is concluded that there has been extraction of personal data. It is indicated that the number affected is 4.5 million clients of this company. SECOND: On March 29, 2022, I-DE presents a new notification expanding the information on the security breach reported on the 18th of the same month, in which he indicates that, after the forensic analysis of the incident, the number of his clients whose data has been affected is 1.35 million and that the existence of affected data of clients of other companies of the Iberdrola group, since that the attacker could potentially have exceeded security conditions of the exclusive information of I-DE, jumping to ranges of information from other societies, which has already been transmitted to the Company's Systems management for a detailed analysis of other conditions in other companies or businesses of the Iberdrola group. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/88 Likewise, they indicate that the exact start date of the breach is March 7, 2022. and report that the breach has not yet been communicated to the affected people and which, at the latest, will be informed by March 31, 2022. Along with the notification, the following is provided: - Report “GEA cyber incident. Incident description and actions”, in which describes the attack suffered and also includes the text of the communication that will be sent to those affected. THIRD: dated March 29, 2022, CURENERGIA COMERCIALIZADOR DE ULTIMO RESOURCE SA, with N.I.F. A95554630 (hereinafter CURENERGÍA) presents security breach notification, in which it indicates that it was aware of it on 28 March 2022 that it has been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 1,550,000 of its clients, whom it has not yet informed but will do so no later than 03/31/2022. FOURTH: dated March 28, 2022, IBERDROLA CLIENTES, S.A., with N.I.F. A95758389 (hereinafter IBERCLI) presents notification of breach of security, in which it indicates that it has been aware on March 28, 2022 that has been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 85,000 of its clients, to whom has not yet reported but will do so no later than 03/31/2022. FIFTH: Since April 2, 2022, they have been presented to this Agency claims from clients affected by the security incident, which have been progressively admitted for processing from May 9, 2022. SIXTH: On April 6, 2022, IBERCLI presents an extension of the notification gap in which it reports that the people affected by it are 1,515,000 and that they have been informed of the same on March 31, 2022 by communication addressed personally to each affected person (postcard, email, SMS or similar). Along with the notification, the following is provided: - Report “Cyberattack incident 03/28/2022. Incident description and Actions" - Annex Communication to interested parties SEVENTH: On April 6, 2022, CURENERGÍA presents an extension of the breach notification in which it informs that the people affected by it are 92,550 and that they have been informed of the same on March 31, 2022 through communication addressed personally to each affected person (postal, email, SMS or similar). Along with the notification, the following is provided: - Report “Cyberattack incident 03/28/2022. Incident description and Actions" C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/88 - Annex Communication to interested parties EIGHTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: During these actions, the following entities have been investigated: - I-DE REDES ELECTRICAS INTELLIGENTES S.A. with NIF A95075578 (in forward, I-DE) - IBERDROLA S.A. with NIF A48010615 with address at C/ TOMAS REDONDO, 1 - 28033 MADRID (MADRID) (hereinafter IBERDROLA) - IBERDROLA CLIENTES S.A.U. with NIF A95758389 (hereinafter, IBERCLI) - CURENERGIA COMERCIALIZADOR DE ULTIMO RESURSO S.A. with NIF A95554630 (hereinafter, CURENERGIA) Regulatory framework - The regulations governing the electricity sector, Law 54/1997, of November 27, of the Electrical Sector, imposes an obligation of total separation between the regulated activities, such as distribution, and liberalized activities, such as marketing. - The right that consumers of electrical energy have to access and connection to the transportation and distribution networks of electrical energy in the Spanish territory is specifically included in Law 24/2013, of 26 December, from the Electrical Sector. Distribution companies and marketing companies are two differentiated entities in the field of the Electrical Sector. In this sense the Law 24/2013, of December 26, of the Electrical Sector defines them as subjects different. - In accordance with the regulation of the electrical sector, the consumer, to receive electricity at your home, you need to be the holder of two contracts differentiated in relation to their point of supply (CUPS): On the one hand, the energy purchase contract, “contract of supply”, which is signed between a consumer and a company electricity marketer. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/88 Although it is also possible that the consumer acquires the electricity directly on the market, without the need for marketer, is not typical of natural person clients but of large electricity consuming companies, indicate I-DE, IBERCLI and CURENERGÍA in their response. On the other hand, the network access or distribution or transportation contract, “ATR contract”, which the consumer signs with the intermediation as agent of the marketing company with which it has contracted the purchase of electrical energy. Although you can also subscribe directly with the owner company of the network, is not typical of natural person clients but of large electricity consuming companies, indicate I-DE, IBERCLI and CURENERGÍA in their response. - When a customer wants to contract electricity at a supply point or make any contractual modification, said client goes to a marketing company, who on behalf of the client and as his agent contracts on its behalf the ATR contract, access contract to the distribution. Any contractual modification requested by a marketer to a distributor is made through XML digital requests complying with the exchange formats between agents established by the National Commission of Markets and Competition (CNMC), by virtue of the Resolution of 20 December 2016, which approves the formats of the data files exchange of information between energy distributors and marketers electricity and natural gas, and Resolution of December 17, 2019, by which New formats for information exchange files are approved between distributors and marketers and the Resolution of 20 December is modified. December 2016. Taking into account the above: - I-DE, electricity distributor of the Iberdrola group, states that can only access the data of its clients, that is, users of the electrical service whose supply point is within the network whose management, as a distributor, corresponds to you and not to those managed by other distribution companies. In relation to the users of your network, you know the information of the marketer of each consumer as a consequence of the signature with him (or with the marketer as agent of the consumer) of the ATR contract. - I-DE indicates that it would not have the capacity to know any type of information related to those who, being clients of IBERCLI or CURENERGIA, electric energy marketers of the Iberdrola group in the free market and regulated market, respectively, were not of this distributor. Systems and database architecture. GEA application C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/88 (…) IBERDROLA indicates that the audit to verify the logical separation of the access to information by I-DE has its cause in what is established in the regulatory regulations of the electrical sector, which imposes an obligation of separation total between regulated activities, such as distribution, and liberalized activities, such as is marketing, so that distribution companies must prove the aforementioned separation. I-DE informs that, annually, it issues a report that is presented to the Ministry for the Ecological Transition and the Demographic Challenge (MITERD) and the National Commission of Markets and Competition (CNMC) to account for compliance with the obligations regarding separation of activities by the companies of the group formed by Iberdrola España and the companies in which it participates with regulated activities, that is, the company I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U., article 12.2 b) of the Electricity Sector Law and article 14 of the Code of separation of Activities of the Companies of the Iberdrola Spain Group with Regulated Activities (“CSA”) available on the Iberdrola Spain website, during exercise. (…) Regarding the chronology of the events. Actions taken in order to minimize the adverse effects and measures adopted for their final resolution. I-D states the following: - On March 15, in the afternoon, an attack was detected against the management website I-DE attacks, (GEA), the sequence of events being the following: (…) - On the morning of March 16, 2022, there is a general slowdown access to various Iberdrola group websites. (…) - Starting March 17, 2022: (…) As of the 17th, no suspicious traffic or impact has been observed in none of the Iberdrola group's internet service systems. From the analysis of the activity log of the GEA application of the last days it is concluded on March 17 that a exfiltration, between March 7 and 15, 2022, of approximately 4.5 million interested parties (natural persons). (…) On March 28, 2022, the Systems Directorate communicates to IBERCLI and CURENERGIA the existence of a security incident in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/88 the I-DE systems that could have affected the information referring to the clients of these companies and includes information regarding the internal customer codes of those affected, so that the companies verify whether data corresponding to Your clients. Information analyzed by IBERCLI and CURENERGIA verify that the security breach has affected personal data of clients of said companies. (…) - Likewise, I-DE states and certifies that since it became aware of the incident, the necessary actions were put into practice to, in coordination with affected organizations, comply with internal protocols established for this purpose and the applicable legislation, and which include the following Actions: Communication to INCIBE-CERT, National Institute of Cybersecurity in Spain, as a response team to security incidents Iberdrola reference computing. Communication to the Cybernetic Coordination Office, under the RDL 12/2018 on security of networks and information systems that refers the cybersecurity incident to the National Police for investigation, Communication to the National Center for Infrastructure Protection Criticisms under Law 08/2011 on Infrastructure Protection Critics. Presentation of a complaint to the National Police (Central Unit of Cybercrime) and the document presented by I-DE together with the same. Notification of the security breach to the AEPD and those affected. - In summary, the monitoring systems allowed the detection of a abnormal volume of traffic, a traffic analysis activity was launched greater detail and the immediate measures that were adopted were: (…) -IBERCLI and CURENERGIA state that the cessation of the incident occurred even before they were aware that it had affected personal data referring to its clients, resulting in said cessation of the additional security measures implemented by the Systems Directorate in the GEA application, aimed at preventing access to it from be exfiltrated by entering a random code information from the Database Data referring to clients of other Group entities. Regarding the causes that made the gap possible - (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/88 Regarding the affected data - Exfiltrated customer data (…): Name Last names Email Fax Telephone Address NIF/DNI Client Code (…). - (…) On March 28, 2022, the Systems Management notifies IBERCLI and CURENERGIA the existence of a security incident in the security systems I-DE that may have affected the information referring to the clients of these companies and includes information referring to internal customer codes of those affected, so that the companies verify if they have been able to see compromised data corresponding to their clients. IBERCLI and CURENERGÍA verify that the security breach has affected personal data of 1,515,000 and 92,550 clients, respectively. Regarding the data processor contract - The Group's Framework Agreement for the Protection of Personal Data is provided Iberdrola in which the scope of the provision of services to the Group companies carried out by IBERDROLA. This agreement has been updated in its Annex II, said update being pending formalization. Likewise, the Declaration of Acceptance of Iberdrola España S.A.U. is provided. of its adhesion to the Framework Agreement for the Protection of Personal Data of the Iberdrola Group, the aforementioned entity acting, in accordance with what is indicated in the second clause, in his own name and right and on behalf of the companies belonging to its corporate group over which it has direct or indirectly control, among which are I-DE, IBERCLI and CURENERGY. - IBERCLI and CURENERGIA provide a copy of the record of the activities of processing of personal data corresponding to the affected treatments through the gap: (…) - IBERDROLA provides a copy of the records of the treatment activities corresponding to the treatments “Support and Maintenance of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/88 IT Infrastructures” and “Application Development (SWF)”, which is carried out in your status as the person in charge of the treatment, with respect to various treatments of the Group companies, among which are those affected by the security breach. Regarding security measures Regarding the risk analysis carried out on the treatment activity that has been suffered the security breach before the breach occurred: - IBERDROLA states in a response letter that the Iberdrola Group has adopted a risk analysis methodology for data processing personal data that is implemented in an automated way in the company itself. corporate tool for recording treatment activities, so that In the registration process itself, the risk level of the treatment is determined. - In the case of treatments for which IBERDROLA acts as person in charge of the treatment, points out that the methodology involves carrying out the risk analysis in relation to each of the treatments with respect to those for which IBERDROLA holds said condition, so that this analysis is developed by the entity responsible for the treatment in collaboration with IBERDROLA - For this reason, the result of the risk analysis related to the specific treatments ***TREATMENT.1 and ***TREATMENT.2 figure incorporated into the Records of Treatment Activities of I-DE and those of IBERCLI and CURENERGIA, their results having been communicated to IBERDROLA. (…) -Security measures implemented prior to the gap in treatments of data where it has occurred: I-DE, IBERCLI and CURENERGIA indicate in their responses that prior to the incident, the following common security measures were implemented to the IT infrastructure of the Iberdrola Group: - (…) Likewise, like IBERDROLA, they also describe the security measures specific to the GEA system: - (…) Measures adopted to avoid, as far as possible, incidents such as the one that occurred - With the data obtained from the cyberattack methodology, (...). Regarding communication to those affected C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/88 - I-DE informs the Systems Directorate, on March 28, 2022, that, of the information provided regarding the customer codes of those affected Due to the gap, only 1.34 million records correspond to I-DE clients. Likewise, it determines that it will proceed to communicate the security breach to the affected through the communication channels that I-DE maintains with the themselves. The communications were sent via email; to the clients whose email address was available to them, through the making several shipments between March 31 and April 12, 2022; and by postal mail to the rest between March 30 and April 7, 2022. - On March 28, 2022, the Systems Department notifies IBERCLI and CURENERGIA the existence of a security incident in the security systems I-DE that may have affected the information referring to the clients of these companies and includes information referring to internal customer codes of those affected, so that the companies verify if they have been able to see compromised data corresponding to their clients. IBERCLI and CURENERGÍA state that after analyzing the information by their respective systems teams verify that the security breach has affected data personal of 1,515,000 and 92,550 clients, respectively. Likewise, they resolve to notify those affected of the security breach. The notification to those affected was carried out, between March 31 and April 1, 2022, at the clients whose email address was available, by sending massive electronic communications; and by postal mail to the rest on the 4th and April 5, 2022. - The three companies provide the communication model sent to those affected and it is verified that it complies with what is specified in article 34 of the RGPD. Information on the recurrence of these events and number of analogous events events in time. IBERDROLA states that apart from the security incident that is the subject of this procedure, no other procedure of a similar nature has occurred. NINTH: The entity I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. it is a great company established in 2000, and with a turnover, according to AXESOR of ***QUANTITY.1 euros in the year 2021 and ***QUANTITY.2 euros in the year 2022. TENTH: On May 5, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against I-DE, in accordance with the provided in articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/88 The aforementioned Startup Agreement was notified in accordance with the rules established in the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). ELEVENTH: On May 24, 2023, I-DE presents a document by which requests the accumulation of this file with EXP202305587, as well as the suspension of the deadline for issuing allegations until it is resolved about this petition, stating the following: I-DE understands that the facts that serve as a basis for the exercise of power sanctioning that the Agency tries to exercise are or have a unique basis that affects the two sanctioning files that have been opened as differentiated, for which requests the accumulation of both sanctioning procedures when understanding that there is a necessary connectivity between them, that is, that it is a same situation that can result in the responsibility of both. Understand by I-DE that the terms of said responsibility, total, partial, at the level of author, collaborator or any other that comes from criminal references can only be appreciated if the procedure is analyzed as a whole. I-DE maintains that the lack of accumulation in the present case could imply a double imputation to two entities of the same facts, which the greater the many belong to the same business group, specifically the Iberdrola group of which IBERDROLA is the parent company. If both files are not consolidated, I-DE states that it would be impossible to determine which is the degree of responsibility of each of them, since the facts are would be analyzed separately and without assessing the supposed simultaneous action, in terms of responsibility, of the two entities against which both procedures are directed. In this way, a double imputation of the same facts to both entities without assessing whether or not it is shared or if the sanctioning reproach directed separately against both does not should be subject to reduction as a consequence of this supposed concurrence of responsibility. With this, it is limited, in the terms established in the jurisprudence constitutional that is reproduced below, the right to defend I-DE, by not be able to analyze the concurrent circumstances in the case in a unified way as consequence of the fragmentation caused by the opening of two procedures differentiated. I-DE understands that the budgets established in article 57 of the Law are met 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP) that justify the accumulation of the procedures, as well as the individualization of the relevance of their application to the present assumption: A) Existence of "intimate connection" or "substantial identity." I-DE points out that, in the present case, on March 18, 2022, a personal data security breach, initially reported by I-DE. Is this same security breach that determines the opening of this procedure C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/88 in which responsibility is attributed to i-DE, as well as that of the one that is intended accumulate with the present, open to elucidate the responsibility of IBERDROLA. I-DE indicates that connectivity, in the present case, derives, therefore, from the fact that It tries to purge responsibility of two legal entities, but for the same fact: It is the Agency itself that makes it clear that this is a single security breach and that on it is the one on which, where appropriate, the responsibilities will be based. subjective opinions of I-DE, in this procedure, and of IBERDROLA in the procedure whose accumulation is requested. Therefore, I-DE concludes that, since there are only a few facts for which responsibility to both i-DE and IBERDROLA, it is evident that it is necessary the joint assessment of them in order to determine if there is a joint or separate responsibility of both entities, as well as whether the responsibility would be by different title in both cases. B) That the processing and resolution of the procedure corresponds to the same body. I-DE points out that, together with the previous requirement, the LPACAP imposes respect for general principle of competence of the body that must issue the resolution, requirement which is fulfilled in the present case, given that the Law attributes the jurisdiction to the processing of both procedures to a single sanctioning body, so with accumulation is not lost or that competence is blurred as a consequence of the potential existence of different instructional bodies. In the opinion of I-DE, the essential effect of the accumulation of files is that all issues to be resolved must be examined in a single procedure and decided in a single final act that jointly assesses the responsibilities of all those involved. I-DE points out that the scheme that has just been analyzed has, without a doubt, characteristics special in the sanctioning area due to the structure itself and the value judgment that the itself encloses. He brings up several Rulings of the Constitutional Court to point out that the main principles and constitutional guarantees of the criminal order and criminal process must be observed, with certain nuances, in the administrative procedure sanctioning system such as the right to be informed of the accusation (SSTC 31/1986, 190/1987, 29/1989) and to use the relevant means of evidence for the defense (SSTC 2/1987, 190/1987 and 212/1990), as well as the right to the presumption of innocence (SSTC 13/1982, 36 and 37/1985, 42/1989, 76/1990 and 138/1990), rights fundamental, all of them that have been incorporated by the legislator into the regulations regulating the common administrative procedure. I-DE understands that the fragmentation of the procedure into two procedures separated substantially affects the determination and verification of the facts relevant in it, as well as the delimitation of the potential responsibilities that may correspond to the entities to which the procedures whose accumulation is requested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/88 Therefore, I-DE concludes that accumulation is a requirement of adequate instruction and the guarantee of the right of defense and that the separate processing of two disciplinary proceedings against two different legal entities for the same facts is detrimental to their interests. I-DE understands that the lack of accumulation in the present case could imply a double imputation to I-DE and IBERDROLA, as has been said, of the same facts, without the accumulation allowing us to elucidate what would be the degree of responsibility of each of them, since the facts would be analyzed separately and without entering to assess the alleged simultaneous action, in terms of responsibility, of the two entities against which both procedures are directed. Understands that maintaining the separation of procedures means in terms procedural a division of the cause that conditions the instructional action and of proposal because different instructions, evaluations and tests appear potentially different and, therefore, criteria that can be, equally, differentiated. For all the above, I-DE requests the accumulation of the two aforementioned files and that the suspension of the deadline for the formalization of allegations until the accumulation incident that is raised in accordance with this writing. Likewise, I-DE understands that, taking into account the nature of the request and the impact on the investigation of the files in question and, finally, on the law of defense of the interested parties in both procedures, by substantially affecting the content of the allegations that I-DE could make in the event that the mentioned accumulation, with the consequent reduction of their right to judicial protection effective in its modality of using the means of proof necessary for the adequate defense of your rights, we expressly request the suspension of the deadline for the formalization of the allegations so that they can be made according to the instruction criteria that we are requesting. Therefore, I-DE requests the suspension of the deadline for formalizing allegations until the accumulation incident that arises pursuant to the present writing. TWELFTH: On May 30, 2023, I-DE presented a written allegations to the Startup Agreement. THIRTEENTH: On January 2, 2024, a Proposal for Resolution, proposing that the Director of the Spanish Agency for the Protection of Data will be sanctioned to I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. with NIF A95075578, for a violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with an administrative fine of 2,500,000 euros (two and a half million euros) and for a violation of Article 32 of the RGPD, typified in Article 83.5 of the GDPR, with a fine of 1,000,000 euros (one million euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/88 FOURTEENTH: On January 22, 2024, this Agency receives, in time and form, letter from I-DE in which it alleges allegations to the proposal of resolution. