AEPD (Spain) - PS/00268/2022
AEPD - PS-00268-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 25(1) GDPR Article 32 GDPR Article 33 GDPR §72(1) LOPDGDD §73(1)(d) LOPDGDD §77 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 0 EUR |
Parties: | Madrid Public Health Service |
National Case Number/Name: | PS-00268-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Public Health Service of Madrid was reprimanded for the violation of Articles 5(1)(f), 25(1), 32 and 33 GDPR due to a website failure which resulted in the exposure of personal data. The system was launched to allow citizens to get a vaccination appointment against Covid-19.
English Summary
Facts
A consumer association (FACUA) submitted a complaint against the Regional Ministry of Health (Madrid Public Health Service), the controller, due to a defective appointment system put in place on the controller’s website which allowed citizens to request the Covid-19 vaccine.
The website was affected by a security breach. Furthermore, it had insufficient blocking mechanisms in cases of multiple authentication login attempts and the controller did not communicate the incident to the DPA.
The Spanish DPA requested the controller to provide detailed information regarding facts of the incident and security measures adopted prior to the security breach. The controller claimed that the launch of the system responded the urgency of the population’s vaccination in May and June 2021, a critical moment for the management of the pandemic. The controller fixed the system after having become aware of the breach. It improved and updated the system as well as implemented security measures, such as the reduction of information to be exchanged between the user’s browser and the server (by eliminating the phone number and gender), two-step authentification system, and that the security measures implemented on the controller’s IT applications were according to the Madrid Autonomous Community’s standards.
The controller’s allegations were extended, justifying the failure to communicate the data breach to the DPA due to their evaluation of the lack of damage to the data subject’s fundamental rights and freedoms.
Holding
Regarding Article 5(1)(f) GDPR, the DPA stated that personal data contained in the controller’s database were unlawfully exposed to third parties. Considering the national legislation, Article 72.1 LOPDGDD, this violation was considered very serious.
Considering Article 25(1) GDPR, the DPA held that the application of appropriate technical and organisational measures was not achieved due to the described system’s failure. Considering the national legislation, Article 73.1(d) LOPDGDD, this violation was considered a serious violation.
Moreover, according to the DPA, at the time of the data breach occurrence, the controller did not have appropriate technical and organisational measures to avoid the incident since the system did not have two-step authentication nor did the personal data appear pseudonymised, which resulted in the violation of Article 32 GDPR. This was considered a serious violation under national law, Article 73.1(f) LOPDGDD.
In addition, the controller did not notify the data breach within the time limit which implied a violation of Article 33 GDPR, also considered a serious violation under the national law, Article 73.1(f) LOPDGDD.
Finally, the Spanish DPA explained that Articles 25(1) and 32 GDPR highlight the need for the implementation of appropriate technical and organisational measures according to the risk when deciding both on the purposes and means at the moment of the processing itself. It is supposed to ensure an effective application of the data protection principles as well as adequate security level for that risk. In the present case, the urgency due to a sanitary emergency could not be accepted as an exemption since the launch of a defective application, which exposed personal data on a large scale, could cause even greater damage.
In conlusion, the Spanish DPA reprimanded the controller for the afore-discussed violations as Article 77 LOPDGDD foresees that public administration bodies must only be reprimanded for the violation of data protection legislation, not applying a financial penalty.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/23 File No.: PS/00268/2022 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: ASSOCIATION OF CONSUMERS AND USERS IN ACTION OF MADRID FACUA, (hereinafter, FACUA), on June 14, 2021 filed claim before the Spanish Data Protection Agency. The claim is directed against the MINISTRY OF HEALTH OF THE COMMUNITY OF MADRID, with NIF S7800001E, (hereinafter COUNSELING). The grounds on which the claim is based are the following: -That, due to a programming error, data from personal character (DNI, telephone number, date of birth and numbers of health identification) of citizens when accessing the self-citation website, activated by the Community of Madrid on May 24. This platform of the Community of Madrid has been created so that citizens who had not yet received any dose of the COVID-19 vaccine could schedule an appointment for your vaccination, depending on has been able to check the digital communication medium EL DIARIO.ES. Together with the claim, a screenshot of the application's home page is provided. COVID self-citation from the Ministry of Health of the Autonomous Community of Madrid, and the news published by elDiaro.es on 06/15/2021, which includes a screenshot of the data that appears in said application, although in the one attached as an example anonymized all except the name "A.A.A." SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the claim presented by FACUA was transferred to the MINISTRY, to proceed with its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on 06/18/2021 as recorded in the acknowledgment of receipt that works in the file. No response has been received to this transfer letter. THIRD: On September 10, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the FACUA was admitted for processing. FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/23 article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: INVESTIGATED ENTITY During these proceedings, the following entity has been investigated: MINISTRY OF HEALTH OF THE COMMUNITY OF MADRID, with NIF S7800001E with address at C/ MELCHOR FERNÁNDEZ ALMAGRO, Nº 1 - 28029 MADRID (MADRID) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/23 RESULT OF THE INVESTIGATION ACTIONS 1.- On June 10, 2021, the digital medium ElDiario.es publishes an article in which reported, among others, the following: “The Community of Madrid activated its self-citation system on May 24 by age groups so that citizens who had not yet received no doses of the COVID-19 vaccine could schedule an appointment. From that day and until this Thursday, the web page enabled by the Ministry of Health to request that citation has had a security breach that has affected all people with a health card in the region, according to been able to check elDiario.es. Due to a programming error, the page left the name complete, DNI, telephone number, date of birth and the numbers of both regional and national health identification of any citizen when an appointment request was made with his CIPA number (Code of Personal Identification of the Community of Madrid). Said article also publishes what it claims are the data of a citizen affected by the security breach of the “self-appointment” portal to be vaccinated against the coronavirus of the Community of Madrid, in which it can be seen that in the web code the data corresponding to the following fields are crossed out: NIF, name, surname1, surname2, date of birth, phone number, gender and the numbers of both regional and national health identification. In the image published by the media, it can be seen that in the tab "network", within the browser inspection tool, a JSON (database notation) JavaScript object, is a simple text format for data exchange) in the that the aforementioned data appears with the content hidden willfully. The article also mentions that this information was not visible to the naked eye, but rather was present in the computer code of the Web and that to access it you had to enable the browser's developer tools, an option that is available to any user but not usually used without some knowledge prior technicians. It also informs that the gap has been closed after receiving a notice from of the media. 2.- On October 5, 2021, the data inspection was requested from the MINISTRY OF HEALTH OF THE COMMUNITY OF MADRID, hereinafter the Counseling, the following documentation and information: 1. Detailed and chronological description of the events that occurred. 2. Detailed specification of the causes that have made the incident possible. 3. Number of people affected by the data security breach personal. 4. Category of personal data involved. 5. Possible consequences for affected people. 6. Detailed description of the actions taken to solve the incident and minimize its impact on affected people. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/23 7. Security measures of personal data processing adopted with prior to the incident, as well as supporting documentation of the Analysis of Risks that has entailed the implementation of said security measures and, if applicable, a copy of the Impact Assessments of the treatments where The personal data security breach has occurred. 8. Copy of the Activity Record of the treatments where the incident. 9. If the security breach has been notified to the affected people, indicate than the channel used, date of the communication and details of the message sent. If not, indicate the reasons. 10. Reason why the breach has not been notified within 72 hours of the happened. 11. Any other that you consider relevant. Said requirement was notified through the Electronic Address service Enabled Unique and was accepted by the recipient on October 10, 2021, according to accredit this service. On October 21, 2021, a letter is received from the Delegate Committee for the Protection of Details of the Ministry requesting an extension of the term to respond to the request. 