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: First notification of personal data breach On March 18, 2022, I-DE notifies the AEPD of a data breach personal information in which he reports the following: (…) It is indicated that the number of affected people is 4.5 million clients of this company. Indicates the start date of the gap as March 9, 2022 Indicates the date of detection of the breach, understood as the date on which the responsible is certain that personal data has been affected: 17 of March 2022. SECOND: Second notification of personal data breach On March 29, 2022, I-DE presents a new notification expanding the information about the reported personal data breach, through the contribution from the report “GEA cyber incident. Incident description and actions.” dated 28 March 2022, according to which: “I-DE, within the provision of services to its clients, offers a web application called File Management and Connections (GEA): ***URL.1 This service allows customers or their representatives (installers) to carry out the relevant procedures for the process of a connection to the network. In the course of the application sessions, there is an exchange of client data information that is subject to the application's own security filters, so that each client (or delegated representative) will only be able to access the information that corresponds to the security and intended access profiles. It indicates that the number of affected clients of this company is 1,350,000 Indicates the start date of the gap as March 7, 2022 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/88 THIRD: Chronology of the attack According to I-D, in the report “GEA cyber incident. Incident description and Actions." dated March 28, 2022” and provided along with the second notification of personal data breach, as well as in the written response to the request of information carried out by this AEPD, during the previous actions of investigation, presented on August 1, 2022 (Registration number: REGAGE22e00033475096) the chronology of the attack is as follows: - “On March 15, in the afternoon, an attack was detected against the information management website. I-DE connections, (GEA) (…) - On the morning of March 16, 2022, there is a general slowdown access to various Iberdrola group websites. (…) - Starting March 17: (…) As of the 17th, no suspicious traffic or impact has been observed in none of the Iberdrola group's internet service systems. From the analysis of the activity log of the GEA application of the last days it is concluded on March 17 that a exfiltration, between March 7 and 15, 2022, of approximately 4.5 million interested parties (natural persons). (…) On March 28, 2022, the Systems Directorate communicates to IBERCLI and CURENERGIA the existence of a security incident in the I-DE systems that could have affected the information referring to the clients of these companies and includes information regarding the internal customer codes of those affected, so that the companies verify whether data corresponding to Your clients. Information analyzed by IBERCLI and CURENERGIA verify that the security breach has affected personal data of clients of said companies. (…) FOURTH: About the GEA application Regarding the GEA application, I-DE states: In the report “GEA cyber incident. Incident description and actions.” dated 28 March 2022: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/88 -“I-DE, within the provision of services to its clients, offers a web application called File Management and Connections (GEA): ***URL.1 This service allows customers or their representatives (installers) to carry out the relevant procedures for the process of a connection to the network. In the course of the application sessions, there is an exchange of client data information that is subject to the application's own security filters, so that each client (or delegated representative) will only be able to access the information that corresponds to the security and intended access profiles” -I-DE has a system (SIC) of which GEA is its own and exclusive web service for the processing of their processes and customer data, with the business teams and systems responsible for the development, evolution and maintenance of this system, Likewise, exclusive for I-DE. -In the “Access Manual for regular clients, GEA”, provided by I-DE, the methodology for registering a user (Document No. 6 of entry REGAGE23e00004673128), which indicates that for the development of the Registering a new user requires an email address valid and accessible, to which an individualized link is automatically sent for each user, which allows setting the password for the first access, thus validating the registration in the application. -In the written response to the request made by this AEPD, presented with date February 21, 2023 (Registration number: REGAGE23e00011000318) indicates I- About what: (…) This URL was displayed to validated users at the time of the incident. IBERDROLA S.A., which provides different services to I-DE and other companies in the Group, among them, “IT infrastructure support and maintenance” and “Development of applications”, acting accordingly, as in charge of R-D processing, in its written response to the information request made by this AEPD during the period of prior investigations, presented on January 24, 2023 (Registration number: REGAGE23e00004670187), upon request for information relative to the description of the control and access permissions to the application of each one of the identified profiles, IBERDROLA responds: (…) FIFTH: Causes that made the gap possible In the “GEA Security Incident Forensic Report Summary”, dated March 23, 2022, provided by I-DE together with its written response to the request made by this AEPD, presented on August 1, 2022 (Registration number: REGAGE22e00033475841), it is indicated: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/88 -I-DE indicates the following: (…) -IBERDROLA S.A., which provides different services to I-DE and other companies in the Group, among them, “IT infrastructure support and maintenance” and “Development of applications”, acting accordingly, as in charge of R-D processing, in its written response to the information request made by this AEPD during the period of prior investigations, presented on January 24, 2023(Registration number: REGAGE23e00004670187), indicates the following: (…) SIXTH: Recommended measures It appears in the document “Summary Forensic Report GEA Security Incident”, of 03/23/2022, provided by I-DE in its letter of 08/1/2022, the following recommendations: (…) SEVENTH: immediate measures after the breach I-DE, in its written response to the request made by this AEPD, submitted on February 21, 2023 (Registration number: REGAGE23e00011000318) indicates: (…) IBERDROLA, S.A., in its response to the request for information carried out by this AEPD during the period of prior investigations, presented in dated January 24, 2023 (Registration number: REGAGE23e00004670187), attached as “Document No. 11”, the “Urgent Cybersecurity Plan”. In it it is indicated, among others, the following measures: Application Security: (…) EIGHTH: security measures implemented prior to the incident Among others, it was contributed: (…) NINTH: Risk analysis of the treatment affected by the data breach personal C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/88 At the request of this AEPD for a copy of the risk analysis on the rights and freedoms of natural persons carried out on the processing activity that has suffered the security breach prior to the incident, I-DE provided the scheme followed within the Iberdrola Group for the assessment of risk in the treatment of personal data is carried out in accordance with it. This scheme provides details of certain threats or circumstances such as “vulnerable groups” “access to personal data by more than 10 people” “international transfers” “large-scale treatments” “profiles with legal”. These circumstances are stated as questions and, as answered “yes” or “no”, a result is applied. Likewise, it indicates that “Attached as Document No. 8 is an explanatory document of the logic followed to calculate the risk level according to this methodology. This methodology is implemented in an automated way in the company itself. corporate tool for recording treatment activities, so that in the The registration process itself determines the risk level of the treatment. So, the application of said methodology in relation to treatment ***TREATMENT.1 resulted in a MEDIUM risk level, as stated in Document No. 7 referred to above. In said document 8, circumstances or threats are analyzed in the sense of indicated scheme, which are transferred to the Registry of Treatment Activities. TENTH: Number of people affected and type of data affected 1,350,000 I-DE clients affected. Type of data affected: Name and surname Email address Fax number Phone Postal address NIF/DNI Client code Company code ELEVENTH: Communication to those affected In the written response to the information request made by this AEPD, during the previous investigation proceedings, presented on August 1, 2022 (Registration number: REGAGE22e00033475096), I-DE states that it has communicated to those affected the personal data breach, indicating: “The aforementioned communications were sent to i-DE clients of whom email address was available through this means through making several shipments between March 31 and April 12, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/88 2022, the gap being notified by ordinary mail to the remaining clients between on March 30 and April 7, 2022.” FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues I-DE is a large company of the Iberdrola Group dedicated to energy distribution electricity and for this purpose it processes personal data as the person responsible for a very high number of people since, according to what it states, it processes data of 21 million Of customers. Therefore, in accordance with the provisions of article 4.1 of the RGPD, the processing of personal data, since I-DE carries out, among other treatments, the collection, conservation, consultation, use, deletion, etc., of personal data of natural persons, such as: name, surname, ID, address postal address, telephone number, email address, bank details, data related to electricity supply and consumption, current account, etc. Likewise, IBERDROLA S.A. provides different services to I-DE and other companies of the Group, among them, “IT infrastructure support and maintenance” and “Application development”, acting accordingly, as in charge of the I-D treatment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/88 In the case at hand, the security breach suffered has affected data personal data processed by I-DE in its capacity as data controller, determine the purposes and means with respect to these treatments, under article 4.7 of the GDPR. Article 4 section 12 of the GDPR broadly defines “violations of security of personal data” (hereinafter security breach) as “all those security violations that cause the destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data.” In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, by there has been improper access by an unauthorized third party to data personal data treated by I-DE. III Regarding the request for consolidation and the suspension of the deadline to formulate allegations Regarding the request for accumulation of this file and EXP202305587 carried out by I-DE, it should be noted that article 57 of the LPACAP establishes: “The administrative body that initiates or processes a procedure, whichever has been the form of his initiation, he may dispose, ex officio or at the request of part, its accumulation to others with whom it maintains a substantial or intimate identity connection, provided that it is the same body that must process and resolve the procedure. There will be no appeal against the accumulation agreement.” (emphasis is ours) Therefore, it is a possibility that the Administration has, not being obliged to proceed with the accumulation if requested. However, this does not prevent Motivate below the reasons why it has been considered appropriate. process both sanctioning procedures separately. Thus, although the two sanctioning files, one directed against I-DE and the other against IBERDROLA, S.A., start from the same security incident (the attack on the application GEA), it has produced two different personal data breaches and differentiated, as reflected in the Factual Background of this proposal, especially in the Eighth Factual Background, where the information collected during the phase of prior investigative actions carried out carried out by this AEPD. Thus, on the one hand, the attack was initiated through an I-DE web application, taking advantage of a vulnerability in it and that allowed access to the database I-DE data and which affected the confidentiality of 1,350,000 I-DE clients. By C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/88 Therefore, this sanctioning procedure is directed exclusively at I-DE as responsible for the processing of the personal data of its clients and as consequence of an existing vulnerability in one of your web applications. On the other hand, not only personal data of I-DE was affected in the cyberattack, but, when accessing the I-DE database, which was hosted in a system in which databases from other companies in the same group coexist, but that it was also possible to overcome the logical separation and access the databases of two other companies, IBERCLI and CURENERGÍA, affecting the confidentiality of personal data of clients of the latter two. These different databases different businesses are hosted or run on one maintained and supported system by the company IBERDROLA, S.A., which, consequently, is in charge of treatment of all of them, that is, I-DE, IBERCLI and CURENERGÍA. This fact has led to the initiation of a sanctioning procedure against IBERDROLA, S.A., but due to its responsibility as the person in charge of processing IBERCLI and CURENERGÍA and exclusively for the personal data breach that has affected only to the personal data of the clients of these two companies marketing companies and only taking into account the responsibility that may have IBERDROLA, S.A. regarding the configuration of the databases it manages regarding these two affected companies. In this sense, this impact on personal data of clients hosted in databases data other than I-DE cannot be part of this sanctioning procedure directed exclusively to examine the conduct of I-DE, since it is not responsible for any the personal data of affected customers that belong to other companies, nor of the possible failure to adopt appropriate measures for their protection or for the absolute separation between them. Therefore, it must be analyzed independent management of the databases carried out by IBERDROLA, S.A. regard of these third companies, without I-DE being able to respond for possible breaches of data protection regulations that may have been incurred those third companies. This was stated by I-DE in its written response to the request made by this AEPD, presented on August 1, 2022, in which when requested information on the data affected by the breach relating to IBERCLI clients and CURENERGÍA, responded that “I-DE does not have access to the data of the people who have been affected by the security breach and do not have the condition of clients of the aforementioned entity as their supply point is not assigned to the network managed by i-DE. This means that i-DE does not have the capacity to know any type of information related to those who are clients of IBERCLI or of CURNERGIA are not from this distributor” Therefore, the sanctioning procedures being directed at different subjects (two different companies), the personal data of clients from different companies may be affected. companies, I-DE having nothing to do with the data of other clients, be processed due to vulnerabilities or non-compliance with respect to different systems (one, web application, another a database), etc., which is why it has not been considered This AEPD accumulates the two files, but processes the two procedures sanctions separately, as the responsibility is clearly separated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/88 that is attributed to each one, as well as being personal data breaches different and that affect personal data processed by different controllers. Likewise, this does not make I-DE defenseless because at all times it knows the facts of which he is accused, the infringement that they entail, their classification, the responsibility that has been incurred, as well as that it has had and has the opportunity to formulate allegations and present whatever documentation it deems appropriate in defense of your interests permitted by applicable legislation. Finally, regarding the request for suspension of the deadline to formulate allegations to the Startup Agreement until a decision is made on the accumulation of the two procedures, it means that this possibility does not exist even in the applicable regulations of data protection (RGPD AND LOPDGDD) nor in the LPACAP. On the contrary, in What this last law establishes is the obligation that the procedures that must be completed by the interested parties are mandatory: “Article 73. Compliance with procedures. 1. The procedures that must be completed by the interested parties must be made within a period of ten days from the day following the notification of the corresponding act, except in the case that the corresponding norm states set a different deadline.” Therefore, the request for suspension is not applicable, as this does not legally exist. possibility, nor has it had any effect, having not been suspended, in consequently, the deadline for formulating allegations. IV Response to allegations to the Startup Agreement In response to the allegations presented by I-DE, the following should be noted: FIRST: ON THE ACCUMULATION OF PROCEDURES I-DE reiterates the request for accumulation again and refers to the request presented to this effect on May 24, 2023. In this regard, it is appropriate to refer to what was argued in the Legal Basis above, in which a due answer to this question is given. SECOND. – ABOUT THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN RELATIONSHIP WITH THE PROCESSING OF THIS FILE AND THE VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE TRUST AND LEGAL SECURITY I-DE alleges that this AEPD has violated the principles of legal certainty, good faith and legitimate trust established in article 3.2 e) of Law 40/2015, of 1 October, of the Legal Regime of the Public Sector (hereinafter LRJSP) since through writing dated April 18, 2022, from the Technological Innovation Division of the AEPD, it is indicated, in relation to the additional information provided by I-DE regarding the personal data breach suffered by her, which “After analyzing the information C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/88 provided, the security breach has been updated in the security log. notifications of security breaches and the initiation of other actions by part of this Agency”, but that nevertheless, subsequently and without no subsequent action until the date of the first information request that is addressed to you (writing signed on July 8, 2022 by the acting Inspector) of what which seems to indicate the initiation by the AEPD of investigative actions, without any agreement or decision in this regard. I-DE understands that this shows that it was not appropriate to carry out additional investigation related to the gap since the AEPD when signing the referred letter of April 18 considered appropriate the statements made by I-DE, not appreciating in the gap the concurrence of any element that justify the carrying out of investigative actions aimed at determining whether had produced an alleged violation of data protection regulations. However, I-DE continues, the AEPD on May 9, 2022, agrees to admission to processing of claims (formulated prior to April 18, 2022) and the initiation of prior investigative actions, but without it being stated in the file no action or circumstance related to this case that would have been contributed or occurred in the period between April 18 and the date of admission to processing and that justifies the start of the same. Likewise, I-DE understands that the letter of May 18, 2022 implies that the AEPD considered that the information received from her about the breach was sufficient to understand that it did not bear any responsibility for an alleged non-compliance with data protection regulations, which determined the archive of a file that, however, the AEPD decides to open days later without there is any indication that implies a substantial change in the nature, circumstances or severity of the breach. From this I-DE concludes that the AEPD adopted a decision that directly contradicts the previous one adopted just 20 days ago before. Faced with this, it should be noted that in no way can the interpretation of I-DE of the letter that he received on May 18, 2022. Thus, said letter is signed generically by the AEPD, comes from the Technological Innovation Division, the which is responsible for receiving security breaches and recording them in the registry at effect, and in which the following was indicated: “In relation to the additional information provided through check-in REGAGE22e00010072289, relating to a personal data breach in a treatment of I-DE REDES ELECTRICAS INTELLIGENTES S.A.U. we inform that: After analyzing the additional information provided, the security breach has been updated in the security breach notification log and not The initiation of other actions by this Agency is expected. However, we remind you of the need to investigate the causes of the incident until we understand how and why it has happened, and the obligation to take the timely actions to prevent it from happening again and minimize the impact C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/88 potential on those affected, as well as the obligation to document any security incident that may affect personal data such as facts related to them and the corrective measures provided as and as established in article 33.5 of the RGPD. If over time you obtain indications that imply a change substantial in the nature, circumstances or severity of the breach, may make a new complete notification through our electronic office https://sedeagpd.gob.es/sede-electronica-web/. Likewise, we inform you that in the following link you have at your disposal the guide for managing and reporting data security breaches personal information published by this Agency: https://www.aepd.es/media/guias/1ome-brechas-seguro.pdf” The heading includes “TECHNOLOGICAL INNOVATION DIVISION” On the left side of the document it is indicated that “Signed electronically by: Spanish Data Protection Agency. As of 04/18/2022” It is not signed by the Director of the Agency, it has no operative part in which something is agreed upon or resolved, nor does it have any indication of any recourse against the same. Therefore, and contrary to what I-DE states, this document does not have a decisive nature, nor due to its content, which only contains a forecast and which in no way can understood to mean that this AEPD has assessed and decided that it did not attend I- OF any responsibility for an alleged breach of the regulations of data protection, which would mean archiving some actions - as has wanted to understand I-DE-, nor by its form, since it does not even formally reflect a decision, much less a resolution to file any action, since For this to be the case, the only competent body for this is the current Director of the AEPD. Thus, Article 13 of the AEPD Statute, approved by Royal Decree 389/2021, of June 1, the functions of the Presidency are determined: 1. The Presidency of the Spanish Data Protection Agency is responsible for: d) Issue the resolutions and guidelines required for the exercise of functions of the Agency, in particular those derived from the exercise of powers provided for in article 57 of Regulation (EU) 2016/679 of Parliament European Parliament and of the Council, of April 27, 2016, and the exercise of powers of investigation and corrective powers provided for in article 58 of the cited Regulation. Therefore, to proceed with the archiving of investigation proceedings, it is required, first, that they have been initiated (either because a claim has been admitted for processing, either on their own initiative, which in both cases requires an express resolution signed by the Director), which had not happened at the time of issuance of the aforementioned writing from the Technological Innovation Division and, secondly, it is necessary again an express resolution on the part of the Director archiving C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/88 said actions to understand, now, that from the information collected in said investigations, the existence of a violation of the regulations of data protection, which had not occurred. In the present case, after notification of the personal data breach by I-DE, several claims were filed by people affected by it, the which were admitted for processing jointly by the AEPD in compliance with the article 64 LOPDGDD: Article 64. Form of initiation of the procedure and duration. 1.When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be will be adopted in accordance with the provisions of article 65 of this organic law. In this case, the period to resolve the procedure will be six months from from the date on which the claimant had been notified of the agreement admission for processing. After this period, the interested party may consider estimated your claim. 2.When the procedure aims to determine the possible existence of a violation of the provisions of Regulation (EU) 2016/679 and in This organic law will begin by means of an initial agreement adopted by own initiative or as a result of a claim. If the procedure is based on a claim made before the Agency Spanish Data Protection Authority, in advance, will decide on your admission for processing, in accordance with the provisions of article 65 of this organic law. When the rules established in article 60 of the Regulation (EU) 2016/679, the procedure will begin by adopting the draft agreement to initiate the sanctioning procedure, which will be given formal knowledge to the interested party for the purposes provided for in article 75 of this organic Law. The claim is admitted for processing, as well as in cases in which the Agency Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of prior investigation actions, which will be governed by the provisions of article 67 of this organic law. Article 67. Previous investigation actions. 1.Before the adoption of the agreement to initiate the procedure, and once admitted processing the claim if there is one, the Spanish Data Protection Agency may carry out prior research actions in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/88 The Spanish Data Protection Agency will act in any case when it is requires research into treatments that involve massive data traffic personal. 