3.- After the period given to respond to the request for information without obtaining response, dated December 1, 2021, the request for information was reiterated to the Counseling, through the Single Enabled Electronic Address service and was accepted by the recipient on December 2, 2021, as evidenced by said service. 4.- In the absence of a response to the data inspection requirements, dated March 14, 2022 the Director of the Spanish Agency for Data Protection agrees to initiate a sanctioning procedure against the Ministry, for the infraction of the Article 58.1 of the General Data Protection Regulation (RGPD), typified in the art. 83. 5 e) of the aforementioned RGPD, within the framework of which, the claimed body alleges that the Delegate Committee for Data Protection of the Ministry, in the exercise of its functions, sent a response to the request for data inspection through document dated February 1, 2022 with reference to the Filing Registry REGAGE22e00002434053 and provides proof of presentation documentation in the record and copy of the letter of attention to the request for information, in which reveal the following: Regarding the causes that made the incident possible: - After analyzing the facts, they conclude that the failure detected related to this information system is due to an exposure of data information personal (public) accessed through a valid session cookie, and editing the URL accessed one of the input fields called "idPatient" with a DNI valid. In this way, a series of personal data can be displayed corresponding to the person with the DNI used. Additionally, it is found that the web application had insufficient blocking mechanisms before retries when entering the authentication data (Code of Autonomous Population Identification [CIPA], Date of birth and DNI) for request the appointment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/23 Regarding the affected data - There is no record in the Ministry of Health that the failure occurred has affected any citizen, beyond the information published in the media Communication. Likewise, there is no evidence that there has been any damage to the freedoms and rights of citizens. - Only identification data of the users could have been affected. citizens: Name and Surname, CIPA, Date of birth, Patient ID, DNI, Phone number, Gender. - There is no record in the Ministry of Health that there has been a damage to the freedoms and rights of citizens, without any evidence of until the date that material or immaterial damage has been derived in the citizens who may have been affected. The correction of this vulnerability was prior to its dissemination in the media. Detailed description of the actions taken to solve the incident and minimize its impact on affected people: - The application was modified in order to improve the information system and the version was uploaded, being the following the most relative changes: June 9th: Minimize the information to be exchanged between the user's browser and the server. Only information that is displayed on the screen or that the user has previously entered. No number is exchanged in any case telephone, CIP SNS (Population Identification Code of the National System of Health), sex. The rest (date of birth, name and surname), are shown by screen. Request the verification code sent by SMS as a first step, nothing more enter the identification data. Do not return specific error codes, only generic ones. The data required in the identification process is increased, offering two possibilities to the user: o CIPA + Date of birth + DNI o DNI/NIE/PASSPORT + Date of birth + First surname - The design of the application architecture does not allow the modification of the data of user affiliation. Because the application makes use of a database independent and the requested mobile is only used as part of the OTP implemented to validate the appointment request. Regarding security measures - The SERMAS development team uses a development methodology continuously updated collected in (...) in the Ministry of Health of the Madrid's community. They provide a copy of (...), whose objective is to have the standards that must be fulfill the applications from the technical and functional point of view, as well as the whitepapers describing the platforms with which they should be integrated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/23 the same. The indications and guidelines (...) are mandatory for all the development of new applications for the DGSIS. - The point (...) establishes with respect to the access to the applications of the citizens what Next: (…) - Manifest in relation to the impact assessment (EIPD) on the present treatment, taking into account its nature, scope, context and purposes, as well as that in the present treatment there is no systematic evaluation and exhaustive of personal aspects that is based on automated processing, nor is there a treatment of special categories of data. Therefore, it considers that in the present treatment it is not necessary to carry out a EIPD. 5.- It has been verified by data inspection that the Internet Archive (library managed by a non-profit organization containing millions of Internet pages recorded since 1996) has registered the web page https://autocitavacuna.sanidadmadrid.org existing on June 14, 2021, in which it can be verified that to request an appointment for the vaccine, it is requested only the CIPA code and in case of not having said code, a DNI is requested and Date of Birth. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/23 CONCLUSIONS - Regarding the causes that have made possible the incident published in ElDiario.es, the representative of the Ministry states that, after analyzing the facts conclude that the failure detected related to this system of information is due to an exposure of personal data information (public) accessed via a valid session cookie, and editing the URL accessed one of the input fields called "idPatient" with a valid DNI. This explanation is inconsistent with the security incident reported to this Agency by FACUA, incident in which personal data was left exposed when making an appointment request with a CIPA number (Code of Personal Identification of the Community of Madrid) existing. It has been proven for the inspection of data that the Internet Archive maintains the website https://autocitavacuna.sanidadmadrid.org existing on the date of June 14, 2021, in which it can be verified that to request an appointment for the vaccine, only requests the CIPA code and in case of not having said code, request ID and date of birth. On the other hand, the representative of the Ministry recognizes that, among the actions taken to solve the incident, the information has been reduced to a minimum. exchange between the user's browser and the server. only broadcast information that is displayed on the screen or that the user has entered previously. Telephone number is not exchanged in any case, CIP SNS (Population Identification Code of the National Health System), sex. The rest (date of birth, name and surname), are displayed on the screen. Also, The data required in the identification process has been increased, offering two possibilities for the user: CIPA + Date of birth + DNI or DNI/NIE/PASSPORT + Date of birth + First surname. - Regarding security measures, the Madrid Health Service (SERMAS) dependent on the Ministry, uses a methodology for the development of computer applications that is collected in (...) of the Community of Madrid. o The (…) related to authentication establishes regarding access to Citizen applications the following: (…) It has been verified by data inspection that the Internet Archive maintains the existing website https://autocitavacuna.sanidadmadrid.org on the date of June 14, 2021, in which it can be verified that for request an appointment for the vaccine, only the CIPA code is requested and in case If this code is not available, ID and date of birth are requested. o The (...) called (...) establishes, among others, the following: (…) It is unknown if the Ministry has carried out a risk analysis, as established by the methodology (...). o The same (...) establishes the following: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/23 It is unknown if tests and analyzes have been carried out of this treatment by the Security Office, according to establishes the methodology (...). FIFTH: On July 15, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 5.1.f) of the RGPD, Article 33 of the RGPD, Article 25 of the RGPD and Article 32 of the RGPD, typified in Article 83.5 of the RGPD. Once the Start Agreement was notified, the MINISTRY presented a brief of allegations in the which in summary stated: -That in the months of May and June 2021, we were at a very critical related to the management of the pandemic. In this period, when the vaccination process for the general population - albeit in a staggered manner age groups-, the organization and opening of said process massively and, consequently, it was necessary to offer a system with clear and simple information on the process to be followed by the citizenship and the urgency required for its adoption at the organizational level, including also several channels to facilitate citizen citations. This state of health emergency made it necessary to develop a large number of new tools with great speed to be able to provide the best service to citizens by developing and deploying the citation process for vaccination in an agile way in authorized centers, even allowing the citizen to select the time and center of his preference, which facilitated the Community of Madrid reached a high number of vaccinated population, contributing with said action to be able to face this situation of pandemic as soon as possible, and facilitate the mobility of the population before the start of periods traditionally considered as vacations in which there would be the mobility of the population. -In this regard, this Agency recalls that both article 25.1 of the RGPD as 32 of the same legal text, stress the need that, both in the time of determining the means of treatment as well as at the time of treatment itself, the controller adopts technical and organizational measures appropriate to effectively apply the principles of data protection and guarantee a level of security appropriate to the risk, without being able to accept as excuse the circumstance of urgency alleged by health emergency. It is not possible to appreciate, in the present case, a state of necessity that justifies the put into production of a faulty application, which allowed access to personal data of a large number of citizens, without making previously the necessary checks to determine its correct operation, and whose use can cause greater harm than that which is intends to avoid. -That in the initial agreement reference is made in the section “Regarding the security measures” to the point (…), which is generic, and which for Self-citation is enabled other access procedures so that citizens who do not had a Health Card of the Community of Madrid, they could request the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/23 vaccination through the website. They consider, therefore, that the reference (...) should be deleted as it bears no relation to this particular case. -In this regard, this Agency has simply reflected the information provided by the MINISTRY itself in its response to the request for information made by the AEPD, in which they attach a (...) to which they make reference in paragraph 6 of your answer: “6. Security measures of personal data processing adopted prior to the incident, as well as supporting documentation of the Risk Analysis that has led to the implementation of said safety measures security and, if applicable, a copy of the Impact Assessments of the treatments where the data security violation has occurred personal”. And that, according to the MINISTRY itself, is the development methodology used. -That measures have been established for the continuous improvement of crisis management and cyber incidents, focused on the prevention, detection and response to incidents of security. Specifically, the following measures have been implemented to strengthen security: • The process of development and start-up of applications has been reviewed, such as part of the continuous improvement process in the development and commissioning cycle of applications, with special emphasis on the following aspects: o Reinforcement of the resources allocated to the prior validation of the security of the application before going into production. o Reinforcement of penetration testing and analysis methods code to all self-developed systems and will not be put into production even with solving the possible vulnerabilities detected. o Reassessment of all self-developed systems to verify that they the vulnerabilities with High or Critical typology have been corrected, detected during the “pentest” phase. • The (...) has been reviewed, updating the main areas to take into account when of developing applications, as well as the main tasks tasks to consider when implementing applications in the Continuous Integration structure and Continuous Deployment in the CSCM, in order to have the highest standards that the applications must comply with from the technical point of view and functional, as well as the technical documents that describe the platforms with which which must be integrated. • Use cases in security audits have been improved. Lastly, it is relevant to mention that work is currently being done on a project to adopt a tool (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/23 -In this regard, this Agency values positively the adoption of new measures that result in greater security in terms of the treatment of personal data refers and that can prevent, in the future, incidents such as the one substantiated in this proceeding. -That the (...) is part of the security regulatory body of the CSCM and is is qualified as a RESTRICTED USE document, so it is considered a controlled release document and its use is restricted to personnel organization, since its public dissemination may pose a risk for security. The content (...) constitutes confidential information whose dissemination, outside the organization or the scope of the people who do not need to know said information, it can cause damage or cyberattacks on the services considered essential by law. Therefore, it is required that such information, given its extraordinary sensitivity, be object of reservation and, consequently, that information about the content is not displayed (...) in the Resolution that falls on this procedure and that could, in its case, be published. -In this regard, this Agency states that the documentation contained in the file is used exclusively to carry out an exhaustive and correct instruction of the same, not being, in any case, of public access. Even in the event that in the resolution that falls some type of information of restricted use, it would be anonymized as a step prior to publication. SIXTH: On August 12, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction the MINISTRY OF HEALTH, with NIF S7800001E, -Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the GDPR, with a warning. -For an infringement of Article 25 of the RGPD, typified in article 83.4 of the RGPD, with a warning. -For an infringement of Article 32 of the RGPD, typified in article 83.4 of the RGPD, with a warning. -For an infringement of Article 33 of the RGPD, typified in article 83.4 of the RGPD, with a warning. SEVENTH: Once the proposed resolution has been notified, the MINISTRY presents a new brief of allegations in which, in summary, reproduces those already presented to the Agreement Home, and adds that: – Of the notification to the AEPD. As stated in the first letter sent to the AEPD in relation to this sanctioning procedure, depending on the level of risk of the incidence, taking into account the low volume of data that could have been affected, the typology of the same, being only data of a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/23 identification, and the non-existent impact caused on the interested parties, it was estimated that it was mandatory to inform the Control Authority. Thus, article 33 of the RGPD states that "In case of violation of the security of personal data, the person responsible for the treatment will notify the authority of competent control in accordance with Article 55 without undue delay and, if possible, no later than 72 hours after you have been aware of it, to unless such breach of security is unlikely to constitute a risk for the rights and freedoms of natural persons”. Therefore, in the present case, as we have indicated, taking into account that neither At that time, nor currently, there is evidence that no citizen has suffered negative consequences on their rights and freedoms, taking into account further consideration that a significant number have not been affected of personal data, nor have been affected special category data of the citizens, it was considered at the time that such communication was not necessary since it was unlikely to constitute a risk to the rights and freed citizens. – Security measures initially taken. In addition to the above, as indicated In the initial communication to the AEPD, from the design the tool had adequate security measures to avoid, so much so that the impact of possible security incidents were high, as they happened. Thus, in the first letter sent, it was already indicated that at all times the communication between the user and the SERMAS servers are secured. The The design of the application architecture does not allow the modification of the data of user affiliation. Because the application makes use of a database independent and the requested mobile is only used as part of the OTP (One Time Password) implemented to validate the appointment request. In the same way and to correct what happened, once the failure was known and identified the same, before it was published in the media, We proceeded to make the modification of the application in order to improve the information system and the version was uploaded, being the following the most relative changes: June 9th: (…) In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: It is proven that on 05/24/2021, the MINISTRY activated a self-appointment system so that citizens could request an appointment to be vaccinated against COVID-19. SECOND: It is proven that there was a failure in the system, due to which personal data (public) were exposed by accessing through a cookie of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/23 valid session, and editing the URL accessed one of the input fields called "idPatient" with a valid DNI. THIRD: It is proven that the web application had mechanisms for Insufficient blocking before retries when entering the authentication data. FOURTH: It is proven that, after becoming aware of the security breach, the MINISTRY did not communicate it to the AEPD. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II In relation to the arguments presented to the resolution proposal, the MINISTRY reiterates those already presented above and adds that: 1-Regarding the notification of the breach to the AEPD, depending on the level of risk of the incidence, taking into account the low volume of data that could have been affected, the typology of the same, being only data of a identification, and the non-existent impact caused on the interested parties, it was estimated that it was mandatory to inform the Control Authority. In the present case, taking into account that, neither at that time, nor currently, there is evidence that no citizen has suffered negative consequences in their rights and freedoms, taking into account additionally that they have not been a significant number of personal data have been affected, nor have they been affected special category data of citizens, it was estimated at the time that said communication was not necessary since it was unlikely that a risk to the rights and freedoms of citizens. -In this regard, this Agency indicates that it has not been submitted by the COUNSELING an assessment of risks actually carried out, resulting, by Therefore, very indeterminate the concept of: "it was unlikely that it would be constituted a risk to the rights and freedoms of citizens” 2- Security measures initially taken. In addition to the above, as indicated In the initial communication to the AEPD, from the design the tool had C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/23 adequate security measures to avoid, so much so that the impact of possible security incidents were high, as they happened. -In this regard, this Agency confirms that, in fact, the incidents materialized, that a fault was detected in the system, due to a exposure of personal (public) data information accessed through a valid session cookie, and editing the URL accessed one of the fields entry called "idPatient" with a valid DNI. Additionally, it was found that the web application had mechanisms for Insufficient blocking before retries when entering the data of authentication. III Article 5.1.f) “Principles related to treatment” of the RGPD establishes: "1. The personal data will be: (…) f) processed in such a way as to ensure adequate security of the data including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational structures (“integrity and confidentiality”).” In the present case, it is stated that the personal data of those affected, contained in the database of the MINISTRY, were unduly exposed to a third party, according to the news published in elDiario.es. From the investigation carried out in this proceeding, it is concluded that the CONSEJERIA has violated the provisions of article 5.1.f of the RGPD. IV The infringement is typified in article 83.5 of the RGPD that under the heading "Conditions rules for the imposition of administrative fines” provides: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that: “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/23 For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: "1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” v Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in its section 7 the following: “7. Without prejudice to the corrective powers of the control authorities under the Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and organizations public authorities established in that Member State. For its part, article 77 “Regime applicable to certain categories of responsible or in charge of the treatment” of the LOPDGDD provides the following: "1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: (…) c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration. (…) 2. When those responsible or in charge listed in section 1 committed any of the infractions referred to in articles 72 to 74 of this law organic, the data protection authority that is competent will dictate resolution sanctioning them with a warning. The resolution will establish also the measures that should be adopted to stop the behavior or correct it. the effects of the infraction that had been committed. 3. Without prejudice to what is established in the previous section, the data protection authority data will also propose the initiation of disciplinary actions when there are sufficient evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on disciplinary or sanctioning regime that result of application. Likewise, when the infractions are attributable to authorities and managers, and proves the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or Autonomous Gazette that correspond. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/23 (…) 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. (…)” SAW Article 25.1 of the RGPD indicates: "1. Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of various probability and seriousness that the treatment entails for the rights and freedoms of natural persons, the data controller will apply, both at the time of determine the means of treatment as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymisation, designed to effectively apply the principles of data protection, such as the minimization of data, and integrate the necessary guarantees in the treatment, in order to comply with the requirements of this Regulation and protect the rights of interested.” In the present case, it is known that a fault has been detected in the system, due to a exposure of personal (public) data information accessed through a valid session cookie, and editing the URL accessed one of the input fields called "idPatient" with a valid DNI. Additionally, it is detected that the application website had insufficient blocking mechanisms against retries at the time of enter the authentication data. From the investigation carried out in this proceeding, it is concluded that the CONSEJERIA has violated the provisions of article 25.1 of the RGPD, 7th The infringement is typified in article 83.4 of the RGPD that under the heading "Conditions rules for the imposition of administrative fines” provides: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the obligations of the person in charge and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law. For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/23 “Based on the provisions of article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) d) The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the principles of protection of data from the design, as well as the non-integration of the guarantees necessary in the treatment, in the terms required by article 25 of the Regulation (EU) 2016/679. (…) viii Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in its section 7 the following: “7. Without prejudice to the corrective powers of the control authorities under the Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and organizations public authorities established in that Member State. For its part, article 77 “Regime applicable to certain categories of responsible or in charge of the treatment” of the LOPDGDD provides the following: "1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: (…) c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration. (…) 2. When those responsible or in charge listed in section 1 committed any of the infractions referred to in articles 72 to 74 of this law organic, the data protection authority that is competent will dictate resolution sanctioning them with a warning. The resolution will establish also the measures that should be adopted to stop the behavior or correct it. the effects of the infraction that had been committed. 3. Without prejudice to what is established in the previous section, the data protection authority data will also propose the initiation of disciplinary actions when there are sufficient evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on disciplinary or sanctioning regime that result of application. Likewise, when the infractions are attributable to authorities and managers, and proves the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/23 will order the publication in the Official State or Autonomous Gazette that correspond. (…) 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. (…)” IX Article 32 “Security of treatment” of the RGPD establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of individuals physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational measures to guarantee a level of security appropriate to the risk, which in your case includes, among others: a) pseudonymization and encryption of personal data; b) the ability to ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and evaluation of the effectiveness technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular account shall be taken of takes into account the risks presented by the processing of data, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data data transmitted, stored or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to an approved code of conduct under article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The person in charge and the person in charge of the treatment will take measures to guarantee that any person acting under the authority of the person in charge or the person in charge and has access to personal data can only process said data following instructions of the person in charge, unless it is obliged to do so by virtue of the Right of the Union or the Member States. In the present case, at the time of the breach, the MINISTRY did not had the appropriate technical and organizational measures in place to prevent produced an incident such as the one substantiated in this proceeding, since once the CIPA code was entered, a second authentication was not required, nor were the Personal data appeared pseudonymized. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/23 From the investigation carried out in this proceeding, it is concluded that the CONSEJERIA has violated the provisions of article 32 of the RGPD, X The infringement is typified in article 83.4 of the RGPD that under the heading "Conditions rules for the imposition of administrative fines” provides: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the obligations of the person in charge and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law. For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on the provisions of article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. (…) eleventh Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in its section 7 the following: “7. Without prejudice to the corrective powers of the control authorities under the Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and organizations public authorities established in that Member State. For its part, article 77 “Regime applicable to certain categories of responsible or in charge of the treatment” of the LOPDGDD provides the following: "1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/23 (…) c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration. (…) 2. When those responsible or in charge listed in section 1 committed any of the infractions referred to in articles 72 to 74 of this law organic, the data protection authority that is competent will dictate resolution sanctioning them with a warning. The resolution will establish also the measures that should be adopted to stop the behavior or correct it. the effects of the infraction that had been committed. 3. Without prejudice to what is established in the previous section, the data protection authority data will also propose the initiation of disciplinary actions when there are sufficient evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on disciplinary or sanctioning regime that result of application. Likewise, when the infractions are attributable to authorities and managers, and proves the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or Autonomous Gazette that correspond. (…) 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. (…)” XII Article 33 “Notification of a violation of the security of personal data to the control authority” of the RGPD establishes: "1. In case of violation of the security of personal data, the person in charge of the treatment will notify the competent control authority in accordance with the article 55 without undue delay and, if possible, no later than 72 hours after who was aware of it, unless it is unlikely that such violation constitutes a risk to the rights and freedoms of individuals physical. If the notification to the supervisory authority does not take place within the period of 72 hours, must be accompanied by an indication of the reasons for the delay. 2. The person in charge of the treatment will notify without undue delay the person in charge of the treatment the violations of the security of the personal data of which it has knowledge. 3. The notification referred to in section 1 must, at a minimum: a) describe the nature of the data security breach including, where possible, the categories and number C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/23 approximate number of stakeholders affected, and the categories and approximate number of affected personal data records; b) communicate the name and contact details of the data protection delegate data or another point of contact where further information can be obtained; c) describe the possible consequences of the breach of the security of the personal information; d) describe the measures adopted or proposed by the person responsible for the processing to remedy the data security breach including, if applicable, the measures taken to mitigate the possible negative effects. 4. If it is not possible to provide the information simultaneously, and to the extent that is not, the information will be provided gradually without undue delay. 5. The data controller will document any breach of data security. personal data, including the facts related to it, its effects and the corrective measures taken. Said documentation will allow the authority of control to verify compliance with the provisions of this article.” In the present case, it is clear that the MINISTRY has suffered a security breach of personal data on 05/24/2021 and has not informed this Agency. From the investigation carried out in this proceeding, it is concluded that the CONSEJERIA has violated the provisions of article 33 of the RGPD. XIII The infringement is typified in article 83.4 of the RGPD that under the heading "Conditions rules for the imposition of administrative fines” provides: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the obligations of the person in charge and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law. For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on the provisions of article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/23 (…) r) Failure to comply with the duty to notify the data protection authority data from a security breach of personal data in accordance with the provisions of article 33 of Regulation (EU) 2016/679. (…)” fourteenth Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in its section 7 the following: “7. Without prejudice to the corrective powers of the control authorities under the Article 58(2), each Member State may lay down rules on whether can, and to what extent, impose administrative fines on authorities and organizations public authorities established in that Member State. For its part, article 77 “Regime applicable to certain categories of responsible or in charge of the treatment” of the LOPDGDD provides the following: "1. The regime established in this article will be applicable to the treatment of who are responsible or in charge: (…) c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration. (…) 2. When those responsible or in charge listed in section 1 committed any of the infractions referred to in articles 72 to 74 of this law organic, the data protection authority that is competent will dictate resolution sanctioning them with a warning. The resolution will establish also the measures that should be adopted to stop the behavior or correct it. the effects of the infraction that had been committed. 3. Without prejudice to what is established in the previous section, the data protection authority data will also propose the initiation of disciplinary actions when there are sufficient evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on disciplinary or sanctioning regime that result of application. Likewise, when the infractions are attributable to authorities and managers, and proves the existence of technical reports or recommendations for the treatment that had not been duly attended to, in the resolution imposing the The sanction will include a reprimand with the name of the responsible position and will order the publication in the Official State or Autonomous Gazette that correspond. (…) 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities the actions carried out and the resolutions issued under this article. (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/23 Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE THE MINISTRY OF HEALTH, with NIF S7800001E, -Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, a sanction of warning. -For an infringement of Article 25 of the RGPD, typified in article 83.4 of the RGPD, a warning sanction. -For an infringement of Article 32 of the RGPD, typified in article 83.4 of the RGPD, a warning sanction. -For an infringement of Article 33 of the RGPD, typified in article 83.4 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to the MINISTRY OF HEALTH. THIRD: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/23 contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-120722 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es