2.Preliminary investigation actions will be subject to the provisions of the Section 2 of Chapter I of Title VII of this organic law and may not have a duration exceeding twelve months from the date of the admission agreement to procedure or the date of the agreement by which its initiation is decided when the Spanish Data Protection Agency acts on its own initiative or as consequence of the communication that had been sent to him by the authority of control of another Member State of the European Union, in accordance with article 64.3 of this organic law. (emphasis is ours) From said regulations it is not inferred in any way that the AEPD has to justify the way that I-DE requires the initiation of prior actions in the sense that it has that there is something new or some new circumstance or that the claims have had to provide new and different circumstances regarding documentation provided by I-DE in its notification of the breach to this Agency, since this is not required by the indicated regulations, in addition to the fact that it cannot be claimed that the affected parties contribute something new, apart from knowing that the confidentiality of your personal data due to a cyber attack, the circumstances of which they don't know. Precisely the previous investigative actions are carried out to clarify the facts and circumstances of what happened, gathering more information in order to be able to determine or not the existence of a possible violation of the regulations in data protection matters. In this sense, the beginning of previous investigations and its realization, the power of the AEPD with or without claims, does not prejudge anything, but that allows gathering the necessary information to determine whether or not there are indications of infringement. Even after said investigation, the proceedings may be archived to understand, in view of the information collected, that there are no indications of infringement. Which, in the present case, has not happened. What the regulations do indicate is that, after the presentation of claims, this Agency must decide whether to admit them for processing or not, having finally decided on their admission through, this time, an Admission Agreement for processing, signed by the Director of the Agency dated May 9, 2022. And, as indicated in article 67.2 referenced LOPDGDD, the AEPD can carry out prior actions of investigation in order to achieve a better determination of the facts and the circumstances. It is a power attributed to it by the RGPD and the LOPDGDD. Likewise, and to make matters worse, even in the event of there being no claims existed, the document from the Technological Innovation Division did not nor would it have been an obstacle or obstacle to the exercise of the powers of investigation that the AEPD has in accordance with the aforementioned article 64.2 that determines that “The claim is admitted for processing, as well as in the cases in which The Spanish Data Protection Agency acts on its own initiative, with character Prior to the initiation agreement, there may be a phase of prior actions of investigation…" C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/88 Therefore, this sanctioning procedure has not been initiated due to the content or by some new information provided in the claims, but by the information and documentation obtained after the period of prior investigation actions, to the possible violations of protection regulations may be inferred from it. of data. Finally, I-DE brings up the Supreme Court ruling of February 22 of 2016 (resource 4048/2013), understanding that it is fully applicable to the case, in the which is indicated: “According to the facts briefly stated, we can consider legitimate trust has been injured, since the Administration cannot adopt decisions that contravene the perspectives and hopes founded on the own previous decisions of the Administration. When you trust the stability of his criteria, evidenced in multiple previous acts in a same sense, which leads the administrator to adopt certain decisions, trust is generated based on the consistency of behavior administrative, which cannot be defrauded through an act amazing. […] It is worth keeping in mind that legitimate trust requires, ultimately, the concurrence of three essential requirements. Namely, that it is based on signs undeniable and external (1); that the hopes generated in the administered they must be legitimate (2); and that the final conduct of the Administration is contradictory with previous acts, is surprising and incoherent (3). Exactly what happens in the case examined, according to the facts previously reported. Let us remember that, with respect to legitimate trust, we have been declaring reiterated, by all, Judgment of December 22, 2010 (appeal contentious-administrative no. 257 / 2009), that << the principle of good faith protects the legitimate trust that may have been reasonably placed in the behavior of others and imposes the duty of coherence in the own behavior. Which is to say that the principle implies the requirement of a duty of behavior that consists of the need to to observe, with a view to the future, the behavior that previous acts predicted and accept the binding consequences that arise from one's own actions constituting a case of injury to the legitimate confidence of the parties “I will come contra factum propium >> In this regard, it is meant that the doctrine established therein is not “of application to the present case, since, as indicated above, it has not been a decision of this Administration, neither due to its form nor its content, nor has it caused trust in the stability of his criterion, since there has been no criterion decisive in this regard, much less evidenced in multiple previous acts in a same sense, so the action of this Agency in relation to the alleged has not supposed a final conduct of her that is contradictory with previous acts that be surprising or incoherent, in the sense of the Court's doctrine. For the above reasons, the claim made is rejected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/88 THIRD.- ON THE ADDITIONAL AFFECTION TO THE PRINCIPLES OF THE SANCTIONING RIGHT ARISING FROM THE INTERPRETATION MADE BY LAAEPD I-DE alleges in this section that the Startup Agreement incurs important violations of the principles of administrative sanctioning law, since it implies the imposition of two infractions whose content is, in reality, identical or with respect to which, at least, it is possible to appreciate the subsumption of one of them in the other: 1.Violation of the non bis in idem principle I-DE alleges that in the Start Agreement the AEPD considers that the security implemented by it have not been, in its opinion, adequate and that this implies a double violation of the RGPD, on the one hand, it understands that I-DE has not adopted the appropriate technical and organizational measures, required by article 32 of the GDPR; and, On the other hand, it considers that the principle of security has been violated, allegedly violating article 5.1 f) of the GDPR, of which article 32 is nothing more than a mere specification. I-DE understands that this means that two different sanctions are imposed, respectively, considering that my client lacks the appropriate security measures and because he understands that it has occurred, due to the lack of such measures, a breach of confidentiality of personal data. And also, establishes for both alleged infractions circumstances modifying the responsibility of I-DE in every point identical, both in its determination and in the legal basis for its imposition. I-DE points out that it follows that the AEPD considers that the same fact (the alleged insufficiency of security measures) would constitute two infractions of the same protected legal asset (the adequate guarantee of the rights and freedoms of interested parties). And this, because, on the one hand, the absence of the security measures that the AEPD considers necessary to adopt and, on the other, the principle of security and confidentiality, which requires the adoption of such measures. Therefore, I-DE maintains that, incurring the triple identity of subject, fact and good protected legal, there is no doubt that the principle of non bis in has been violated idem, so it would only be possible to charge and punish for a single infraction, which in this case would only be for article 32, since it would only be possible to appreciate the supposed insufficiency of security measures. Faced with this, it is necessary to explain the difference between the violation of art. 5.1.f and the article 32 of the RGPD, which will be expanded in the following point regarding the allegation regarding the existence of media competition, as well as the different classification in sections even different from art. 83 of the GDPR and the different qualification of both the effects of prescription in the LOPDGDD. The art. 5.1.f) of the RGPD is violated when there is a loss of confidentiality, of integrity or availability of personal data due to the absence or deficiency of measures of any kind. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/88 This principle only determines the channel through which the maintenance of confidentiality, integrity or availability when explicit “through the application of appropriate technical and organizational measures”, which are not Strictly security. I-DE indicates that the appropriate technical and organizational measures to which it makes mention the art. 5.1.f) RGPD are the security measures of art. 32 of the GDPR. This would be to simplify the essence of the RGPD whose compliance is not limited to the implementation technical and organizational security measures; would mean, in our case, reduce the required guarantee through the principle of integrity and confidentiality at your discretion. achievement only with security measures. When art. 5.1.f) of the GDPR refers to technical or organizational measures appropriate to guarantee the rights and freedoms of the interested parties within the framework of The management of regulatory compliance with the RGPD does so in the sense provided in the art. 25 of the GDPR regarding privacy by design. This precept determines that, “Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the treatment entails for the rights and freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment as well as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, such as data minimization, and integrate safeguards necessary in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties” (emphasis is our) It should be noted that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. However, art. 32 of the GDPR includes the obligation to implement measures appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Of security. Just for security. Furthermore, its objective is to guarantee a level of security appropriate to the risk. regardless of whether a security breach has occurred, while that in the case of article 5.1.f) of the RGPD, availability must be guaranteed, confidentiality and integrity and materializes, in this case, with the loss of data confidentiality. As can be seen, the two articles refer to different behaviors, although they may be related. Already entering fully into the examination of the non bis in idem, the Court's Judgment National of July 23, 2021 (rec. 1/2017) provides that, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/88 “(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle prevents punishing the same subject twice for the same act with support in the same foundation, the latter understood as the same legal interest protected by the sanctioning regulations in question. In fact, when there is the triple identity of subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But for it to be possible to speak of “bis in idem” a triple identity must occur. between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing): 2. Subjective identity assumes that the affected subject must be the same, whatever the nature or judicial or administrative authority that prosecute and regardless of who the accuser or specific body is that has been resolved, or that it is tried alone or in conjunction with other affected. b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real competition of infractions in which there is not the same illegal act but before several. c) The identity of the foundation or cause implies that the sanctioning measures do not can coincide if they respond to the same nature, that is, if they participate in a same teleological foundation, what happens between penal and administrative sanctions, but not between the punitive and the merely coercive.” Taking as reference what was previously explained, the principle has not been violated non bis in idem, since, although roughly understood the facts are detected consequence of a personal data breach, the violation of art. 5.1.f) of the GDPR takes the form of a clear loss of confidentiality and availability, the violation of the art. 32 of the GDPR boils down to the absence and deficiency of security measures (security only) detected, present regardless of data breach personal. In fact, if these deficiencies in the security measures that are detected in the I-DE web application would have been detected by the AEPD without would have resulted in the loss of confidentiality, it could only have been sanctioned by art. 32 of the GDPR. And all this in the face of the allegations made by I-DE which considers that in both precepts require only one conduct, which is to implement adequate security. It's not true, since art. 5.1.f) of the GDPR is not limited to guaranteeing security appropriate to the risk, but rather to guarantee the integrity and availability through any measures. And not only through security measures, but through everything type of appropriate technical or organizational measures. As we have indicated, through art. 5.1.f) of the RGPD, a loss of availability and confidentiality and, through art. 32 of the RGPD the absence and/or deficiency of the security measures implemented by the person responsible for the treatment. Absent or deficient security measures, we add, that violate the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/88 GDPR regardless of whether the loss of data had not occurred. confidentiality and availability. Finally, regarding the application of identical aggravating factors in both infractions, We must mean that the circumstances provided for in art. 83.2 of the GDPR and the provided in art. 76.2 of the LOPDGDD are the only ones that can be applied by AEPD for any infraction. The determining factor in this case, with respect to that provided for in art. 83.2.b) of the GDPR does not is that they coincide in their use, but rather the foundation established for their consideration. Having said all that, it is not considered that there is a violation of the principle of non bis in idem, enshrined in article 25 of the Spanish Constitution. 2. Subsidiarily, existence of medial competition between the two imputed conducts to I-DE I-DE alleges that, on the other hand, the Initiation Agreement identifies (and intends to sanction) a plurality of infractions that, supposedly, my client would have committed (which which is flatly denied) when, in reality, one of them would be subsumed and embedded in the other, giving rise to a medial competition in the terms provided in the article 29.5 of the LRJSP. I-DE understands that both infractions cannot be sanctioned, given that the commission of the alleged violation of article 32.1 of the RGPD would determine the alleged violation of article 5.1.f) of the same legal text and would be sanctioned by themselves facts, since it considers that the alleged violation of article 5.1 f) would require and inseparably the cause of the alleged lack of diligent implementation of the measures referred to in article 32.1 of the RGPD. I-DE brings up certain jurisprudence (for all, Sentence 339/2015 of September 25, 2015 of the National Court - appeal 262/2014 - which cites the Supreme Court ruling of February 8, 1999, - appeal 9/1996 -): “the application of medial competition requires a necessary referral of infractions respect to the others and vice versa, so it is essential that some do not can be committed without executing the others.” Thus, there must exist “such a relationship between the infringements concerned that one of them necessarily derives from the other, so that the commission of one is not possible without executing the other” (for all, the Judgment of the National Court of December 26, 2013, - appeal 416/2012). Thus I-DE concludes that it is evident that such a relationship exists between the two infringements who intend to accuse her. In this regard, it means, as noted above, that art. 32 of the GDPR, although related to art. 5.1.f) of the GDPR does not circumscribe the principle In its whole. Thus, Article 5.1.f) of the GDPR is one of the principles relating to processing. The principles relating to the treatment are, on the one hand, the starting point and the clause of closure of the legal data protection system, constituting true C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/88 informing rules of the system with an intense expansive force; on the other hand, at have a high level of specificity, they are mandatory standards that are susceptible of being infringed. Well, art. 5.1.f) of the RGPD includes the principle of integrity and confidentiality and determines that personal data will be processed in such a way as to guarantee adequate security of personal data, including protection against unauthorized or illicit treatment and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures of all kinds, not just security. Moreover, art. 32 of the GDPR regulates how the security of the processing in relation to the specific security measures that must be implement, in such a way that taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk that includes, among other issues, the ability to guarantee the data confidentiality. As has been noted, this provision, art. 32 of the GDPR, although related to the art. 5.1.f) of the GDPR does not circumscribe the principle in its entirety. The art. 5.1.f) of the GDPR strictly requires that confidentiality be guaranteed, and requires for its application a loss of confidentiality. We can find cases in which there are inadequate measures without there being a loss of integrity and confidentiality. Proof of this is not only this difference between the violation of art. 5.1.f and the article 32 of the RGPD, but the different classification in sections even different from the art. 83 of the GDPR and the different qualification of both for the purposes of prescription in the LOPDGDD. In the case examined, as stated in the proven facts, there is a clear loss of confidentiality revealed through a clear result: produced illegitimate access by an unauthorized third party to personal data. Likewise, as indicated, art. 5.1.f) of the RGPD is violated when produces a loss of confidentiality, integrity or availability of data personal, which may or may not occur due to the absence or deficiency of the measures Strictly security. This principle only determines the channel through which the maintenance of confidentiality, integrity or availability when explicit “through the application of appropriate technical and organizational measures”, which are not Strictly security. I-DE indicates that the appropriate technical and organizational measures to which it makes mention article 5.1.f) are the security measures of art. 32 of the GDPR. This would be to simplify the essence of the RGPD whose compliance is not limited to the implementation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/88 technical and organizational security measures; would mean, in our case, reduce the required guarantee through the principle of integrity and confidentiality at your discretion. achievement only with security measures. As noted above, when art. 5.1.f) of the GDPR refers to appropriate technical or organizational measures to guarantee the rights and freedoms of interested parties within the framework of GDPR regulatory compliance management. does in the sense provided in art. 25 of the GDPR regarding privacy from design. We reiterate that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. And all this in the face of the allegations made to the contrary by I-DE that it considers that in both precepts a single conduct is required, which is to implement security appropriate. It is not true, since art. 5.1.f) of the RGPD is not restricted to the guarantee of security appropriate to the risk, but rather to guarantee the integrity and availability. And not only through security measures, but through all kinds of appropriate technical or organizational measures. As we have indicated, through art. 5.1.f) of the RGPD, a loss of availability and confidentiality and, through art. 32 of the GDPR the absence and deficiency of the security measures implemented by the person responsible for the treatment. Absent or deficient security measures, we add, that violate the GDPR regardless of whether the loss of data had not occurred. confidentiality and availability. In the present case, the aforementioned article 32 has been violated regardless of whether ultimately suffered a breach of confidentiality or not, because the conduct reprehensible and that violates said precept is the lack or inadequacy of those measures, in themselves, that is, it is infringed and punished for it regardless of whether Whether or not a personal data breach has occurred. Which does not prevent, in In the event of a personal data breach materializing, this circumstance as an aggravating circumstance, in accordance with the RGPD. On the other hand, in the present case, so that we are faced with a violation of the article 5.1.f) it has been and is an unavoidable requirement that the confidentiality of the data be violated personal (which does not happen with the violation of article 32) Regarding the media competition, it should be noted that article 29 of the LRJSP does not It is applicable to the sanctioning regime imposed by the RGPD. And this is because: 3. The GDPR is a complete system. The GDPR is a community standard directly applicable in the Member States, which contains a new, complete and global system aimed at guaranteeing the protection of personal data in a uniform manner throughout the European Union. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/88 In relation, specifically and also, to the sanctioning regime provided in the same, its provisions are applicable immediately, directly and integral, providing for a complete system without gaps that must be understood, be interpreted and integrated in an absolute, complete, integral manner, thus leaving the Its ultimate purpose is the effective and real guarantee of the Fundamental Right to Personal data protection. The opposite determines the loss of the guarantees of the rights and freedoms of citizens. In fact, a specific example of the lack of loopholes in the system of GDPR is article 83 of the GDPR that determines the circumstances that can operate as aggravating or mitigating circumstances with respect to an infringement (art. 83.2 of the RGDP) or that specifies the existing rule regarding a possible medial competition (art. 83.3 of the GDPR). To the above we must add that the RGPD does not allow the development or realization of its provisions by the legislators of the Member States, safe from what the European legislator himself has specifically provided for, delimiting it in a very concrete (for example, the provision of art. 83.7 of the RGPD). The LOPDGDD only develops or specifies some aspects of the RGPD as far as it allows and with the scope that it allows. This is because the intended purpose of the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of natural persons, that corrects behavior contrary to the RGPD, that encourages compliance, which enables the free circulation of this data. In this sense, recital 2 of the GDPR determines that, “(2) The principles and rules relating to the protection of natural persons in what regarding the processing of your personal data must, whatever their nationality or residence, respect their fundamental freedoms and rights, in particularly the right to the protection of personal data. The present Regulation aims to contribute to the full realization of an area of freedom, security and justice and an economic union, to economic and social progress, to reinforcement and convergence of economies within the internal market, as well as well-being of natural persons.” (emphasis is ours) Recital 13 of the GDPR continues to indicate that, “(13) To ensure a consistent level of protection of natural persons throughout the Union and avoid divergences that hinder the free circulation of personal data within the internal market, a regulation is necessary that provides security legal and transparency to economic operators, including microenterprises and small and medium-sized businesses, and offer individuals of all Member States the same level of enforceable rights and obligations and responsibilities for those responsible and in charge of the treatment, in order to ensure consistent supervision of the processing of personal data and sanctions equivalents in all Member States, as well as effective cooperation between the supervisory authorities of the different Member States. The good functioning of the internal market requires that the free circulation of data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/88 personal property in the Union is not restricted or prohibited for reasons related to protection of natural persons with regard to data processing personal”. (emphasis is ours) In this system, the determining factor of the GDPR is not the fines. The corrective powers of the control authorities provided for in art. 58.2 of the RGPD conjugated with the provisions of art. 83 of the GDPR show the prevalence of corrective measures against fines. Thus, art. 83.2 of the GDPR says that “Administrative fines will be imposed, in depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in article 58, paragraph 2, letters a) to h) and j). In this way the corrective measures, which are all those provided for in art. 58.2 of RGPD except the fine, have prevalence in this system, the fine being relegated economic to cases in which the circumstances of the specific case determine that a fine be imposed together with corrective measures or in lieu of the themselves. And all this with the purpose of forcing compliance with the RGPD, avoiding non-compliance, encourage compliance and ensure that infringement is not more profitable than non-compliance. For this reason, art. 83.1 of the RGPD prevents that “Each supervisory authority will guarantee that the imposition of administrative fines pursuant to this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” (emphasis is our) For this system to work with all its guarantees, it is necessary that several elements are deployed in an integral and complete manner. The application of foreign rules to the RGPD regarding the determination of fines in each of the States members applying their national law, whether due to aggravating circumstances or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the Spanish case-, whether due to the application of a media contest different from that provided in the RGPD, it would remain effectiveness to the system that would lose its meaning, its teleological purpose, resulting in the fines imposed for different violations would no longer be effective, proportionate and dissuasive. And in this way the interested parties would also be robbed. of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. Mechanisms for the protection of rights and freedoms of citizens and would be contrary to the spirit of the RGPD. The GDPR is endowed with its own principle of proportionality that must be applied in its strict terms. 4. There is no legal loophole, there is no supplementary application of art. 29 of the GDPR. In addition to the above, it means that there is no legal gap regarding the application of the media contest. Neither the RGPD allows nor the LOPDGDD provides for the supplementary application of the provisions of art. 29 of the LRJSP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 37/88 There is also no subsidiary application of art. 29 of the GDPR. In Title VIII of the LOPDGDD regarding “Procedures in case of possible violation of the regulations of data protection”, article 63 that opens the Title provides that “The Procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, as far as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures.” Although there is a clear reference to the LPACAP, it is not establishes in no way a subsidiary application with respect to the LRJSP that does not contains in its articles any provision relating to administrative procedure some. In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in art. 29 of the LRJSP, since the RGPD establishes its own, therefore, There is no legal loophole or subsidiary application of the same, nor is it possible to apply section relating to media competition and for identical reasons. In any case, the judicial precedents cited by the plaintiff regarding the competition medial come from the application of the LOPD of the year 99 that transposed the Directive 95/46/EC, the RGPD establishing a clearly different system. At that time, article 115 of Royal Decree 1720/2007, of December 21, which approves the Regulations for the development of Organic Law 15/1999, of December 13, of protection of personal data, it did provide for a supplementary application of the Law 30/1992, of November 26, on the Legal Regime of Administrations Public and Common Administrative Procedure. Thirdly, and now focusing on the specific case examined, and without prejudice From the above, it should be noted that there is no medial competition. Article 29.5 of the LRJSP establishes that “When the commission of an infraction results necessarily the commission of another or others, only the sanction should be imposed corresponding to the most serious infraction committed.” Well, the medial competition takes place when in a specific case the commission of an infraction is a necessary means to commit a different one. The established facts determine the commission of two different infractions, without the violation of article 32 of the RGPD (security of processing), as stated the appellant, is the necessary means by which the violation of the article 5.1.F) of the RGPD (principle of confidentiality). In conclusion, from all this and against everything argued, it has been proven that I-DE was not diligent because it did not adequately guarantee confidentiality of the personal data of its clients, as well as that it did not have the measures appropriate technical and organizational measures to ensure an appropriate level of security. For the above reasons, the allegation is rejected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/88 FOURTH.- ON THE ALLEGED VIOLATION BY I-DE OF ARTICLE 32 OF THE GDPR I-DE alleges that it does not agree that the Startup Agreement indicates that it was not the diligent enough to implement appropriate security measures to prevent security incidents from occurring like the one that happened, as it maintains that, as has been revealed in the responses given to the AEPD in the different information requirements, it has been proven that there was implemented multiple and robust security measures aimed at protecting the information of its clients and prior to March 2022. I-DE proceeds below to detail the security measures it has implanted. Faced with this, it means that in the present case there was a vulnerability in the GEA web application, which was used by the cybercriminal. So, as it has has been accredited in the Proven Facts and as indicated in the Foundation of Law VI of the Initiation Agreement, (…). Therefore, the above shows the existence of a web application with a vulnerability that allowed: (…) Likewise, as a subsequent measure to avoid incidents such as the one that occurred, proceeded through I-DE to modify the GEA application (…). On the other hand, as security measures existed before the incident, they pointed out, among others, the following: (…). And it is precisely this vulnerability that was used by the attacker during the security breach. (…) From the above, it follows that this attack would have been avoided if that code would not have been visible. Even more so if you take into account that this is one of the requirements that are included in the indicated document, (…). Likewise, this vulnerability is identifiable in security assessments. Without However, during the investigation proceedings I-DE has not proven that detect the vulnerability of the GEA application within the framework of the security evaluation implemented in the Iberdrola Group. Furthermore, as has been indicated, the last review or security assessment of critical applications dates from 2019, almost two and a half years before the incident, so they were not being very taking into account the rapid advances in technology, as well as the sophistication of cyber attacks, in addition to the fact that the results obtained. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/88 Therefore, the GEA application contained an avoidable and identifiable vulnerability that was the one used by the attacker. This clearly shows a non-compliance with article 32 of the GDPR, as it requires appropriate measures to guarantee a level of security appropriate to the risk, and all this taking into account the state of the art, application costs and the nature, scope, context and the purposes of the treatment. (…) Regarding the risks to the rights and freedoms based on which they must appropriate security measures be established and implemented, I-DE has not provided a risk analysis carried out prior to the incident that complies with art. 32 of GDPR, as it does not indicate what measures should be applied to the risk level. Also, the approach to risk analysis, contained in the Register of Activities of Treatment regarding the affected activity is not oriented to the risks that for the rights and freedoms of the owners of personal data may involve the loss of confidentiality, availability or integrity. Recital 75 of the GDPR, cited in the Initiation Agreement, indicates that “The risks for the rights and freedoms of natural persons, of seriousness and probability variables, may be due to data processing that could cause damage and physical, material or immaterial damages, particularly in cases in which the treatment may give rise to problems of discrimination, identity theft or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other significant economic or social harm; in cases where deprives data subjects of their rights and freedoms or prevents them from exercising control about your personal data; in cases where the personal data processed reveal ethnic or racial origin, political opinions, religion or beliefs philosophical, militancy in unions and the processing of genetic data, data relating to health or data on sexual life, or criminal convictions and offences. or related security measures; in cases in which aspects are evaluated personal, in particular the analysis or prediction of aspects related to the performance at work, economic situation, health, preferences or interests personal, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases in which personal data of vulnerable people, particularly children; or in cases where the treatment involves a large amount of personal data and affects a large number of interested." For its part, art. 28.2 LOPDGDD determines that “For the adoption of the measures referred to in the previous section, those responsible and in charge of the treatment will take into account, in particular, the increased risks that could arise in the following assumptions: 5. When the treatment could generate situations of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other harm economically, morally or socially significant for those affected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/88 b) When the treatment could deprive those affected of their rights and freedoms or could prevent them from exercising control over their data personal (,,,)” As explained in the guide “Risk management and impact assessment in processing of personal data” of the AEPD, “The RGPD establishes the obligation of manage the risk that a risk to people's rights and freedoms poses treatment. This risk arises both from the very existence of the treatment and from its technical and organizational dimensions. The risk arises both from the automated data processing as well as manual processing, human elements and the resources involved. The risk arises from the purposes of the treatment and its nature, and also by its scope and the context in which it is unwraps.” However, these risks have not been assessed. Damage has not been assessed for physical, material or immaterial persons, or at least it is not proven that fact, lacking, therefore, a risk analysis focused on the protection of the rights and freedoms of the interested parties. On the other hand, I-DE understands that the AEPD has linked the alleged non-compliance with article 32 with the production of the result that occurred as a consequence of the concurrence of a series of factors that were unpredictable and that were detected and resolved immediately. It therefore concludes that the AEPD is imposing, with regard to the adoption of security measures, a obligation of result, but which is nevertheless an obligation of means. In this regard, it brings up or stated by the Supreme Court in its ruling of February 15, 2022 (cassation appeal 7359/2020), which clearly states clear way that the obligation imposed by data protection regulations personnel, to adopt technical and organizational measures aimed at guaranteeing the confidentiality, availability and integrity of the information, is an obligation of means and not result. In this regard, it should be noted that the aforementioned Judgment effectively indicates, above all security measures regarding data protection, that “… the obligation that falls on the person responsible and on the person in charge of the treatment with respect to the adoption of necessary measures to guarantee the security of personal data personnel is not an obligation of result but of means, without the obligation being enforceable. infallibility of the measures adopted. Only the adoption and implementation of technical and organizational measures, which according to the state of the technology and in relation to the nature of the processing carried out and the data personal data in question, reasonably allow to avoid its alteration, loss, “unauthorized treatment or access.” (emphasis is ours) However, the Judgment continues indicating, in the specific case analyzed in same, that “…the program used to collect customer data does not contained no security measures that would allow checking whether the address of email entered was real or fictitious and whether it really belonged to the person whose data was being processed and gave consent for it. The state C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/88 of the technique at the time in which these events occurred allowed us to establish measures aimed at verifying the veracity of the email address, conditioning the continuation of the process for the user to receive the contract at the address provided and only from it provide the necessary consent for its collection and treatment. Measures that were not adopted in this case. (…) So, at the time these events occurred, there were technical measures related to the registration process, which would have prevented the filtration of personal data produced. This implies that the technical measures adopted did not comply with the security conditions in the terms required in art. 9.1 of the LO 15/1999, therefore incurring the infringement provided for in art. 44.3.h) consisting of “Maintain the files, premises, programs or equipment that contain personal data without due security conditions that via regulations are determined […]”. Therefore, although it is inferred from the Judgment that the obligations established by the Article 32 of the GDPR are media, it also makes it clear that, if at the time of When the incident occurred, there were adequate technical measures to avoid or mitigate the effects thereof and were not applied, this represents a breach of the aforementioned obligation imposed by the RGPD and, therefore, a violation of it. In the present case, as has been pointed out, there was a vulnerability in the application GEA, which was identifiable in the safety evaluations as well as avoidable, as as evidenced by the fact that I-DE subsequently proceeded to correct said vulnerability. This clearly shows a breach of the article 32 of the GDPR, as it requires appropriate measures to guarantee a level of security appropriate to the risk, and all this taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the treatment. I-DE also alleges that the security breach is not caused by insufficient the measures adopted, but rather the intense activity carried out by a third party with the sole intention to carry out the cyberattack produced to the detriment not only of the i-DE clients, but of the company itself. Faced with this, it should be noted that total infallibility of the measures that can be taken to ensure adequate protection in the processing of personal data. However, once the attack occurs, it must evaluate the diligence of the data controller in the application of the measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, taking into account the state of the art, application costs, nature, scope, context and purposes of the processing. In the present case, I-DE did not count, at the time of the breach of data protection, with appropriate measures in relation to the risks of the processing for the protection of personal data, since as indicated, There was a detectable and avoidable vulnerability in its web application, which was exploited by cybercriminals. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/88 Finally, in accordance with the Judgment of June 22, 2021- Rec. 1210/2018, and the Judgment of November 5, 2011 - Rec. 1796/2019, in which the subjective or culpable element, it is insisted that the guilt of the plaintiff cannot be considered excluded or attenuated by the fact that the fraudulent action of a third party, since the responsibility of the plaintiff does not derives from his actions, but from his own. Finally, I-DE points out that it had implemented mechanisms that allowed the almost immediate detection of the security breach suffered as a result of the access to GEA, adopting immediately, so i-DE understands that its rapid performance is a clear example that for the same reason it was given, and is given, complete compliance with the provisions of article 32.1 c) of the RGPD, when it refers to “the ability to restore availability and access to personal data in the event of a physical or technical incident”, something that, however, has not been the object of sufficient assessment by the Initiation Agreement. In this regard, both in the Initiation Agreement and in this proposal it has been taken into account that I-DE reacted as quickly as possible and proceeded to take action aimed at repelling the attack and to avoid its repetition, considering it as mitigating circumstance in accordance with article 83.2.c) RGPD. For the above reasons, the claim made is rejected. FIFTH. – ON THE ALLEGED DELART INFRINGEMENT. 5.1.F) OF THE RGPD In this section I-DE alleges that it has not been proven, not even indicatively, the fraudulent use of personal data, limiting the Startup Agreement to consider that there is a very high risk nor that it has materialized in practice. In this regard, it should be clarified that what I-DE is accused of is the violation of the principle of confidentiality since it is clear that, after suffering a computer attack against the GEA website, taking advantage of a vulnerability in it, there was an access illegitimate access to personal data and the extraction thereof by a third party does not authorized, which meant the loss of confidentiality and control of numerous personal data (name and surname, ID, postal address, fax, e-mail, telephone, client code) and that affected 1,350,000 I-DE clients. This supposes the breach of the duty to guarantee the confidentiality of personal data, since, as has been indicated, article 5.1.f) indicates that they must be treated in such a way manner that ensures adequate security of personal data, including the protection against unauthorized or illicit processing. Regarding the high risk that these data, in the hands of cybercriminal/s, were used fraudulently, this was indicated to express what involves the loss of confidentiality, but is not necessary in any way, to understand violated article 5.1.f) that said risks of fraudulent use are materialize, because what has materialized with the gap is the loss of confidentiality of the personal data processed by I-DE, which is what is attributed to it exclusively. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/88 On the other hand, I-DE once again insists in this section that it understands that the AEPD considered the breach reported by it to be archived and that the claims were not provide nothing new and, therefore, nothing seems to justify the reopening of the investigation when it had been archived. In this regard, it is appropriate to refer to everything already argued in relation to it in the Second section of this Legal Basis. For the above reasons, the claim made is rejected. SIXTH. – ON THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY I-DE alleges that the sanctions imposed violate the principle of proportionality, since the AEPD, to determine the amount of the sanctions, has resorted to criteria completely generic. Thus, regarding the alleged negligence in its actions, I-DE indicates that it has proven that the events that occurred occurred at a specific time and that were resolved very quickly, so the measures adopted before the incident mitigated its effects. This immediate solution to the incident, which shows that they did have planned actions in the event of a possible attack on their systems. Faced with this, it should be noted that the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk that for the rights and freedoms of natural persons may have the processing of personal data They cannot in any way be only reactive measures, that is, to solve immediately a personal data breach. Thus, article 32 of the GDPR not only indicates that they must guarantee adequate security, but also that said Measures should include the ability to ensure the confidentiality, integrity, ongoing availability and resilience of treatment systems and services (letter b of article 32.1 GDPR). Therefore, it is not enough to have measures to react as soon as possible when confidentiality has been breached, we must have also appropriate prior measures to prevent said violation. And this because Equally or more important are the measures aimed at safeguarding confidentiality, the integrity and availability of personal data, that is, the measures preventive measures aimed at avoiding any violation of this. Therefore, it cannot be accepted that the measures that I-DE had implemented were adequate in that they allowed the incident to be resolved later, since this it only demonstrates the existence of corrective measures. However, what they allowed Those reactive measures were the cessation of the attack once it had occurred and the restoration of the service, that is, in terms of the protection of personal data, it avoided an impact greater and this has already been taken into account as a mitigating circumstance in the present procedure sanctioning, but in no way can they solve the loss of confidentiality of the personal data affected, since this had already materialized. That is, the confidentiality of personal data is guaranteed above all with precautionary measures. In this sense, it has already been indicated in the response to the allegation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/88 Fourth of this Legal Basis, the vulnerability contained in the GEA application, which was used by the cybercriminal for his attack and that the Furthermore, it was perfectly identifiable in the security evaluations. In In relation to the latter, it should not be forgotten that article 32.2 GDPR determines that security measures must also include a process of verification, evaluation and regular assessment of the effectiveness of technical and organizational measures to ensure the safety of the treatment. Therefore, all of this only reflects a lack of diligence on the part of I-DE to the when it comes to guaranteeing security appropriate to the risk of data processing that performed. In this sense, it should not be forgotten that GEA is a web application, it is That is, it allows access from the Internet to a database where stored personal data of millions of customers, which involves processing on a large scale, which requires appropriate security measures for that web environment and aimed especially at guaranteeing that illegitimate access does not occur to said personal information. On the other hand, I-DE points out that it does not agree that it is considered an aggravating circumstance. the linking of your activity with the processing of personal data, because he understands that his behavior is getting worse because he belongs to the electrical sector and that for this reason special diligence must be required, and that this once again attacks the principle of proportionality. Faced with this, it means that their behavior is not aggravated by belonging to the sector electrical, but because its activity, the development of its business, involves and requires continuous and abundant processing of personal data, as demonstrated by the fact that it processes data from millions of people. Therefore, as indicated in the Startup Agreement, I-DE is a company accustomed to processing of personal data, which entails, once again, the requirement of greater degree of diligence. On the other hand, it is noted that article 83.2 of the RGPD provides that “When deciding the imposition of an administrative fine and its amount in each individual case will be due account: (…) k) any other aggravating or mitigating factor applicable to the circumstances of the case…". In this sense, the Spanish legislator has considered including in article 76 of the LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of the Regulations (EU) 2016/679 may also be taken into account: (…) b) The linking of the offender's activity with the performance of treatments of personal data.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/88 This Agency simply takes into consideration that circumstance, provided for by the legislator, when deciding the imposition of the administrative fine. It should be noted that, for the purposes of deciding the imposition of a fine, it cannot have administrative, the same consideration as an infraction produced by a natural person or a small company not accustomed to processing personal data, which a large company like I-DE, accustomed to processing personal data of millions of clients, with a long history behind them in this regard. By assumption that the violation is considered to be more serious for the purposes of imposing a fine if the person responsible for the treatment is among the latter, as is the case of I-DE. On the other hand, it alleges the lack of proportionality comparing it with the file PS/00179/2020, in which it indicates that he was only fined 500,000 euros despite that not only was confidentiality breached, but that the breach was not notified to the AEPD, something that I-DE has done, but, nevertheless, the sanction is considerably smaller. In this regard, it should be noted, on the one hand, that in terms of data protection, the technical and organizational security measures to be adopted by those responsible for the treatment and other obligations to comply required by the RGPD, must be the appropriate in relation to the specific risks posed by the specific treatments carried out by each person responsible. Therefore, when analyzing the diligence of some and others in compliance with the regulations must be based on the circumstances of each case, taking into account the nature, scope, context and purposes of each treatment, therefore there are no identical cases. On the other hand, article 83 establishes that 1. Each supervisory authority shall ensure that the imposition of fines administrative sanctions under this article for violations of the of this Regulation indicated in sections 4, 5 and 6 are in each case effective, proportionate and dissuasive individual treatment. 2. Administrative fines will be imposed, depending on the circumstances of each individual case..." Therefore, it is necessary to attend to the circumstances of each individual case, there being no two identical files and, therefore, with equal results. As an example, in the file that brings up those affected were less than half than in the case which concerns us now; the violation of art. 32 of the GDPR, it was for another type of insufficiency in measures to guarantee adequate safety for the treatment; These were events that occurred in 2018, the year in which it became mandatory GDPR compliance, which is not the same as four years later; it is not the same knowledge of the technique a few years before and after, especially due to the rapid progress thereof, v etc. Likewise, it is pointed out that there are many other files after and before the present in which the violation of the confidentiality of data such as the violation of security measures of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/88 article 32 of the RGPD, although, as has been pointed out, the specific circumstances of the case. Finally, and for completeness, it is not appropriate to demand equality in illegality. The Jurisprudence is clear on this. Thus, the Judgment of the National Court of April 28, 2023 (SAN 04/28/2023 REC. 409/2021 indicates that “A deal is referred to discriminatory sanction since that fine or economic sanction can be replaced by the measures of art. 58 GDPR, less burdensome measures as could be the warning. And refers to other infractions committed by other entities. Of course the plaintiff tries to compare this situation with another sanctioning procedure that is mentioned, but we are not dealing with a deal discriminatory or that the principle of equality is violated since it is a principle that only operates within the framework of legality when equal factual situations have a different treatment without reasonable justification. As the STS of January 20 points out 2004, “equality must be preached within the law, so that if the action correct of the Administration is the one now prosecuted, as we have declared, the invoked as contrary to it was not and, consequently, it cannot be used to request that equal treatment be applied to the appellant, since, as this Chamber of the Court Supreme Court has declared in its sentences of June 16, 2003, July 14, 2003 and October 20, 2003 that "the principle of equality has no significance for protect a situation contrary to the legal system", and this, as indicated by the Sentencing chamber, regardless of the fact that the administrative action has not been proven alleged as contradictory to the present one.” In the same sense, the STS of April 2, 2014 (Rec. 1916/2010) points out that “the “Legality prevails over a possible injury to the principle of equality.” In this case, We are facing an administrative infraction that is intended to be compared with another that has had a different solution, but from what is observed in the allegation that is formulated the plaintiff can hardly make a comparison of a situation and another. Let us remember that according to the consolidated constitutional doctrine for To appreciate the occurrence of a violation of the principle of equality, there must be the following assumptions: 1) provision of an ideal comparison term demonstrative of the substantial identity of the legal situations that have received different treatment, 2) that the unequal treatment is not based on objective reasons that justify, and 3) that the comparative trial is carried out within the framework of legality, since it is not possible to invoke the principle of equality in illegality to perpetuate situations contrary to what is provided for by the legal system. Thus things, the conduct for which the plaintiff has been sanctioned and which is contrary to law does not allow its responsibility to be further attenuated by the fact that in other assumptions, which are unknown, the sanction imposed was not economic and considered more beneficial.” For all the above reasons, the claim made is rejected. V Response to the allegations to the Proposed Resolution In response to the allegations presented by I-DE, the following should be noted: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/88 FIRST: Regarding the defenselessness generated by I-DE as a consequence of not having agreed to the accumulation of procedures EXP202305587 and EXP202205206 I-DE is once again ratified in the allegations regarding the Initiation Agreement regarding its request for the accumulation of both files, also indicating that with Regardless of whether article 57 of the LPACAP indicates a “may”, the power granted must be considered in all cases enforceable to the Administration when the non-cumulative processing of the procedures may negatively affect the rights of those included in them, I-DE insisting that the non-accumulation attentive to their right to defense. Thus, it indicates that the administrative file does not even contain the real accreditation of the admission for processing of any claim directed against I-DE or against any another company of the Iberdrola Group, so that I-DE has been forced to intuit, from the Research Actions Report (IAI), the information that could have given rise to the AEPD opening this sanctioning procedure. I-DE therefore understands that this simple fact would be sufficient to justify the obligation to consolidate the two files since their access to the information that the AEPD has available to consider committed two alleged violations of data protection regulations has been limited to those elements that the AEPD has considered appropriate to incorporate into this file, without being able to have a complete vision of the facts or, consequently, of the motives that induce the AEPD to impose such sanctions. For this reason, I-DE considers that the accumulation of procedures harms their rights. In this regard, it should be noted, first of all, that it has already been answered in the proposal resolution regarding the request for consolidation of the two files referenced, response that is transcribed in the Fundamentals of Law III of this Resolution to which reference should be made. Therefore, although it is true that it is a power of the Administration to proceed with the accumulation or not, it is also that the reasons were argued and the reasons why it was not appropriate or not It was appropriate to combine both sanctioning procedures. Regarding what is alleged by I-DE regarding the fact that non-accumulation produces defenselessness, because in his file there is no record of the admission for processing of any claim against it, it means that said admissions for processing are not recorded either. in the other file to which the accumulation is requested, so it would not have effects in this sense, consequently not causing any defenselessness accumulation. In this regard, it is noted that, since April 2, 2022, they have been presented to this Agency claims from clients affected by the security incident, the which have been progressively admitted for processing since May 9, 2022. In In this sense, it is indicated that the claimants basically claim to have seen their personal data affected by the aforementioned breach, without being able to provide any added information because, logically, in the face of cyberattacks such as the one suffered, They can provide little or no information because they are unaware of it and do not have access to it. same. These claims were accepted for processing successively, from the May 9, by the Director of this Agency, as they were presented since April C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/88 2022. All of them have not been the subject of any further procedures. That is why These claims are not part of this sanctioning procedure, only two to which I-DE has had access, so defenselessness has not been caused. Likewise, in the Background of both the Initiation Agreement and the Proposal for Resolution and also this Resolution, the existence of these claims. Specifically, it is indicated in the Fifth Background that “Since 2 April 2022, customer complaints have been submitted to this Agency affected by the security incident, which have been progressively admitted for processing since May 9, 2022.” Therefore, I-DE has been informed from the beginning of the existence of said claims. Due to the above, whether or not knowledge of the specific content of said claims does not affect in any way the right of defense of I-DE since this sanctioning procedure was initiated and has been processed solely as a consequence of the facts proven during the preliminary investigation actions carried out by this Agency. Therefore, I-DE has known at all times and complete form of the facts of which he is accused and all the circumstances in relation with them, which, it is insisted, derive exclusively from the entire documentation collected and other actions carried out during the prior investigations and not the content of the claims that are not part of either procedure. Likewise, he has had knowledge of everything moment of the infractions that are attributed to such acts and the sanctions that could arise from them, and has been able to allege and present whatever documentation has been deemed relevant throughout this procedure sanctioner. Therefore, the requested non-accumulation does not cause you any defenselessness nor does it affect you. negatively to any of your procedural rights In relation to the rest of the arguments raised by I-DE to demand the accumulation, as these are reproductions of those exposed in the Initiation Agreement, It is appropriate to refer to the response given by this Agency and which appears, as has been indicated, transcribed in Legal Basis III of this Resolution. SECOND: About the previous acts of the AEPD and the violation of the principles of good faith, legitimate trust and legal certainty. I-DE insists again that the letter of April 18, 2022 that was addressed to it from the Technological Innovation Division of this Agency has a decision-making nature and that this prevents or should have prevented any investigative action subsequent of the personal data breach suffered which, in addition, violates the principles of good faith, legitimate trust and legal certainty. Likewise, it indicates that one of the functions of the Technological Innovation Division of This Agency is to “analyze and classify security breaches and, where appropriate, reasonedly propose to the Presidency the initiation of an investigation when “sees signs of the commission of an infraction” (article 31 e) of the Statute of the AEPD). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 49/88 I-DE adds that the aforementioned letter is signed by the “AEPD”, which means that it must be understood as signed by the Director, since the “legal and institutional representation” of the Agency corresponds solely and exclusively to the Director, as established in the article 13.1b) of the AEPD Statute. From this I-DE concludes that, having been analyzed by the Innovation Division Technological the information communicated by her about the security breach, understood that it was not appropriate to submit any type of proposal to the Director of the AEPD motivated in relation to the same, as I do not consider the provisions of the GDPR, this resulted in this Agency being notified of the decision not to carry out any action related to the aforementioned gap. Faced with this, first of all it is worth remembering that this question was already answered in the Proposed Resolution, a response that appears transcribed entirely in the Legal basis IV of this Resolution and to which reference should be made. On the other hand, it cannot be admitted or understood, even indirectly, that the The aforementioned writing in question is signed by the Director of this Agency, by as long as his signature does not appear expressly, no matter how much I-DE wants to assume artificially that the signature comes from said body by holding the representation of the AEPD. No generic signature from the AEPD or any of the bodies in which is structured, nor can the signature of any of the holders thereof replace the signature of the Director when exercising the powers attributed to her both by Law and by the Statute of the AEPD, the delegation of signature in these cases must be direct and express, and must be stated in the administrative act that is signed by delegation to guarantee and safeguard that the decision has been adopted by competent body. In this sense, the Statute of the Spanish Data Protection Agency, approved By Royal Decree 389/2021, of June 1 (hereinafter the Statute) establishes expressly that: 1. The Presidency of the Spanish Data Protection Agency is responsible for: d) Issue the resolutions and guidelines required for the exercise of functions of the Agency, in particular those derived from the exercise of powers provided for in article 57 of Regulation (EU) 2016/679 of Parliament European Parliament and of the Council, of April 27, 2016, and the exercise of powers of investigation and corrective powers provided for in article 58 of the cited Regulation. (emphasis is ours) On the other hand, article 27 of the Statute establishes the powers that the General Subdirectorate of Data Inspection of the AEPD: 1. The Subdirectorate General of Data Inspection is the administrative body, dependent on the Presidency of the Spanish Data Protection Agency, which develops the powers provided for in article 57.1, letters f), g), h), i) and u) of the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, and carries out the inspection and instruction functions necessary for the exercise of the investigative powers established in article 58.1, letters a), b), d), e) and f) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/88 and the corrective powers provided in article 58.2, letters a), b), c), d), f), g), i) and j), both of the aforementioned Regulation. (emphasis is ours) 2. In order to fulfill the tasks established in the previous section, to the General Data Inspection Subdirectorate is responsible for the following: functions: a) Permanent supervision of compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, of the Law Organic 3/2018, of December 5, and the provisions that develop it, by those responsible and in charge of the treatments. b) The exercise of the investigative powers defined in article 51 of Organic Law 3/2018, of December 5. (…) d) The processing of procedures in case of possible violation of the data protection regulations in accordance with the provisions of title VIII of the Organic Law 3/2018, of December 5, including the claims of the citizens due to lack of attention to their requests to exercise their rights contemplated in articles 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. It corresponds to the General Subdirectorate of Data Inspection the duty to inform the claimant about the course and outcome of the claim filed with the Spanish Data Protection Agency, in accordance with the provisions of the article 77.2 of the aforementioned Regulation. (…) e) The evaluation of the admissibility for processing of the claims that are submitted to the Spanish Data Protection Agency, and the proposal to the Presidency of decision on the admission or non-admission for processing, in accordance to the provisions of article 65 of Organic Law 3/2018, of December 5. (…) h) Carrying out prior investigation actions agreed upon by the Presidency on his own initiative, following a complaint, or at the request of another control body or authority, in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure, according to the provisions of article 67 of Organic Law 3/2018, of 5 December. (emphasis is ours) Therefore, with respect to the Technological Innovation Division of the AEPD, which In accordance with the Statute, its functions include “analyzing and classifying the security breaches and, where appropriate, propose with reasons to the Presidency the initiation of an investigation when there are indications of the commission of an infringement” (article 31 e) of the AEPD Statute), this does not mean that it is the only and exclusive means by which this Agency can initiate investigative actions. So, This investigative power that the AEPD has, as has been reflected in the described regulations, is carried out by the General Subdirectorate of Inspection of Data, which may initiate investigative actions ex officio, by order of the Director, either as a consequence of the admission of claims presented before the AEPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/88 The Technological Innovation Division, after analyzing the documentation provided by I- DE (not all the circumstances of the incident) has indicated that it does not foresee the start of other actions, and not that I do not consider the provisions of the RGPD violated or that the decision had been made not to carry out any action related to the mentioned gap. The Technological Innovation Division did not make a decision, but rather was limited to informing I-DE of a forecast, which does not prevent them from being taken into account. takes into account other circumstances, such as the presentation of claims by those affected due to the gap, which makes it advisable to separate from this forecast. Therefore, the aforementioned document does not have the decisive and decisive nature that I-DE intended, neither by its content nor by its form and this is not an obstacle nor can it prevent in no way the investigative power that the AEPD has and its exercise through the inspection and investigation functions that the Subdirectorate General of Inspection of Data is entrusted. Above all, after the presentation of claims for part of affected people and that the LOPDGDD requires its processing. Thus, article 65 of the LOPDGDD, relating to the “Admission for processing of claims”, establishes that 1.When a request is submitted to the Spanish Data Protection Agency claim, it must evaluate its admissibility for processing, in accordance with the forecasts of this article. 2. The Spanish Data Protection Agency will not accept claims presented when they do not concern data protection issues personal, manifestly unfounded, abusive or not provide rational evidence of the existence of an infringement. Therefore, when complaints are submitted to the AEPD, it is obliged to analyze their admissibility in advance, and may disallow them only in the cases of section 2 of article 65 transcribed, which did not occur in the case that we occupies Therefore, once admitted for processing, prior investigation actions were initiated. precisely to find out the facts and circumstances that occurred and if the These could lead to a possible violation of the regulations regarding data protection, as permitted and empowered by articles 64 and 66 of the LOPDGDD, which were already transcribed in the response to the allegations to the Startup Agreement and which, for the sake of expository clarity, are indicated again: Article 64. Form of initiation of the procedure and duration. 1.When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be will be adopted in accordance with the provisions of article 65 of this organic law. In this case, the period to resolve the procedure will be six months from from the date on which the claimant had been notified of the agreement C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/88 admission for processing. After this period, the interested party may consider estimated your claim. 2.When the procedure aims to determine the possible existence of a violation of the provisions of Regulation (EU) 2016/679 and in This organic law will begin by means of an initial agreement adopted by own initiative or as a result of a claim. If the procedure is based on a claim made before the Agency Spanish Data Protection Authority, in advance, will decide on your admission for processing, in accordance with the provisions of article 65 of this organic law. When the rules established in article 60 of the Regulation (EU) 2016/679, the procedure will begin by adopting the draft agreement to initiate the sanctioning procedure, which will be given formal knowledge to the interested party for the purposes provided for in article 75 of this organic Law. The claim is admitted for processing, as well as in cases in which the Agency Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of prior investigation actions, which will be governed by the provisions of article 67 of this organic law. Article 67. Previous investigation actions. 1.Before the adoption of the agreement to initiate the procedure, and once admitted processing the claim if there is one, the Spanish Data Protection Agency may carry out prior research actions in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure. The Spanish Data Protection Agency will act in any case when it is requires research into treatments that involve massive data traffic personal. 2.Preliminary investigation actions will be subject to the provisions of the Section 2 of Chapter I of Title VII of this organic law and may not have a duration exceeding twelve months from the date of the admission agreement to procedure or the date of the agreement by which its initiation is decided when the Spanish Data Protection Agency acts on its own initiative or as consequence of the communication that had been sent to him by the authority of control of another Member State of the European Union, in accordance with article 64.3 of this organic law. (emphasis is ours) Therefore, it is reiterated that from said regulations it is not inferred in any way that the AEPD have to justify in the manner required by I-DE the initiation of prior actions in the sense that there must be something new or some new circumstance or that the claims have had to provide new and different circumstances regarding of the documentation provided by I-DE in its notification of the breach to this Agency, since this is not required by the indicated regulations, in addition to the fact that it cannot be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 53/88 pretend that those affected contribute something new, apart from knowing that it has been violated the confidentiality of your personal data due to a cyber attack whose circumstances unknown. Precisely the previous investigative actions are carried out to clarify the facts and circumstances of what happened, gathering more information in order to be able to determine or not the existence of a possible violation of the regulations in data protection matters. In this sense, the beginning of previous investigations and its realization, the power of the AEPD with or without claims, does not prejudge anything, but that allows gathering the necessary information to determine whether or not there are indications of infringement. Even after said investigation, the proceedings may be archived to understand, in view of the information collected, that there are no indications of infringement. Which, in the present case, has not happened. What the reflected regulations do indicate is that, after the presentation of claims, This Agency must decide whether to admit them for processing or not, having finally decided on their admission through, this time, an Admission Agreement for processing, signed by the Director of the Agency dated May 9, 2022. And, as indicated in article 67.2 referenced LOPDGDD, the AEPD can carry out prior actions of investigation in order to achieve a better determination of the facts and the circumstances. It is a power attributed to it by the RGPD and the LOPDGDD. Likewise, and to make matters worse, as indicated, even in the assuming that the claims have not existed, the forecast of the Division of Technological Innovation would not have been an obstacle or obstacle to the exercise, ex officio, of the investigative powers that the AEPD has in accordance with the cited article 64.2 which determines that “The claim is admitted for processing, as well as in the cases in which the Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of previous investigation actions…” Therefore, this sanctioning procedure has not been initiated due to the content or by some new information provided in the claims, but by the information and documentation obtained after the period of prior investigation actions, to the possible violations of protection regulations may be inferred from it. of data. THIRD: Regarding the arguments supported by the Proposed Resolution for consider that bis in idem does not occur. I-DE once again indicates that the non bis in idem principle in taxation has been violated of the two violations, since it understands that the AEPD is not prosecuting the violation of article 5.1.f) of the RGPD for a reason other than that derived from, in their opinion, inadequate security of personal data, but solely and exclusively for that reason. In this regard, the Judgment of the National Court of July 23, 2021 (rec. 1/2017), which provides, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 54/88 “(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle prevents punishing the same subject twice for the same act with support in the same foundation, the latter understood as the same legal interest protected by the sanctioning regulations in question. In fact, when there is the triple identity of subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But in order to speak of "bis in idem" a triple identity must occur. between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing): a) Subjective identity assumes that the affected subject must be the same, whatever the nature or judicial or administrative authority that prosecute and regardless of who the accuser or specific body is that has been resolved, or that it is tried alone or in conjunction with other affected. b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real competition of infractions in which there is no before the same illegal act but before several. c) The identity of foundation or cause implies that the measures sanctions cannot occur if they respond to the same nature, that is That is, if they participate in the same teleological foundation, what happens between criminal and administrative sanctions, but not between punitive and merely coercive.” Taking as reference what was previously explained in the procedure sanctioning agent, the non bis in idem principle has not been violated, since, although Roughly understood, the facts are detected as a result of a data breach personal, the violation of art. 5.1.f) of the RGPD results in a clear loss of confidentiality that affected certain clients, the violation of art. 32 of GDPR boils down to poor security measures (security only) detected, present regardless of the personal data breach. Of In fact, if these security measures that I-DE had implemented had been detected by the AEPD without loss of confidentiality having occurred, It would only have been sanctioned by art. 32 of the GDPR. As we have indicated, through art. 5.1.f) of the RGPD, a loss of confidentiality and availability and through art. 32 of the GDPR the deficiency of security measures implemented by the person responsible for the treatment. Measures of poor security, we add, that violate the GDPR, regardless of whether whether or not the personal data breach occurred. Article 32 of the GDPR is violated regardless of whether a breach occurs or not. personal data breach. That is, it is violated by not having appropriate measures to guarantee adequate security in the processing of data without necessary or essential for a security breach to occur in the personal data that, where appropriate, may affect the confidentiality of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 55/88 data, either only to availability, or only to integrity, or to some or all of them. Another thing is that the deficiency in security measures becomes evident, in the specific case, on the occasion of a breach of data security personal data (violation of confidentiality in this case), as has occurred in the present assumption. On the other hand the art. 5.1.f) of the RGPD is violated when there is a loss of confidentiality or integrity of personal data, which may or may not occur due to absence or deficiency of security measures. This principle only determines the channel through which the maintenance of the confidentiality, integrity or availability when it explains “through the application of appropriate technical and organizational measures”, which are not strictly security measures. Likewise, it means again that article 5.1.f) of the RGPD is one of the principles relating to treatment. The principles relating to treatment are, on the one hand, side, the starting point and the closing clause of the legal protection system of data, constituting true informing rules of the system with an intense expansive force; On the other hand, since they have a high level of concreteness, they are standards of mandatory compliance susceptible to being infringed. The violation of confidentiality that is attributed to I-DE is for failing to comply with the obligation imposed in article 5.1.f to process the data in such a way that ensures adequate security, including protection against unauthorized or illicit treatment, through the application of technical measures or appropriate organizational structures. Finally, it should be added that, in relation to the alleged violation of the principle of non bis in idem, a response to this allegation was already given in the Proposal of Resolution, in which the non-existence of the triple identity of facts, subject and foundation, as required by jurisprudence, response that appears fully transcribed in the Third section of the Fundamentals of Law IV of this Resolution and to which reference should be made. Finally, regarding the allegations by I-DE regarding the fact that in the imputation of the violation of article 5.1.f) an obligation of result is being required, which is contrary to the Judgment of February 15, 2022 (cassation appeal 7359/2020), which indicates that the obligation imposed by the regulations for the protection of personal data, to adopt technical and organizational measures is an obligation to means and not results, it means that what is analyzed in said Judgment is the compliance with technical and organizational measures in the sense of whether they are adequate to guarantee the safety of the treatments, that is, we would be not in the scope of compliance with article 5.1.f, but in the scope of compliance of article 32 RGPD when dealing with security measures. Therefore, the argument given by I-DE and the analysis of the same that is going to be carried out must refer exclusively in relation to the violation of article 32 GDPR, which will be develop in the Fifth section of this Legal Basis relating to the violation of article 32. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 56/88 FOURTH: On the application of the principles of the right to sanctions to the activity of the AEPD and the concurrence of a media competition. I-DE alleges again that, if the existence of the bis in idem is not appreciated, when least one of the infractions would be subsumed and embedded in the other, since that the imputation of the violation of article 5.1.f) of the RGPD is due to the fact that the treatment has not been carried out, in the opinion of the AEPD, in compliance with the necessary security measures. Therefore I-DE understands the existence of absolute link between the alleged absence of adequate security measures and the breach of the principle of confidentiality. That is to say, it is the supposed insufficiency of security measures which directly leads to the violation of article 32 and the violation of 5.1.f). There is, therefore, a clear case of medial competition, since the two infractions charges cannot be committed one without the other. Next, I-DE argues the reasons why it considers that it is application of article 29 of the LRJSP and that, with its non-application, the AEPD is implicitly repealing, in terms of data protection, all guarantees of the sanctioning regime established by the Constitutional Court. In this regard, since this allegation was already formulated against the Agreement of Beginning and that it was widely responded to in the Proposed Resolution, the which is transcribed in full in the Third section of the Fundamentals of Law IV, It is necessary to refer to it in its entirety. On the other hand, in relation to the mention made by the AEPD regarding the non- applicability of art. 29 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, “LRJSP”), I-DE brings up Royal Decree 389/2021, of June 1, which approves the Statute of the Spanish Protection Agency of Data, in which article 3 establishes that the AEPD is governed by the provisions of the RGPD, and additionally, by the LRJSP. I-DE understands that the above implies that, in relation to everything not expressly regulated in the RGPD or the LOPDGDD will comply with the provisions for this purpose in the LRJSP, as is the case of contests of infractions provided for in article 29 of the LRJSP in relation to the principle of proportionality as a principle of sanctioning power. Faced with this, it means that article 3.2 of the aforementioned Statute of the AEPD establishes the next: 2. Additionally, as soon as it is compatible with their full independence, will be governed by Law 40/2015, of October 1, on the Legal Regime of the Sector Public, particularly what is provided for autonomous organizations; by the law 39/2015, of October 1, of the Common Administrative Procedure of the Public administrations; by Law 47/2003, of November 26, General Budgetary; by Law 9/2017, of November 8, on Sector Contracts Public, by which the Directives of the European Parliament and of the Council 2014/23/EU and 2014/24/EU, February 26, 2014; by Law 33/2003, of November 3, of the Heritage of Public Administrations, as well as the rest of the regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 57/88 of general and special administrative law that may apply. In defect of administrative rule, common law will apply. Therefore, what is being indicated is that the regime is additionally applied legal of the Public Sector, but in relation to its consideration as an organism public belonging to the General Administration of the State, that is, to considerations such as its composition, organization, structure, etc. For its part, article 3.3 of the AEPD Statute indicates the following: 3. The procedures processed by the Spanish Agency for the Protection of Data will be governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights, by the regulatory provisions issued in their development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures. Therefore, in the procedures processed by it, among them, the procedure sanctioning, neither the LRJSP nor the LPAC is applied additionally, but instead declares that the procedures processed by the AEPD will be governed by the RGPD and the LOPDGDD. And on a subsidiary basis (not supplementary) by the rules on the administrative procedures. In this regard, it is insisted that there is no supplementary application of the aforementioned precept, for as there is no legal loophole regarding the application of the media competition provided for in said article 29 of the LRJSP. Neither the RGPD allows nor the LOPDGDD provides the supplementary application of the provisions of art. 29 of the LRJSP. In Title VIII of the LOPDGDD related to “Procedures in case of possible violation of data protection regulations”, article 63 that opens the Title is provides that "The procedures processed by the Spanish Agency for the Protection of Data will be governed by the provisions of Regulation (EU) 2016/679, in this law organic, by the regulatory provisions dictated in its development and, as do not contradict them, on a subsidiary basis, by the general rules on the administrative procedures.". Although there is a referral to the LPACAP, it is not establishes in no way a subsidiary application with respect to the LRJSP that does not contains in its articles any provision relating to administrative procedure some. In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in the same art. 29 of the LRJSP, since the RGPD establishes its own, for Therefore, there is no legal loophole or subsidiary application of the same, nor is there any application of the section relating to media competition and for identical reasons.” As already indicated, in addition to the application of rules other than the GDPR regarding the determination of fines in each of the Member States applying their national law, whether due to aggravating or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the Spanish case-, either by the application of a media contest other than that provided for in the RGPD, would reduce the effectiveness of the system that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 58/88 would lose its meaning, its teleological purpose, resulting in the fines imposed by different infringements would no longer be effective, proportionate and dissuasive. And of This way would also deprive the interested parties of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. The mechanisms for the protection of the rights and freedoms of citizens and would be contrary to the spirit of the GDPR. Clarify, in advance, that supplementary status refers to cases in which, in a certain norm does not regulate a specific assumption, legal loophole, giving give rise to the application of another legal norm that regulates such a situation, provided that it does not is inconsistent with the legal system. While subsidiarity refers to a competition of standards, which means that for a given case two or more rules may be applicable, so so that the subsidizing norm cedes to the benefit of the main one. Well, having examined both suppletoriness and subsidiarity, we conclude the not application of article 29 of the LRJSP but of article 83 of the RGPD in relation with the principle of proportionality. This is so because: • The principle of proportionality applies to the sanctioning procedure. • The principle of proportionality is fully regulated in article 83 of the GDPR. • There is no legal loophole. • Neither the RGPD nor the LOPDGDD refer to the application, due to the existence of a legal loophole, of article 29 of the LRJSP. • In the procedures processed by the AEPD, for the procedures administrative procedures processed, the subsidiary application of the general rules is foreseen on administrative procedures. • In the procedures processed by the AEPD, for the procedures administrative procedures processed and not in relation to the principles of the procedure sanctioning, a subsidiary application of the LRJSP is not established in the LOPDGDD. Therefore, there is neither supplementary nor subsidiarity that would make the article apply. 29 of the LRJSP. Regarding the fact that, as I-DE indicates, the Agency itself has previously said article 29 is considered applicable considering the existence of cases of media contest, as in its Resolution of April 23, 2021, issued in the procedure PS/00240/2019, it should be noted that the Administration can separate from what was previously resolved. Thus, article 35 of the LPACAP establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 59/88 1. They will be motivated, with succinct reference to facts and legal bases: c) Acts that are separated from the criteria followed in preceding actions or of the opinion of advisory bodies. Therefore, it is legitimate for the Administration to separate itself from the criteria followed in preceding actions, as long as said change is motivated, which occurs in the present case. Thus, in addition to what has just been argued in this own section, it is worth remembering again that this allegation was already made against the Initiation Agreement, relating to the media contest and responded to it by motivating and arguing why the existence of the medial competition is not considered and, furthermore, The non-applicability of article 29 LRJSP is motivated. Therefore, it is necessary to refer to the arguments put forward and that appear transcribed in the Third section of the Legal basis IV of this Resolution. Therefore, once argued and motivated, not only is the existence of concurrence of infractions, as well as the reasons why it is not considered applicable to article 29 LRJSP, the change of criterion. In this sense, the Sentence of March 12, 2018, of the Superior Court of Justice of Madrid, Administrative Litigation Chamber, Section 4 (Rec. 761/2017), points out, on the occasion of the review of a sanctioning procedure, that: “(…) the Administration can separate itself from what was previously resolved motivating the change (art. 35.c) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations). As points out the Supreme Court in its Order of December 4, 1998 "... so that the doctrine of the acts of the Administration has application is It is fundamentally necessary that a first body of the Administration has issued a first act declaring rights and then in the second revoke the decision taken in the first", and said circumstance does not occur in this case because the present administrative act of tax settlement does not revokes any decision taken in a preceding act relating to it tax concept nor is there an express declarative act that is now modify. For these purposes, it is necessary to distinguish between the effectiveness of the acts of the Administration and the connection of the Administration to the precedents interpretative measures applied in previous situations since, in the event that is questioned, and using the words of the Supreme Court (ruling of 25 February 2000), it is not possible to speak of "own act but at most a change of criterion and interpretation, which is perfectly valid." Likewise, the STS of June 27, 2000 states: "...the principle of acting against one's own acts could not be taken to extremes such that they obstruct the conformity with the Law of a certain action, by the mere fact of" (the existence of) "another previous one of a different sign although this was not protected by legality, in the same way that equality only falls within the scope of legality, as is sufficiently known, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 60/88 under penalty of being able to consolidate illegal or inappropriate resolutions forever to Law, irreversible and impossible to modify later. The High Court has expressed itself in the same sense in other Sentences. So, In that of February 1, 1999, it declares that "this principle cannot be invoked to create, maintain or extend in the field of public law, situations contrary to the legal system, or when the preceding act results in contradiction with the purpose or interest protected by a legal norm that, due to its nature, is not capable of protecting a discretionary action of the Administration that involves the recognition of rights and/or obligations that arise from its own acts. Or said by another In this way, the doctrine of proper acts without the limitation that has just been explained could introduce into the field of public law relations the principle of the autonomy of the will as an ordering method of regulated matters by norms of a mandatory nature, in which the public interest prevails safeguarded by the principle of legality; a principle that would be violated If an action by the Administration contrary to the legal system for the sole fact that this has been decided by the Administration or because it responds to a precedent thereof. (...) or, said in In other words, it cannot be said that the trust placed in an act or precedent that is contrary to the mandatory norm” (the emphasis is ours). Likewise, and for greater completeness, this criterion of understanding the article as not applicable 29 LRJSP is not new as it has been applied in previous sanctioning proceedings at the moment. As an example, PS/00020/2023 and PS/00667/2023 are noted. Finally, I-DE alleges that the application of Article 29 is also a possibility recognized by Guidelines 4/2022, on the calculation of administrative fines under the RGPD, which expressly stipulates the criteria that the authority must follow administrative to evaluate, prior to imposition of the sanction, the possible concurrence of these. In light of this, it is noted that, in relation to the citation of Guidelines 04/2022 of the CEPD on the calculation of administrative fines under the GDPR, in its version 2.1, adopted on May 24, 2023, in section 22 reference is made to three types of concurrence, namely, infringement, unity of action and plurality of actions: “When examining the analysis of the traditions of the Member States in matter of competition rules, as indicated in the jurisprudence of the CJEU, and taking into account the different areas of application and the consequences legal, these principles can be roughly grouped into the three categories following: - Concurrence of violations (chapter 3.1.1), - Unity of action (chapter 3.1.2), - Plurality of actions (chapter 3.2). In cases of concurrence of infractions, the provision established in this regard is that contained in article 83.3 of the RGPD, which establishes a quantitative limit in these cases of concurrence: “If a person responsible or in charge of the treatment breaches intentionally or negligently, for the same operations of treatment or related operations, various provisions of this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 61/88 Regulation, the total amount of the administrative fine will not be higher than the amount provided for the most serious infractions.” Likewise, at this moment we must remember that the seriousness of the infractions of the GDPR is determined in accordance with the rules established in it and not in the LOPDGDD. The classification of infractions is regulated in article 83, sections 4, 5 and 6 of the GDPR, while the classification of infringements as very serious, serious or minor for the sole purposes of the prescription is provided in the articles 72, 73 and 74 of the LOPDGDD. Last but not least, the AEPD does not sanction for the same offense, such as claims I-DE, but have been verified through proven facts not refuted by I-DE, the commission of two differentiated infractions, classified differently, Furthermore, in the specific case, there is no medial competition. For all the above reasons, this allegation is rejected. FIFTH: Regarding the lack of violation by I-DE of article 32 of the RGPD Indicates again that I-DE had carried out an analysis of the risks that the treatment of the data from access to GEA could generate the rights and freedoms of interested parties, as well as implemented security measures that allowed mitigating the aforementioned risks I-DE does not agree that this Agency understands that the measures of security were insufficient due to the existence of a vulnerability in GEA that has given rise to the personal data breach, as understands that the measures adopted by I-DE were robust despite having existed a security incident, which he does not deny, but he does deny that it can be considered that this result must necessarily determine the insufficiency of the measures adopted by I-DE. I-DE also points out that, even if the AEPD intends to indicate that the vulnerability finally detected was “avoidable and identifiable”, the truth is that it had not been been despite the adoption by i-DE of all the guidelines established by the Iberdrola Group to preserve the security of the information being processed, and in the same way it was not “avoidable and identifiable” that a compromise in the credentials of a GEA user (…), as indicated in the conclusions of the forensic report provided by my client (page 519 of the administrative file), without in any case being able to prove that the exfiltration took place as a consequence of the way in which it had been established the generation of passwords in the application, as the AEPD categorically states. And in this sense, I-DE understands that it is obvious to indicate that the state of the art of pentesting techniques do not guarantee one hundred percent the detection of each and every of vulnerabilities, which cannot even be qualified, as the AEPD of obvious, let alone considered “avoidable and identifiable”. Therefore, it maintains that the reasoning supported by the AEPD can only be qualified to circulate because, being clear that jurisprudence has highlighted that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 62/88 obligation to adopt security measures is one of means and not of result, The AEPD carries out an assessment of the alleged non-compliance by I-DE with the obligation to implement security measures by reversing the reasoning that must be followed for this, by indicating throughout his Proposed Resolution that, ultimately, the measures were objectively inadequate as a consequence of the fact that The attack could indeed occur and the security breach took place. Therefore, I-DE maintains that, in this way, the AEPD intends to avoid the doctrine supported by the Supreme Court in its ruling of February 15, 2022 referring to the insufficiency of the measures, but ultimately their reasoning is that the result is taken into consideration as a premise for consider that the means were inadequate before it occurred. For this reason, I-DE reiterates everything indicated in the document of allegations to the Startup Agreement and bring up again the ruling of the Supreme Court that has just been be mentioned, since the AEPD only intends to create an appearance that the result is not taken into consideration as a determining fact of the alleged violation of article 32, when, as has been proven, said result is the premise on which the AEPD bases the alleged insufficiency of the measures adopted by My client. Faced with this, it should be indicated, first of all, that the analysis of the risks of the treatment carried out from access from the GEA application does not show measurement something to be adopted to alleviate the alleged risks detected. In fact, it is a analysis based on a document attached by I-DE as Document No. 8 document explaining the logic followed to calculate the risk level according to to this methodology. This methodology is implemented in a way automated in the corporate activity registration tool itself treatment, so that in the registration process itself it determines the level of risk of the treatment. Thus, the application of said methodology in relation to the treatment ***TREATMENT.1 resulted in a MEDIUM risk level, as stated in Document No. 7 referred to above.” In the aforementioned Document 8, certain threats or circumstances are detailed such as “vulnerable groups” “access to personal data by more than 10 people” “international transfers” “large-scale treatments” “profiles with legal”. These circumstances are stated as questions and, as answered “yes” or “no”, a result is applied: (…) Several of these questions appear in Document 7 referenced by I-DE, which appears to be the Treatment Activity Record of the activity affected by the personal data breach, in which the answer is “Yes” or “No” and a “Medium” risk, but nothing more. That is, there is no indication of any measure adopted or that should be adopted to alleviate this medium risk. Nor whether it is an inherent risk or of a residual risk. Likewise, as indicated in the Proposed Resolution in response to this same allegation, nor, in view of the aforementioned Document 8, said analysis is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 63/88 focused on risks of variable probability and severity that for the “rights and freedoms of natural persons may entail processing, such as physical, material or immaterial damages, in particular problems of discrimination, identity theft, fraud, financial loss, harm to the reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other economic damage or significant social; in cases where the interested parties are deprived of their rights and freedoms or are prevented from exercising control over their personal data; In the cases in which personal aspects are evaluated, in particular the analysis or prediction of aspects related to performance at work, economic situation, health, personal preferences or interests, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases where personal data of vulnerable people, in particular children, are processed; or in cases in which the processing involves a large amount of personal data and affects a large number of interested parties, etc., all in accordance with Considering 75 of the GDPR For its part, art. 28.2 LOPDGDD determines that “For the adoption of the measures referred to in the previous section, those responsible and in charge of the treatment will take into account, in particular, the increased risks that could arise in the following assumptions: a) When the treatment could generate situations of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other harm economically, morally or socially significant for those affected. b) When the treatment could deprive those affected of their rights and freedoms or could prevent them from exercising control over their data personal (,,,)” Likewise, as explained in the guide “Risk management and impact assessment in processing of personal data” of the AEPD, “The RGPD establishes the obligation of manage the risk that a risk to people's rights and freedoms poses treatment. This risk arises both from the very existence of the treatment and from its technical and organizational dimensions. The risk arises both from the automated data processing and manual processing, human elements and the resources involved. The risk arises from the purposes of the treatment and its nature, and also by its scope and the context in which it is unwraps.” However, as already indicated, these risks have not been assessed. Not have assessed the damages to natural persons, material or immaterial, or at least not it is proven that it has been done, lacking, therefore, a risk analysis focused on the protection of the rights and freedoms of the interested parties. Likewise, neither indicates what security measures to adopt to mitigate this “Medium” risk. Therefore, I-DE has not proven what it states regarding that “it had led to carried out an analysis of the risks that the processing of data from access to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 64/88 GEA could generate in the rights and freedoms of the interested parties, as well as implemented security measures that allowed mitigating the aforementioned risks." Secondly, in that I-DE had robust measures implemented and that This Agency has linked the alleged non-compliance with article 32 to the result of the incident, bringing up again what was stated by the Supreme Court in its ruling of February 15, 2022 (cassation appeal 7359/2020), it means that, As was already responded to this same allegation in the Proposed Resolution, the deficiencies detected and which represent non-compliance with article 32 of the RGPD They existed independently of the attack and the security breach that occurred. Thus, in the present case there was a vulnerability in the GEA web application, so prior to the attack and which was used by the cybercriminal. So, as it has proven in the Proven Facts, the attack occurred from a user validly logged (…). Therefore, the above shows the existence of a web application with a vulnerability that allowed: -(…) Likewise, as a subsequent measure to avoid incidents such as the one that occurred, proceeded through I-DE to modify the GEA application (…). On the other hand, as security measures existed before the incident, they pointed out, among others, the following: (…). And it is precisely this vulnerability that was used by the attacker during the security breach. (…). From the above, it follows that this attack would have been avoided if that code would not have been visible. Even more so if you take into account that this is one of the requirements that are included in the indicated document, (…). Likewise, this vulnerability is identifiable in security assessments. Without However, during the investigation proceedings I-DE has not proven that detect the vulnerability of the GEA application within the framework of the security evaluation implemented in the Iberdrola Group. Furthermore, as has been indicated, the last review or security assessment of critical applications dates from 2019, almost two and a half years before the incident, so they were not being very taking into account the rapid advances in technology, as well as the sophistication of cyber attacks, in addition to the fact that the results obtained. Therefore, the GEA application contained an avoidable and identifiable vulnerability that was the one used by the attacker. This clearly shows a non-compliance with article 32 of the GDPR, as it requires appropriate measures to guarantee a level of security appropriate to the risk, and all this taking into account the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 65/88 state of the art, application costs and the nature, scope, context and the purposes of the treatment. (…) Therefore, all this shows that the security measures at the time of the incident were not appropriate for adequate data protection according to the risks of the treatments and taking into account the state of the technique and current costs. Due to the above, in no way has this Agency indicated that the exfiltration took place as a consequence of the way in which the password generation in the affected application. What has been pointed out is that the attack took place having taken advantage of the vulnerability in said application consisting of the visualization, from a correctly validated session, (...). In addition to this fact, what has been pointed out by this Agency is that it also There were other deficiencies in security measures, such as a policy of passwords (…). These are deficiencies in themselves, regardless, it is insisted, of the concrete incident that occurred and the personal data breach that occurred. However, not The fact that the vulnerability in the GEA application was precisely the one taken advantage of by the attacker who, in addition, initially access validly logged in without the exfiltration being detected at first illegitimate information and without being able to know with complete certainty why medium obtained the credentials of a user, since in the report issued by the company SIA about the incident, it is indicated that: (…) Likewise, the SIA company itself, in its recommendations, expressly indicated: • (…) Regarding the possibility of access to the web application from suspicious IPs or malicious or, at least, not necessary for the business, it should not be forgotten either that, as noted in the SIA company report, (…). Therefore, in no way has this Agency relied on the result of the cyber attack to justify non-compliance with article 32 of the RGPD, since, as has been stated noted, said non-compliance already occurred before and independently of the attack suffered, which shows that there were no appropriate measures to ensure an adequate level of security. Finally, regarding the Supreme Court Ruling of February 15, 2022 (cassation appeal 7359/2020), indicated by I-DE, means, as already stated pointed out in the Proposed Resolution that the aforementioned Judgment effectively indicates, on security measures regarding data protection, which “…the obligation that falls on the person responsible and on the person in charge of the treatment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 66/88 regarding the adoption of necessary measures to guarantee the safety of the personal data is not an obligation of result but of means, without the infallibility of the measures adopted is required. Only the adoption and implementation of technical and organizational measures, which in accordance with the state of the technology and in relation to the nature of the processing carried out and the data personal data in question, reasonably allow to avoid its alteration, loss, “unauthorized treatment or access.” (emphasis is ours) However, the Judgment continues indicating, in the specific case analyzed in same, that “…the program used to collect customer data does not contained no security measures that would allow checking whether the address of email entered was real or fictitious and whether it really belonged to the person whose data was being processed and gave consent for it. The state of the technique at the time these events occurred made it possible to establish measures aimed at verifying the veracity of the email address, conditioning the continuation of the process for the user to receive the contract at the address provided and only from it provide the necessary consent for its collection and treatment. Measures that were not adopted in this case. (…) So, at the time these events occurred, there were technical measures related to the registration process, which would have prevented the filtration of personal data produced. This implies that the technical measures adopted did not comply with the security conditions in the terms required in art. 9.1 of the LO 15/1999, therefore incurring the infringement provided for in art. 44.3.h) consisting of "Maintain the files, premises, programs or equipment that contain personal data without due security conditions that via regulations are determined [...]". It should be noted, first of all, that this ruling is issued under the protection of the regulations prior to the RGPD, in which, in accordance with the system provided for in the LOPD and in the RLOPD, security measures were perfectly standardized. It has been gone from a system with standard and static security measures for any responsible for security measures specific to each organization (adapted to their characteristics and idiosyncrasy), which considers the specific risks of the entity of that is concerned; Furthermore, they are now dynamic, in such a way that they are not exhausted by the implementation of security measures appropriate to the risk at the beginning of the treatments, but must adapt to the risks that appear. The new regulation provided for in the GDPR significantly expands the obligations of the responsible for the treatment and its scope of action and responsibility, extending now clearly to the actions carried out by those in charge of the treatment, which fall within their scope of responsibility. Secondly, the cited Supreme Court Judgment considers, in relation to a violation of art. 9 of the LOPDP that “the obligation that falls on the responsible for the file and about the person in charge of processing regarding the adoption of measures necessary to guarantee the security of personal data It is not an obligation of result but of means, without infallibility being required. of the measures adopted. Only the adoption and implementation of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 67/88 technical and organizational measures, which in accordance with the state of technology and in relation to the nature of the processing carried out and the personal data in question, reasonably allow to avoid its alteration, loss, treatment or unauthorized access authorized". Regarding this, he specifies that “It is not enough to design the technical and organizational means necessary, it is also necessary to correctly implement it and use it correctly. appropriate, so that he will also be responsible for the lack of diligence in his use, understood as reasonable diligence taking into account the circumstances of the case". As has been demonstrated and argued throughout this sanctioning procedure, it is considered that there were no measures of appropriate security measures to ensure security appropriate to the risk, including even if there had been no personal data breach. In this regard, this Agency wishes to point out that in no way does it consider that the obligation to implement security measures imposed by the regulations of data protection has the nature of an obligation of result and not of means. But it is no less true that I-DE did not count, before the incident occurred, with measures that “in accordance with the state of technology and in relation to nature of the processing carried out and the personal data in question, reasonably allow prevent its alteration, loss, treatment or unauthorized access.” Therefore, although it is inferred from the Judgment that the obligations established by the Article 32 of the GDPR are media, it also makes it clear that, if at the time of When the incident occurred, there were adequate technical measures to avoid or mitigate the effects thereof and were not applied, this represents a breach of the aforementioned obligation imposed by the RGPD and, therefore, a violation of it. In the present case, as has been repeatedly pointed out, there was a vulnerability in the GEA application, (…). This clearly shows a breach of the Article 32 of the GDPR, as it requires appropriate measures to guarantee a level of security appropriate to the risk, and all this taking into account the state of the technique, the costs of implementation and the nature, scope, context and purposes of the treatment. For the above reasons, the allegation is rejected. SIXTH: Regarding the absence of violation of the principle of confidentiality and integrity. I-DE once again outlines the absolute identity between the two infractions that were committed against it. charge to the extent that the alleged violation of article 5.1.f) of the RGPD or well it turns out to be the result of the alleged violation of article 32 of said Regulation or brings direct, immediate and exclusive cause of this assumption second breach, that is, due to the lack of adequate security measures. I-DE points out in this regard that the AEPD has not considered the existence of any violation that does not refer to security measures, since no C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 68/88 indicated any measure that has ceased to comply other than the security measures that may be required. In this regard, it was already indicated in the Proposed Resolution that when art. 5.1.f) of the GDPR refers to appropriate technical or organizational measures to ensure the rights and freedoms of data subjects within the framework of compliance management regulations of the RGPD does so in the sense provided for in art. 25 of the GDPR regarding privacy by design. This precept determines that, “Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the treatment entails for the rights and freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment as well as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, such as data minimization, and integrate safeguards necessary in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties” (emphasis is our) It should be noted that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. In this sense, I-DE has not proven that it has complied with the provisions of said precept, since it has not been proven that, in accordance with the risks of varying probability and severity that the treatment entails, for the rights and freedoms of natural persons, has applied technical and organizational measures appropriate measures, such as pseudonymization, designed and intended to apply effectively the principles of data protection, among which is the confidentiality principle. Therefore, the GDPR requires the applicability of data protection from design and implementation. need to manage both the risks to the rights and freedoms of individuals, such as the impact on those rights and freedoms that a data breach, especially in web environments, because they can affect a large population volume. As stated in the guidelines for treatments that involve communication of data between public administrations of this Agency, whose reasoning is extrapolated to large organizations that handle large amounts of data, always There are risks related to personal data breaches. However, these will be especially considerable in the processing of personal data carried out carried out by large public and private organizations that are serving a large part of the citizens, and even much more if they are interconnected. Is very It is important to keep in mind that the risk that data breaches can pose C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 69/88 personal data in such treatments does not depend so much on whether categories of sensitive and/or specially protected data as well as the consequences for the fundamental rights that can arise from an information compromise To estimate the impact that a personal data breach could have, you must consider the consequences that would arise from its materialization. A form of To do so is, before a breach occurs, to consider the possible scenarios of materialization of a compromise of personal data, determine its consequences, and evaluate how it affects the rights and freedoms of the interested parties, especially if these are irreversible consequences on their fundamental rights Regarding measures appropriate to the level of risks to rights and freedoms, the art. 24.1 of the GDPR establishes that the measures to be adopted in a treatment to guarantee and be able to demonstrate its compliance with the Regulation must take into account the scope, context and purposes of the treatment, and must address, in particular, the extent of subjects affected by it and the risk that means for fundamental rights and not only the typology of the data In the aforementioned Guidelines it is indicated that “the technical and organizational measures that adopted must be specifically aimed at minimizing the risks identified for rights and freedoms from potential data breaches personal. This implies that the person responsible must evaluate the risks that may appear, design measures aimed at minimizing its probability and impact, and determine the extent to which such measures are appropriately managing the “concrete risks in a dynamic process” And it is added that “Appropriate measures must be selected and implemented from the design of the treatments with the aim that all risk contexts for rights and freedoms to be considered. It must be taken into account that Some measures will be more effective in avoiding or mitigating the direct impact on the individuals and other measures will be mainly about the social impact for the Fundamental rights. It is necessary to apply a high level of data protection by flaw (…)" It is not disputed that a personal data breach may occur, therefore within of the risk management of a given organization, precisely because may produce a gap, said scenario must be evaluated as inseparable part of risk management for the purposes of (i) adopting all types of appropriate technical and organizational measures to prevent it from materializing and (ii) determine post-facto measures to minimize damage. On this particular The aforementioned Guidelines explain that “given the possible scenarios of materialization of different types of gaps, the answer must be found, at least, to the following questions from the design of the treatment and prior to its implementation: • What personal and social impact a personal data breach can have if materializes. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 70/88 • What data protection measures should be implemented a priori to minimize the personal and social impact that a materialized breach could produce. • What response measures should be planned and executed after the fact, once the breach has occurred, to minimize the personal and social impact.” Therefore, its management cannot be based exclusively on the scope of the cybersecurity, but it has to encompass all the areas in which it is developed treatment, since, otherwise, risk management would not be complete, and, therefore, it would be useless. To achieve this, it is essential to adopt specific measures for the data protection by design and by default, and also measures for a effective management of the consequences of the gap aimed at protecting rights fundamentals of natural persons. As has been noted, there are multiple technical or organizational measures that are not of security and that the person responsible for the treatment can implement as a channel to guarantee the principle of confidentiality. In this sense, I-DE has not proven that it has complied with the provisions of the RGPD, since it has not been proven that, in accordance with all of the above, there has been evaluated those risks and applied appropriate technical and organizational measures aimed at effectively applying data protection principles, including measures aimed at guaranteeing the principle of confidentiality. And along with this there must be highlight that in this case the bankruptcy of the principle of confidentiality Furthermore, and apart from the above, not even in the analysis of the risks to adopt the security measures of article 32, the measures have been indicated. measures to be adopted to alleviate the “medium” risk that the activity of treatment affected by the gap, as indicated below in detail. more extensive and detailed in the response to the Fourth allegation hereof Foundation of Law. Therefore, in the case examined, as stated in the proven facts, there is a clear loss of confidentiality since access has occurred by a third party not authorized to the personal data processed by I-DE, which does not imply a objective liability, since I-DE was not diligent in not guaranteeing, in this way, adequate security through the application of technical measures and appropriate organizational measures, not only security, but of all kinds. Regarding what was pointed out by I-DE regarding that this AEPD has not accredited in no way materializes the risk posed by the loss of confidentiality. for the affected people, that no I-DE client has seen their rights as a consequence of the security breach that occurred, which includes which does not allow considering a principle violated and imposing as a consequence of said alleged infringement the fine of two million euros on the basis of a mere potential or the consideration that a high risk of fraud could occur, in in any way accredited. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 71/88 Faced with this, and as already indicated in the Proposed Resolution, what was charges I-DE is the violation of the principle of confidentiality since it is clear that, after suffer a computer attack against the GEA website, there was illegitimate access to data personal data and their extraction by an unauthorized third party, which meant the loss of confidentiality and control of numerous personal data (name and surnames, ID, postal address, fax, e-mail, telephone, customer code) and that affected 1,350,000 I-DE clients. Therefore, the risk did materialize, the loss of confidentiality and loss of control over data. What is guaranteed is the confidentiality in order to avoid the serious damage that bankruptcy may cause, since It represents a high risk for the interested parties, if confidentiality is violated, of fraudulent use of data: identity theft for recruitment online, phishing, financial fraud, etc. The loss of confidentiality has already been occurred in this case when the access and exfiltration occurred, which does not is that there is a “probability” of risk, but rather the realization of this risk causing a damage by itself. This represents a breach of the duty to guarantee the confidentiality of personal data, since as indicated, article 5.1.f) points out that they must be treated in such a way as to guarantee safety adequate protection of personal data, including protection against unauthorized processing. authorized or illegal. Likewise, regarding the fact that none of its clients have been affected in any of their rights as a consequence of the security breach, I-DE forgets that the The loss of confidentiality itself means that the core of the fundamental right to data protection, which is none other than that of have control of personal data. Regarding the high risk that this data, in the hands of cybercriminal/s, were used fraudulently, this was indicated to express what involves the loss of confidentiality, but is not necessary in any way, to understand that article 5.1.f has been violated, that said risks of fraudulent use are materialize, because what has materialized with the gap is the loss of confidentiality of the personal data processed by I-DE, which is what is attributed to it exclusively. For the above reasons, the allegation is rejected. SEVENTH: Regarding the violation of the principle of proportionality to the detriment of the I-DE rights I-DE draws attention to the fact that the same aggravating circumstances have been applied in relation to the two infractions charged, which is understood to show to what extent point the connection between both in total, proceeding with the application of what was invoked in the Second and Third allegations (violation of the non bis in idem principle and existence of medial contest) In this regard, it was already indicated, in relation to the application of identical aggravating factors in both infractions, that the circumstances provided for in art. 83.2 of the GDPR and the provided in art. 76.2 of the LOPDGDD are the only ones that can be applied by AEPD for any infraction. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 72/88 The determining factor in this case is not that they coincide in their use, but rather the foundation to be established for your consideration. Likewise, I-DE alleges the inappropriate application of article 83.2.a) of the RGPD, drawing I-DE attention to the fact that it has been considered appropriate aggravate the penalty imposed due to the fact that a loss of property has occurred confidentiality of personal data, both in relation to article 32 and article 5.1.f) Thus, I-DE maintains that, in relation to the violation of article 32, in accordance with traditional concept of security in systems, its objective is the guarantee of the integrity, confidentiality and availability of the information, therefore that, if the AEPD considers that the fact that a gap occurs confidentiality would aggravate the conduct consisting of the alleged absence of such security measures, any accusation for the alleged violation of article 32, will be aggravated by the AEPD, which would entail the inclusion in the catalog of violations of a kind aggravated by their very nature, which without However, it is not included in the RGPD or the LOPDGDD. In this regard, it should be noted, contrary to what has been argued, that the violation of Confidentiality is not necessary or essential in the commission of the violation of article 32, since as already indicated above, it can be violate the aforementioned article 32 due to the absence of appropriate security measures or due to inefficiency in its use or implementation, without necessarily having a personal data breach has occurred. Another different thing is that it is put into evidences the violation of article 32 as a consequence of the materialization of a violation of the security of personal data that, by its very definition, involves “any breach of security that results in the destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data” (section 12 of article 4 of the GDPR) Therefore, in the present case, there was a vulnerability in an I-DE application, in addition to other deficiencies such as password policy and limits existing in access to the application from suspicious IPs and not necessary for the business development, which revealed that I-DE was not applying appropriate measures to guarantee a level of security appropriate to the risk of its treatments (don't forget that it is a web application, that is, with access from internet), which in itself represents a violation of article 32. If in addition These deficiencies have allowed or facilitated, as is the case, the occurrence of a personal data breach (in this case, confidentiality breach), there is no no obstacle to considering said violation as an aggravating circumstance of the article 83.2.a), which allows taking into account the “nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the operation of treatment in question as well as the number of interested parties affected and the level of the damages and losses they have suffered” (emphasis added). Regarding the application of the aggravating circumstance of article 83.2.a) for violation of the article 5.1.f), although it is true that the violation of confidentiality is not appropriate as a circumstance to be taken into account to aggravate the infringement since C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 73/88 is subsumed in the offending type itself, it is also true that said precept, the 83.2.a) of the RGPD has been applied as an aggravating circumstance, also taking into account the number of interested parties affected, which are very numerous, amounting to more than one million people (1,350,000), as well as numerous data were stolen personal information (name and surname, ID, postal address, e-mail, telephone number, client code), so it is appropriate to continue taking these circumstances into account as aggravating factors, so article 83.2.a) of the GDPR continues to apply. Regarding the fact that I-DE understands that in relation to this aggravating circumstance, it is intended to take into account account of alleged damages and losses suffered, which have not been proven by the AEPD, it means that what is taken into account in said aggravating circumstance is the damage and the risk that it poses in itself to loss of confidentiality, which entails a total loss of control over one's own personal data and the high risk that it entails of that are used fraudulently, since they have been stolen by a cybercriminal. On the other hand, I-DE argues that the aggravating circumstance of article 83.2.b cannot be applied. of the RGPD regarding the existence of negligence since, in the Court's Ruling of Justice, of December 5, 2023 (case C-807/21), it is declared that: “75 Consequently, it must be declared that article 83 of the GDPR does not allows imposing an administrative fine for an infraction contemplated in its sections 4 to 6 without proving that said infringement was committed intentionally or negligently by the person responsible for the treatment and that, for Therefore, guilt in the commission of the infraction constitutes a requirement for the imposition of the fine.” From this I-DE deduces that if this intentionality or negligence is necessary for the infringement can be considered committed, it can hardly be considered that the The most serious form of culpable guilt can act as an aggravating circumstance, and even less about a subjective criterion, such as the volume of I-DE. Faced with this, it should be noted that one thing is that, in order to impute an infringement administrative is necessary the existence of intention or negligence and another, which does not The existence of especially negligent negligence may be used as an aggravating circumstance. highlighted, due to the circumstances of the case. The opposite would be contrary to one's own article 83.2.b) which establishes that “When deciding to impose an administrative fine and its amount in each individual case will be duly taken into account: b) intentionality or negligence in the infringement” Thus, in any violation of data protection regulations, the existence of intentionality or negligence. And this both to a data controller as a natural person, as a legal entity, whether a small company with little connection with the processing of personal data, whether it is a large company, a multinational, etc., and with processing of personal data in a manner continuous and on a large scale, for example. Therefore, once it has been determined that, as a premise, this subjective element occurs base guilt, this does not prevent the aggravating factor from being considered intentionality or negligence indicated by considering that, in accordance with the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 74/88 specific circumstances of the case, a different degree of intentionality is considered or negligence in the actions of the offending subject. Thus, in accordance with the Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the GDPR, version 2.1, adopted on 24 May 2023, notes the following: “4.2.2 — Intentional or negligent nature of the infringement 55. In its previous guidance the EDPB stated that "in general, the intention includes both knowledge and will in relation to the characteristics of a crime, while "unintentional" means that there was no intention to cause the infringement, although the controller/processor breached the duty to care required by law. Example 4 — Illustrations of intent and negligence (from WP 253) "Circumstances indicative of intentional violations may be a illicit processing explicitly authorized by the senior management hierarchy of the responsible for the treatment, or despite the advice of the protection delegate of data or violating existing policies, for example, obtaining and processing of data about the employees of a competitor with the intention of discredit that competitor in the market. Other examples here can be: - the modification of personal data to give a (positive) impression misleading about whether objectives have been met; we have seen it in the context of targets for hospital waiting times - the trading of personal data for commercial purposes, i.e. the sale of data as “opted in” without checking or ignoring the opinions of users. interested parties about how their data should be used Other circumstances, such as failure to read and follow policies existing, human error, lack of verification of personal data in the published information, the lack of application of technical updates in the timing, lack of policy adoption (rather than simply lack of of application) may be indicative of negligence"; 56. The intentional or negligent nature of the infringement [Article 83(2)(b) of the GDPR] must be evaluated taking into account the objective elements of conduct obtained from the facts of the matter. The EDPB highlighted that it is generally accepted that intentional violations, "demonstrate contempt for the provisions of the law, are more serious than unintentional ones. In the case of intentional infringement, it is The supervisory authority is likely to give more weight to this factor. According to the circumstances of the case, the supervisory authority may also attribute weight to the degree of negligence. At best, negligence could be considered neutral." (emphasis is ours) In the present case, the aggravating circumstance of negligence was appreciated since the detected vulnerability could have been avoided, and is also a vulnerability identifiable in security assessments. Likewise, in relation to the infringement C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 75/88 of article 5.1.f) of the RGPD, negligence was also seen as an aggravating circumstance shown by I-DE because, as has been pointed out, due to its subjective circumstances and due to the high number of clients it has, a higher degree of professionalism and diligence in the duty to guarantee the confidentiality of the personal data of its numerous clients. Regarding the consideration of the size of I-DE as an aggravating factor, it should be noted that the same level of diligence cannot be demanded from a company like I-DE, which required from a natural person or a small business, for example. This means that A higher level of diligence is required because the level of professionalism is elderly. It is appropriate to recall again, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a personnel must insist on rigor and exquisite care to conform to the legal provisions in this regard. Finally, contrary to what was stated by I-DE, the consideration of this aggravating circumstance of negligence has at no time meant that the limit has been increased maximum of the sanction to be imposed, since the maximum limits are established in sections 4 and 5 of article 83 of the RGPD, which allow imposing a penalty, respectively of 10,000,000 euros or 2% of the business volume global annual total and 20,000,000 euros or 4% of the total annual business volume global. Therefore, at no time has the maximum amount of the sanction that could be imposed as a consequence of the application of the aggravating circumstances as indicated by I-DE. Regarding the aggravating circumstance included in article 76.2.b of the LOPDGDD, I-DE points out that his behavior is getting worse due to the mere fact of belonging to a specific sector of activity. In this regard, it is meant that this provision does not The specific activity to which I-DE is dedicated (distributor) is taken into consideration. of energy), but its connection with the performance of data processing personal, since it carries out massive and large-scale treatments (21 million clients), through computer applications and web applications and continuously. In this sense, the Spanish legislator has considered including in article 76 of the LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of the Regulations (EU) 2016/679 may also be taken into account: (…) b) The linking of the offender's activity with the performance of medical treatments. personal information." This Agency simply takes into consideration that circumstance, provided for by the legislator, when deciding the imposition of the administrative fine. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 76/88 Finally, I-DE alleges the breach of the principle of equal treatment if it is taken into account consideration of the precedents of this Agency. Thus, it indicates the procedure PS/000179/2020 in which it indicates that a minor penalty was imposed despite understand that the circumstances were more serious, but that, above all, in said file, no sanction was imposed for violation of article 5.1.f) of the RGPD, despite the existence of a data confidentiality breach being evident, The AEPD having therefore modified its criteria, since by now converting what was considered a violation of article 32 of the GDPR in two violations, by making now refers to 5.1.f) of the RGPD, and considerably multiply the total amount of The infringement represents a flagrant breach of the principle of equality, security legal and public faith. Likewise, he points out that this also goes against the doctrine of own acts. Faced with this, as already pointed out in the Proposed Resolution, the circumstances and facts of procedure PS/000179/2020 are not the same nor comparable, just as there is no equality in illegality, so there is no try to equate sanctions in the face of different facts and circumstances. Therefore, It is necessary to refer to the response to this same allegation and which appears transcribed in its entirety in the Sixth section of the Fundamentals of Law IV of the present Resolution. Regarding what I-DE maintains regarding the fact that the principle of equality also in the fact that PS/000179/2020 only sanctioned for a violation of article 32 and was not considered a violation of article 5.1.f) of the RGPD, there having also been a confidentiality breach, and that this also goes against the doctrine of proper acts, it means that I-DE has only selected and brings up this file to defend an alleged treatment unequal but which, however, ignores the numerous sanctioning procedures existing prior to the present in which, after a gap of confidentiality, has been sanctioned for violating both precepts. By way As an example and without exhaustive character, since there are more, the following should be indicated: PS/00444/2021, PS/00420/2021, PS/00528/2021, PS/00099/2022, PS/00113/2022, PS/00164/2022, PS/00419/2022, PS/00168/2022. Finally, regarding the procedure PS/0002/2023 in which they have been imposed also two sanctions for violating both article 32 and 5.1.f) of the RGPD and that for also refer to a company in the electrical sector, brings up I-DE to make a comparison, because there it was imposed, in the total sum of the two sanctions for these two infractions, an amount that only exceeds 500,000 euros than those imposed to I-DE, despite the fact that there were affected parties, it means again that the facts and circumstances are different and that, for this reason, a fine was imposed different (in this case higher), in addition to other fines for other violations different ones that were considered. In this sense, it is once again recalled that, in terms of data protection, the technical and organizational security measures to be adopted by those responsible for the treatment and other obligations to comply required by the RGPD, must be the appropriate in relation to the specific risks posed by the specific treatments carried out by each person responsible. Therefore, when analyzing the diligence of some C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 77/88 and others in compliance with the regulations must be based on the circumstances of each case, taking into account the nature, scope, context and purposes of each treatment, therefore there are no identical cases. In this sense, it must be remembered that article 83, in section 2, establishes that “Administrative fines are will be imposed, depending on the circumstances of each individual case…” (the emphasis is ours) Therefore, it is necessary to attend to the circumstances of each individual case, there being no two identical files and, therefore, with equal results. As a general and final consideration, it should be noted that none of the sanctions applied violates the principle of proportionality. Thus, it must be remembered that the articles 83.4 and 83.5 of the RGPD, where the violation of article 32 and article 5.1.f), establish limits on the amounts of the fines that can be imposed, very far from those that have finally been imposed established. Thus, article 83.4 of the aforementioned Regulation establishes that sanctions will be imposed, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the total global annual business volume of the previous financial year, opting for the of greater amount. In this regard, according to the Axesor entity, the volume of business for 2022 from I-DE was ***AMOUNT.2 euros, which would have allowed to impose a penalty of up to ***AMOUNT.3 euros, for the violation of article 32. For its part, article 83.5 of the RGPD establishes that sanctions will be imposed, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the of greater amount. In this regard, in accordance with the turnover indicated, would have allowed imposing a penalty of up to ***AMOUNT.4 euros, for violation of article 5.1.f). Therefore, taking into account the above, as well as the negligence of I-DE in having a web application with the vulnerability detected, with a weak password policy and with access permissions from suspicious IPs and not necessary for development of your business activity (and much less for the purpose of the application in issue), from which the personal data of its clients is accessed and taking into account takes into account the high number of affected people whose personal data were exfiltrated by a cybercriminal, which represents a loss of control over the personal data irremediably, with the risk that this entails, cannot be It can be said that the sanctions finally imposed violate the principle of proportionality, taking into account that “Each supervisory authority will ensure that the imposition of administrative fines in accordance with this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive” (emphasis is our) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 78/88 SAW Integrity and confidentiality Article 5.1.f) “Principles relating to processing” of the GDPR establishes: "1. The personal data will be: (…) f) treated in such a way as to ensure adequate safety of the personal data, including protection against unauthorized processing or unlawful and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality»).” The principle of data integrity and confidentiality requires a guarantee of security in the application of technical or organizational measures that prevent alteration of personal data, its loss, unauthorized or illicit processing or access. It's not the existence of this fundamental right is not possible if the confidentiality, integrity and availability thereof. Hence, the integrity and confidentiality of personal data are considered essential to prevent the interested parties from suffering negative effects. Therefore, they must be treated in a manner that ensures adequate integrity and confidentiality of personal data, especially to prevent access, processing or use authorized users of said data. In short, it is the data controller who has the obligation to integrate the necessary guarantees in the treatment, with the purpose of, by virtue of the principle of proactive responsibility, comply and be able to demonstrate compliance, while while respecting the fundamental right to data protection. In this regard, it must be remembered that the confidentiality of personal data is regulated in article 5 of the RGPD, being, therefore, one of the principles relating to treatment. The principles relating to treatment are, on the one hand, the starting point and the closing clause of the legal data protection system, constituting true informing rules of the system with an intense expansive force; for another On the other hand, as they have a high level of specificity, they are mandatory standards. likely to be infringed. Article 5.1.f) of the GDPR establishes a clear obligation of consistent compliance in preventing unauthorized or illicit treatments by implementing measures of all kinds adequate to guarantee the confidentiality, integrity and availability of the data. Consequently, those responsible for the treatment must be available to guarantee the confidentiality of personal data to prevent a third party access data that does not belong to them, since it is precisely their responsibility to process the personal data in accordance with the RGPD and LOPDGDD. For this reason, it is an activity in where the diligence provided by them is essential to avoid this type of access Not allowed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 79/88 In the present case, the principle of confidentiality has been violated since it is clear that after suffering a computer attack against the I-DE connection management website (GEA), taking advantage of its vulnerability, an illegitimate access occurred to personal data and their extraction, which meant the loss of confidentiality and control of numerous personal data (name and surname, ID, postal address, fax, e-mail, telephone, customer code) and which affected, among others, 1,350,000 I-DE clients. This represents a breach of the duty to guarantee the confidentiality of personal data, since as indicated, article 5.1f) points out that they must be treated in such a way as to guarantee safety adequate protection of personal data, including protection against unauthorized processing. authorized or illegal. Therefore, the risk of loss of confidentiality has materialized, having been usurped by a cybercriminal, which means that they can be used for not known (sold, communicated, published, etc.), all without consent of its owners, leading to a total and absolute loss of control over them. In addition, it also poses a very high risk of fraudulent use of them. (identity theft, fraud, financial losses, etc.) or that serve to any other utility that in certain circumstances constitutes a threat for its owners. It should also be taken into account that most of the data Leaked personal information is data that cannot be modified or changed by others. (name, surname, ID, address...) This loss of control over one's own personal data results in a violation of the fundamental right to data protection recognized in the article 18 of the Spanish Constitution, as the Constitutional Court has indicated (Sentence 292/2000, of November 30, 2000) “the fundamental right to Data protection seeks to guarantee the person power of control over their personal data, about its use and destination, with the purpose of preventing its illicit trafficking and harmful to the dignity and rights of the affected person (…) The right to data protection "It guarantees individuals the power to dispose of these data." For all the above and in accordance with the evidence available in At this time of proposal for a resolution, it is considered that the known facts could constitute an infraction, attributable to I-DE, for violation of the article 5.1.f) of the RGPD. VII Classification of the violation of article 5.1.f) of the RGPD The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 80/88 global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 72 “Infringements considered very “serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” VIII Penalty for violation of article 5.1.f) of the RGPD In accordance with the evidence available, the sanction should be graduated to impose in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: - Article 83.2.a) RGPD: Nature, severity and duration of the infringement. -Number of interested parties affected: there are very numerous people affected, since amounts to more than one million I-DE clients (1,350,000). -Level of damages and losses suffered: High. Numerous were stolen personal data (name and surname, ID, postal address, e-mail, phone number telephone, client code) and a very considerable number of I-DE clients (1,350,000) losing, therefore, all control over them, thus emptying of content the fundamental right to the protection of personal data that, As indicated by the Constitutional Court in the previously reviewed Judgment, seeks to guarantee the person power of control and disposition over their personal data, about its use and destination, with the purpose of preventing its traffic illegal and harmful to the dignity and rights of the affected person. - Article 83.2.b) RGPD. Intentional or negligence in the infringement: the existence of negligence in compliance and observance of technical measures and organizational measures to ensure the security necessary for data protection personal data, specifically to guarantee their confidentiality. To this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 81/88 In this regard, it must be remembered that I-DE is a large company, which carries out treatments large scale, affecting its treatments to numerous natural persons (21 million people) so a higher level of diligence is required. It is worth remembering, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a personnel must insist on rigor and exquisite care to conform to the legal provisions in this regard. As mitigating factors: - Article 83.2.c) RGPD. Measures taken by the person responsible to alleviate the damage and damages suffered by the interested parties: Positive. As soon as he became aware of the attack, reacted as quickly as possible and proceeded to take measures aimed at repelling the same and to avoid its repetition (suspension of the web application; blocking of IPs suspicious events, disconnections, etc.) and immediate activation of its internal protocols corresponding, which could have avoided a much more serious impact. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As aggravating factors: - Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance of personal data processing: The development of the activity I-DE's business involves continuous, large-scale processing of personal data, since, according to what it states, it processes data of 21 million people. By Therefore, it is a large company used to processing personal data. In accordance with the evidence available, taking into account the circumstances of the case and the criteria established in article 83.2 of the RGPD with regarding the infraction committed by violating the provisions of article 5.1.f) of the GDPR, a penalty of €2,500,000 (two and a half million euros) is established. IX Article 32 of the GDPR Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 82/88 appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States.” Article 32 does not establish static security measures, but will correspond to the responsible for determining those security measures that are necessary to guarantee the confidentiality, integrity and availability of personal data, Therefore, the same data processing may involve security measures different depending on the specific specificities in which said data treatment. In line with these provisions, Recital 75 of the GDPR establishes: risks to the rights and freedoms of natural persons, serious and variable probability, may be due to data processing that could cause physical, material or immaterial damages, particularly in cases where that the treatment may give rise to problems of discrimination, usurpation of identity or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of the pseudonymization or any other significant economic or social harm; in the cases in which the interested parties are deprived of their rights and freedoms or are prevents you from exercising control over your personal data; in cases where the data processed personal reveals ethnic or racial origin, political opinions, religion C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 83/88 or philosophical beliefs, militancy in unions and the processing of genetic data, data relating to health or data on sexual life, or convictions and offenses criminal or related security measures; in cases in which they are evaluated personal aspects, in particular the analysis or prediction of aspects related to the performance at work, economic situation, health, preferences or interests personal, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases in which personal data of vulnerable people, particularly children; or in cases where the treatment involves a large amount of personal data and affects a large number of interested. (emphasis is ours) Likewise, Recital 83 of the GDPR establishes: In order to maintain the security and prevent the processing from infringing the provisions of this Regulation, the responsible or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must guarantee a appropriate level of security, including confidentiality, taking into account the status of the technique and the cost of its application with respect to the risks and the nature of personal data that must be protected. When assessing risk in relation to data security, the risks that arise from the processing of personal data, such as destruction, loss or alteration accidental or unlawful personal data transmitted, preserved or otherwise processed form, or unauthorized communication or access to said data, susceptible in particular of causing physical, material or immaterial damages. (he emphasis is ours) In short, the first step to determine the security measures will be the Risk assessment. Once evaluated, it will be necessary to determine the measures of security aimed at reducing or eliminating risks for the treatment of data. Data security requires the application of technical or organizational measures appropriate in the processing of personal data to protect said data against access, use, modification, dissemination, loss, destruction or accidental damage, unauthorized or illicit. In this sense, security measures are key when to guarantee the fundamental right to data protection. It is not possible existence of the fundamental right to the protection of personal data if it is not possible to guarantee their confidentiality, integrity and availability. It should not be forgotten that, in accordance with article 32.1 of the aforementioned GDPR, the technical and organizational measures to apply to guarantee a level of security appropriate to the risk must take into account the state of the art, the costs of application, nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of Physical persons. Therefore, I-DE, when evaluating risks and determining technical measures and appropriate organizational measures to guarantee a level of security appropriate to the risk, is obliged to take into account the specific activity that its business entails, which involves processing personal data continuously and on a large scale (numerous data at a time) collect, process, store...); the type of data processed: identification, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 84/88 contact, those related to the supply and consumption of electricity, current accounts, etc); the context: use of a web application on the Internet, that is, in an environment not isolated, which entails risks derived from the interconnectivity itself that the network, which must be attended to in a specialized way. Therefore, derived from the activity to which it is dedicated, I-DE is obliged to carry out a very specialized way of analyzing risks and implementing measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of its activity for the rights and freedoms of people. In the present case, as noted above, I-DE suffered a cyber attack on its GEA web application, causing a security breach consisting of a breach of confidentiality when there is access to personal data of its clients, contained in the Group's database and an illicit exfiltration of the same. The GEA application is an I-DE web application used for the management of electrical connections. It is published on the Internet for access by users (customers, installers, etc.) involved in the management process of those connection files. (…) All of the above shows that I-DE was not diligent enough when it came to implement appropriate security measures to prevent incidents from occurring of security like the one that took place in the present case, that is, it did not apply measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of your personal data processing. Likewise, there is no appreciation of the necessary diligence in the process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of the treatment. (article 32.1) Therefore, in accordance with the evidence available, it is considered that The known facts constitute an infringement, attributable to I-DE, for violation of article 32 of the RGPD. x Classification of the violation of article 32 of the RGPD The aforementioned violation of article 32 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infractions of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 85/88 In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. XI Penalty for violation of article 32 of the GDPR In accordance with the evidence available, the sanction should be graduated to impose, in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: - Article 83.2.a) RGPD: Nature, severity and duration of the infringement. -It is considered that the nature of the infraction is serious since it has entailed a loss of confidentiality and, therefore, of disposition and control irremediable on personal data. -Number of interested parties affected: there are very numerous people affected, since amounts to 1,350,000 -Level of damages and losses suffered: High. Numerous were stolen personal data (name and surname, ID, postal address, e-mail, phone number telephone, client code) and a very considerable number of I-DE clients (1,350,000) losing, therefore, all control over them, thus emptying content the fundamental right to the protection of personal data that, as indicates the Constitutional Court in the previously reviewed Judgment, pursues guarantee the person power of control and disposal over their personal data, on its use and destination, with the purpose of preventing its illicit trafficking and harm to the dignity and rights of the affected person. - Article 83.2.b) RGPD. Intentional or negligence in the infringement: the existence of negligence in compliance and observance of technical measures and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 86/88 organizational measures to ensure adequate security for data protection personal data, specifically to guarantee their confidentiality. The detected vulnerability could have been avoided, and is also a vulnerability identifiable in security assessments. In this regard, it must be remembered that I-DE is a large company, which carries out large-scale treatments, affecting numerous natural persons (21 million people) so a higher level of diligence is required and appropriate security measures to ensure the confidentiality of data personal it deals with. It is worth remembering, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a personnel must insist on rigor and exquisite care to conform to the legal provisions in this regard. As mitigating factors: - Article 83.2.c) RGPD. Measures taken by the person responsible to alleviate the damage and damages suffered by the interested parties: Positive. As soon as he became aware of the attack, I-DE staff reacted as quickly as possible and proceeded to take action aimed at repelling the same and to avoid its repetition (suspension of the web application; blocking suspicious IPs, disconnections, etc.) and immediate activation of your corresponding internal protocols, which could have avoided a major impact More serious. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As aggravating factors: - Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance of personal data processing: The development of the activity business that I-DE performs involves a continuous, large-scale treatment of personal information. Therefore, it is a large company used to treating of personal data. The balance of the circumstances contemplated in article 83.2 of the RGPD and the article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the established in article 32 of the RGPD, allows establishing a penalty of €1,000,000 (one million euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 87/88 Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U., with NIF A95075578, for a violation of Article 5.1.f) of the RGPD typified in Article 83.5 of the RGPD, a fine of 2,500,000 euros (TWO MILLION FIVE HUNDRED THOUSAND EUROS). SECOND: IMPOSE I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U., with NIF A95075578, for a violation of Article 32 of the RGPD, typified in Article 83.4 of the RGPD, a fine of 1,000,000 (ONE MILLION EUROS) THIRD: NOTIFY this resolution to I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. FOURTH: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, through your entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the The amount of the penalty imposed is greater than one million euros, it will be subject to publication in the Official State Gazette of the information that identifies the offender, the violation committed and the amount of the penalty. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 88/88 contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative means if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative procedure within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-16012024 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es