AEPD (Spain) - EXP202213638

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Article 33 GDPR
Article 34 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.01.2025
Published:
Fine: 4,000,000 EUR
Parties: Generali España, Sociedad Anónima de Seguros y Reaseguros
National Case Number/Name: EXP202213638
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: frabiss

The DPA fined an insurance company €4,000,000 after an unauthorised third party, using an insurance broker's compromised credentials, was able to access personal data of the controller's former clients because of inadequate security measures; a sample of 24,315 leaked records was later offered for sale on Telegram.

English Summary

Facts

The controller is an insurance company. On 5 October 2022, it detected performance and saturation problems on the server hosting its customer maintenance application (SMC), which insurance brokers use to access the data of the clients they mediate. The cause was a high volume of requests: an unauthorised third party had compromised the login credentials of one of the controller's insurance brokers and used them to run an automated brute-force attack against the customer query form, submitting multiple random national ID (NIF) numbers. The attack had been running undetected since 19 September 2022.

The controller investigated the matter and concluded that the breach affected 37 data subjects, i.e. only the clients and former clients handled by the broker whose credentials had been compromised.

The affected application kept no logs or traces of user activity, so the controller was unable to establish the extent of the attack or how many of the requests had succeeded. Nevertheless, it deemed the breach unlikely to result in a risk to the rights and freedoms of natural persons and did not notify the DPA under Article 33(1) GDPR.

However, on 11 November 2022, the controller learned that a database containing personal data of its former clients was being offered for sale in a Telegram group; a sample of 24,315 records was obtained as evidence.

At the same time, the controller discovered that, due to a software error in the SMC application, the attacker had been able to access not only the data of that broker's clients but the data of any former client of the controller. The leaked data comprised name and surname, national ID (NIF) number, telephone numbers, date and country of birth, marital status, full address and IBAN.

At this point, the controller reassessed the risks arising from the data breach and concluded that it was necessary to notify both the DPA and the affected data subjects.

The DPA opened an investigation into the matter. Several data subjects also filed complaints with the DPA.

Holding

First, the DPA pointed out that, at the moment of the unauthorised access, the controller had not performed any data protection impact assessment concerning the processing activity at hand.

Secondly, the DPA noted that the controller had not implemented a 2-factor authentication system for the platform that was hacked.

Thirdly, the DPA recalled that, due to a software error in the SMC application, insurance brokers were able to access not only their own customers' data but also the profiles of other data subjects, including any former client of the controller.

Fourthly, the DPA pointed out that the data breach occurred because of these failures. It therefore found a violation of Article 5(1)(f) GDPR, noting that this provision imposes an obligation of result on the controller, the result being the protection of the data subjects' confidentiality.

On the other hand, according to the DPA, Article 32 GDPR sets an obligation of means, imposing to the controller to implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, rather than guaranteeing a specific outcome. The DPA held that the measures adopted by the controller were inadequate and, therefore, found a violation of this article.

Moreover, the DPA held that the controller had not complied with Article 25(1) GDPR. More specifically, in designing the IT system the controller did not take into account the principle of data minimisation: it kept the data of former clients and of current clients in the same database without differentiating them, so that brokers retained access to former clients' data after the contractual relationship had ended.

Additionally, the DPA found that the controller should have conducted a Data Protection Impact Assessment and therefore had violated Article 35 GDPR. The reasons for the necessity of the DPIA were that the controller conducted large-scale processing of data.

On these grounds, the DPA issued a fine of €5,000,000 which was reduced to €4,000,000 due to the voluntary payment procedure under Spanish law. The fine was composed of €1,000,000 for the violation of Article 5(1)(f) GDPR, €1,000,000 for the violation of Article 32 GDPR, €2,000,000 for the violation of Article 25 GDPR and €1,000,000 for the violation of Article 35 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202213638

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND (p. 2)
FACTS (p. 2)
  FIRST (p. 3)
  SECOND (p. 3)
  THIRD (p. 4)
  FOURTH (p. 4)
  FIFTH (p. 8)
  SIXTH (p. 9)
  SEVENTH (p. 9)
  EIGHTH (p. 12)
PROVEN FACTS (p. 12)
  FIRST (p. 12)
  SECOND (p. 13)
  THIRD (p. 13)
  FOURTH (p. 13)
  FIFTH (p. 14)
  SIXTH (p. 14)
  SEVENTH (p. 14)
  EIGHTH (p. 14)
LEGAL BASIS (p. 15)
  I Jurisdiction (p. 15)
  II Termination of the procedure (p. 15)
  III Response to the allegations made against the initiation agreement (p. 16)
    Regarding the inaccuracies contained in the initiation agreement of the present sanctioning procedure (p. 16)
    Second allegation: Regarding the impact on the principles of sanctioning law arising from the interpretation made by the AEPD
    Third allegation: Regarding the alleged infringements attributed to Generali (p. 26)
    Fourth allegation: Regarding the violation of the principle of proportionality (p. 32)
  IV Unfulfilled obligation of article 5.1 f) (p. 33)
  V Classification and qualification of the infringement of article 5.1.f) of the GDPR (p. 35)
  VI Penalty for non-compliance with article 5.1 f) (p. 36)
  VII Unfulfilled obligation of article 32 (p. 38)
  VIII Classification and qualification of the infringement of article 32 of the GDPR (p. 40)
  IX Penalty for the infringement of article 32 of the GDPR (p. 41)
  X Unfulfilled obligation under Article 25 of the GDPR (p. 42)
  XI Classification of the infringement of Article 25 of the GDPR (p. 46)
  XII Penalty for the infringement of Article 25 of the GDPR (p. 47)
  XIII Penalty for the infringement of Article 35 of the GDPR (p. 48)
  XIV Classification and qualification of the infringement of Article 35 of the GDPR (p. 52)
  XV Possible sanction for the infringement of Article 35 of the GDPR (p. 53)
  XVI Adoption of measures (p. 54)
  XVII Voluntary payment (p. 54)
RESOLVES (p. 55)
  FIRST (p. 55)
  SECOND (p. 56)
  THIRD (p. 56)
  FOURTH (p. 56)

BACKGROUND

FIRST:
(…) (hereinafter, the complaining parties) filed a complaint with the Spanish Data Protection Agency on November 18, 2022. The complaint is directed against GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS with NIF A28007268 (hereinafter, GENERALI). The reasons on which the complaint is based are the following:

In their writings, the complaining parties state that they received a communication via email or by post from GENERALI in which they were informed of a cyber security incident in its systems. According to the content of said communication, the incident was due to “unlawful access to the Information Systems, which has caused part of the information they hold from when you were a client of GENERALI Spain, and in compliance with our legal and contractual obligations, to be exposed.” The communication also indicates that said information "could include your data and that of the insured in your old policy regarding name, surname, address, landline and mobile phone, email, ID, date and country of birth, marital status and the IBAN code of your current account."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/53

The following are highlighted from the documentation provided by the claimants in their various documents:

- Screenshots showing the communication received via email or postal mail from GENERALI through which information is provided about the aforementioned security breach and its impact on the personal data of the claimants.

- Screenshot of an email sent by one of the claimants to the respondent party requesting the exercise of the right to delete their data.

- Screenshot of a letter sent by one of the claimants to the respondent party requesting the non-renewal of the policy and the cancellation of all their personal data.

- Screenshot of an email from one of the complainants requesting information on the reason why their data had been kept, since they had not been a client of the company since 2018, as well as a screenshot of the response from the respondent party.

SECOND:

In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), these claims were forwarded to the respondent party, so that it could analyse them and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfers, which were carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), were formally notified, as stated in the corresponding receipts included in the file.

On 02/03/2023, this Agency received written responses to said transfers, the content of which is set out below in the investigation report carried out by the Subdirectorate General for Data Inspection of this authority.

THIRD:
On 02/07/2023, in accordance with article 65 of the LOPDGDD, the claims submitted by the complaining parties were admitted for processing.

FOURTH:
The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, which ended with a report containing the following conclusions:

In relation to the detection of the breach, the entry vector and its impact, the investigative actions report concludes that:

- The attack was detected on 5 October 2022 after performance and saturation problems were noticed on the application server. This problem was a consequence of the high number of requests that the attack was making to the customer maintenance application (SMC), which insurance brokers use to access the data of the clients mediated by them. It has been confirmed that the attackers compromised the access credentials of one of the brokers and used them to enter this application and run an automated brute-force attack against the customer query form, making attempts with multiple random NIF numbers. On that same date it was confirmed that the attack had been under way since September 19, 2022 without being detected by the respondent's systems.

- On October 6, 2022, the user account through which the attack was being carried out was identified and its credentials were changed, which contained the attack.

- According to the statement of the controller, it has been confirmed that, after the attack was detected, it was not possible to obtain evidence of the impact on personal data, since there were no logs or traces in the affected application, so it was not possible to know how many of the requests launched by the attackers were successful. The controller states that on that date only the potentially affected scenario was known, which corresponded to the 37 natural persons (clients or former clients) of that insurance broker. However, on a later date (November 11, 2022) it was learned that the potentially affected scenario was much larger, due to a failure in the software that allowed a broker to access personal data not only of its own clients but also of any former client of GENERALI. On October 6, 2022, an initial assessment of the risk level and severity of the breach was carried out (with the information available) and it was concluded that it was not necessary to notify the AEPD or those affected of the incident.

- On November 11, 2022, the leak of personal data became known when it was learned that a database of former GENERALI clients had been sold through a Telegram group; a sample of 24,315 records was obtained as evidence, corroborating the impact on the following leaked personal data:


o Name and Surname.

o ID of affected person.

o ID of policyholder.

o Telephone 1 and Telephone 2.

o Date and country of birth.

o Marital Status

o Full Address, Postal Code, City, Community.

o IBAN.

It was on this same date that the existence of an error in the SMC software was detected that had allowed the attackers to access not only the clients of the affected broker itself, but also all the former clients of the defendant party. On this date, a new assessment of the risk and severity of the incident was carried out, concluding the need to notify both AEPD and the affected persons.

In relation to the communication of the breach to those affected, it has been confirmed that GENERALI communicated with the potentially affected former clients in the following way:

- The people included in the sample file obtained from the attackers were informed on November 15, 2022 by email or postal mail. In total, 24,352 people were informed.

- Former policyholders not included in the sample file were informed by email or post on dates between November 16 and 28, 2022 (1,092,543 potentially affected persons).

- For former insured persons under individual policies, contact information was not available, and it was decided to include the information in the communication made to the former policyholder (399,153 potentially affected persons).

- For former insured persons under group policies, it was decided to make a public communication on the website due to the lack of contact information. This communication was visible from November 30, 2022 to March 31, 2023 (1,66,621 potentially affected persons).

It has been noted that there was no analysis of the risks to the rights and freedoms of individuals in the processing activity affected by the breach, in which the possible threats that could cause damage or harm to the individuals affected by this processing had been identified and assessed, and which concluded with the appropriate technical and organisational measures to manage those risks. On the contrary, there was only one document containing a general analysis or description of the processing, for the purpose of determining the need to carry out an impact assessment (DPIA), which concluded that the processing has a low level of impact and that a DPIA is not necessary.


In relation to the technical and organisational preventive measures implemented in the period prior to the breach, it is proven:

- (…)

Regarding the reactive measures implemented after the security breach, it has been proven:

- (…)

The shortcomings in the technical measures deployed to record and monitor user activity in the SMC application (…) meant that, after the detection of the attack on 5 October 2022, it was not possible to obtain proof of its real impact and of which personal data of former clients of the respondent party had been accessed; it was not until 11 November 2022 that the impact of the leak became known through the sample obtained. Following the breach, new reactive measures were introduced to keep complete traces in this application and to control the transactions requested by users.
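The shortcomings described above come down to three missing controls: no record of which account queried which record, brokers able to query any former client, and no detection of a single broker account firing thousands of lookups. The following Python example is added here by the editor; it is not GENERALI's SMC code and nothing in the decision describes its implementation. The client records, broker identifiers, NIF values and the threshold of ten denied lookups per minute are constructed for illustration. It shows a broker-facing customer lookup that authorizes each record (a broker sees only clients it mediates with a live policy, the restriction the controller added after the breach), writes an audit entry for every request so the affected records can be reconstructed afterwards, and flags an account whose denied lookups exceed the threshold, replaying an attacker who enumerates random NIFs through a compromised broker account.

```python
# Added example (not Generali's SMC code): a broker-facing customer lookup with
# per-record authorization, a full audit trail and enumeration detection.
# Client records, broker names, NIFs and the threshold are constructed.
import random
from collections import defaultdict, deque
from dataclasses import dataclass

NIF_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"


def make_nif(number: int) -> str:
    """Build a syntactically valid Spanish NIF (8 digits + check letter)."""
    return f"{number:08d}{NIF_LETTERS[number % 23]}"


@dataclass(frozen=True)
class Client:
    nif: str
    broker_id: str       # broker that mediates this client
    policy_active: bool  # False once the policy has ended (former client)


class CustomerLookup:
    """Customer query endpoint with three controls:

    - authorization: a broker sees only clients it mediates with a live policy
    - audit trail: every request is recorded with its outcome, so the real
      impact of an incident can be reconstructed from the log
    - enumeration detection: a burst of denied lookups from one account inside
      the time window flags that account for review
    """

    def __init__(self, clients, max_denied=10, window_s=60.0):
        self._by_nif = {c.nif: c for c in clients}
        self.max_denied = max_denied
        self.window_s = window_s
        self.audit_log = []                 # (timestamp, broker_id, nif, outcome)
        self._denied = defaultdict(deque)   # broker_id -> timestamps of denials

    def lookup(self, broker_id: str, nif: str, now: float):
        client = self._by_nif.get(nif)
        allowed = (client is not None
                   and client.broker_id == broker_id
                   and client.policy_active)
        self.audit_log.append((now, broker_id, nif, "ok" if allowed else "denied"))
        if not allowed:
            window = self._denied[broker_id]
            window.append(now)
            while window and now - window[0] > self.window_s:  # drop old denials
                window.popleft()
            return None
        return client

    def is_flagged(self, broker_id: str) -> bool:
        """True when the account exceeded the denied-lookup threshold."""
        return len(self._denied[broker_id]) >= self.max_denied

    def disclosed_nifs(self, broker_id: str) -> set:
        """NIFs whose data this account actually received, taken from the log."""
        return {nif for _, b, nif, outcome in self.audit_log
                if b == broker_id and outcome == "ok"}


def simulate_enumeration(attempts=50, seed=1) -> CustomerLookup:
    """Replay an attacker holding broker-A's credentials who submits random
    NIFs to the query form, one per second, then probes three known NIFs."""
    rng = random.Random(seed)
    clients = [
        Client(make_nif(11111111), "broker-A", True),    # current client of A
        Client(make_nif(22222222), "broker-A", False),   # former client of A
        Client(make_nif(33333333), "broker-B", True),    # client of another broker
    ]
    svc = CustomerLookup(clients)
    for t in range(attempts):
        svc.lookup("broker-A", make_nif(rng.randrange(10**8)), now=float(t))
    for c in clients:
        svc.lookup("broker-A", c.nif, now=float(attempts))
    return svc


if __name__ == "__main__":
    svc = simulate_enumeration()
    print("broker-A flagged:", svc.is_flagged("broker-A"))
    print("records disclosed to broker-A:", sorted(svc.disclosed_nifs("broker-A")))
```

With these controls the attacker's account is flagged within its first minute of activity, only the one current client of that broker is ever disclosed, and the audit log answers the question the controller could not answer in October 2022: exactly which records the compromised account received.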

In relation to the retention periods of personal data of former clients who ended their contractual relationship (end of insurance policies), it has been established:

- (…).

- That after the end of a client's contractual relationship (end of the policy), the retention period of personal data for the purpose for which they had been initially collected (insurance contract) was over. However, it has been established that personal data continued to be processed for other purposes, justified by reference to the following regulations:

o Law 50/1980 on insurance contracts (retention period 2 years).

o Law 58/2003 on limitation periods in tax matters (retention period 4 years).

o Commercial Code on the retention of business supporting documents (retention period 6 years).

o Law 20/2015 on fraudulent conduct relating to insurance (retention period 5 years).

o Law 10/2010 on the prevention of money laundering (retention period 5 years).

Despite the change in the purpose for which personal data continued to be processed, it has been established that both insurance agents (who have the status of data processors) and insurance brokers (who have the status of data controllers) continued to access the personal data of these former clients, although without the possibility of editing them. As a reactive measure after the breach, the SMC application was modified so that brokers only had access to data of clients with a valid policy (policyholders, insured persons and beneficiaries).


FIFTH:
According to the report obtained from the AXESOR tool, the entity GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS is a company with (…) euros in 2022. In relation to the business volume according to the cited report, it reaches (…), expressed as “Premium volume for the year 2022” in the document “Report on the financial and solvency situation” for the year 2022, which has been incorporated into the file.

SIXTH:
On February 6, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party for the alleged infringement of articles 5.1.f), 25, 32 and 35 of the GDPR, classified in articles 83.4 and 83.5 of the GDPR.

SEVENTH:

On 03/14/2024, a document submitted by GENERALI was entered into the registry of this authority, in which various allegations were made against the initiation agreement dated February 6, 2024. The following is highlighted from the content of said document:

Regarding the inaccuracies contained in the initiation agreement of this sanctioning procedure:

Generali's representation alleges several inaccuracies in the initiation agreement of the sanctioning procedure of the Spanish Data Protection Agency.

Thus, first of all, Generali questions the claim that the data of 800,000 former clients, including sensitive information such as IBAN, appeared on a Telegram forum and were accessible to the public. According to Generali, this claim does not correspond to the documents in the administrative file. It argues that a Telegram forum user claimed to have the personal data, but did not provide specific information or evidence of public access to this data. The cybersecurity company Lazarus detected the message and notified Generali, providing a limited sample of data to verify the veracity of the claim. It has not been proven that the data was publicly available or accessible on the Telegram forum, only that someone claimed to possess it.

As for the damages suffered by the interested parties, Generali argues that no actual damage to those affected by the security breach has been proven. It claims that only one claimant has expressed the intention to seek compensation for unproven moral damages, and that there are no other claims for damages in the administrative file, so it considers that the risks and damages mentioned are merely potential and not real.

It also opposes the claim that the infringement is aggravated by the processing of sensitive data, including health data. Generali refutes this, pointing out that the affected system does not contain special categories of data under article 9 of the GDPR. It points out that Generali has provided records of processing activities and communications to affected parties, indicating that the compromised data were identification, contact and payment data, but not health data.


On the other hand, Generali argues that, contrary to what the AEPD has stated, it is lawful and necessary for insurance brokers to access information on former clients in order to comply with various obligations. In addition, the Insurance Contract Law establishes limitation periods (two years for property insurance, five for personal insurance) during which claims may arise from contracts that have already been terminated. In this sense, mediators need access to information to justify their remuneration and to comply with tax and accounting obligations, while insurance agents, acting as the insurers' data processors, need access to relevant information to comply with their legal and contractual obligations.

Regarding the impact on the principles of sanctioning law arising from the interpretation made by the AEPD:

Generali alleges that the initiation agreement incurs significant violations of the principles of administrative sanctioning law, particularly the non bis in idem principle and the provisions of article 29.5 of the Law on the Legal Regime of the Public Sector (LRJSP) in relation to the medial concurrence of infringements.

Generali maintains that the AEPD is imposing multiple sanctions for acts that are, in essence, identical or intrinsically related, which compromises the non bis in idem principle. This principle establishes that a person cannot be sanctioned twice for the same facts. In this case, the AEPD considers that Generali has committed four different violations of the GDPR: not adopting adequate security measures (article 32.1), not complying with the principle of data protection by design (article 25.1), not carrying out a data protection impact assessment (DPIA) (article 35), and violating the principle of confidentiality (article 5.1 f).

Generali argues that these four charges arise from the same fact: the security breach in the SMC application. It indicates that the AEPD, by imposing sanctions for each of these violations, would be duplicating the sanctions for the same fact, since all the violations are inextricably linked. It points out that the AEPD is not alleging a lack of security measures in general, but specifically in relation to data processing in the SMC. Generali argues that the AEPD follows an inverse reasoning: it takes the result of the security breach to deduce the lack of security measures, the absence of protection by design and the lack of a DPIA. This approach, according to Generali, is incorrect and leads to the imposition of multiple sanctions for a single act.

Regarding the alleged infringements imputed to Generali.
In this allegation, Generali exhaustively addresses the specific infringements that the Spanish Data Protection Agency imputes to it. The company follows an argumentative order that differs from the initiation agreement, starting with the principle of data protection by design.

First, Generali explains the scope of the data protection by design principle, as set out by the European Data Protection Board (EDPB) in its Guidelines 4/2019. These guidelines detail that technical and organisational measures can range from advanced technical solutions to basic staff training. Generali argues that it has complied with its obligations under Article 25.1 of the GDPR, asserting that it carried out a thorough risk analysis and implemented the necessary measures to mitigate those risks. It adds that Generali's system allowed brokers to access former client data, which, according to Generali, is justified by insurance distribution regulations that impose certain legal obligations.

Regarding the alleged breach of Article 35 of the GDPR, Generali argues that a Data Protection Impact Assessment (DPIA) was not necessary for the SMC application. Generali maintains that it carried out a risk analysis that concluded that the data processing did not entail a high risk for the rights and freedoms of data subjects. In addition, it argues that the AEPD intends to introduce new criteria not contemplated in the GDPR, which exceeds its competence.

Regarding the inadequacy of security measures (Article 32 of the GDPR), Generali reaffirms that it has implemented adequate measures to protect personal data and that the security breach was the result of factors beyond its control, such as the compromise of a mediator's credentials. Generali argues that it took reactive measures diligently and that the fact that these measures were implemented quickly demonstrates its commitment to data security, not an admission of prior inadequacy.

Finally, regarding the alleged violation of the confidentiality principle (Article 5.1.f of the GDPR), Generali argues that the AEPD is sanctioning the existence of the security breach as a result rather than a lack of means, which contradicts the Supreme Court's case law establishing that the security obligation is an obligation of means, not of results. Generali argues that the notification of the breach to those affected should not be interpreted as an admission of inadequacy of the security measures.

In conclusion, Generali argues that each of the accusations made by the AEPD is based on incorrect assumptions or erroneous interpretations of the applicable regulations, and that it has complied with its obligations under the GDPR in a diligent and appropriate manner.

Regarding the violation of the principle of proportionality:
Generali argues that, in the event that it is determined that it has infringed the data protection regulations, the principle of proportionality must be considered when determining the sanction. To this end, Generali cites the Supreme Court's case law, which establishes that the sanction must be proportional to the infringement committed, considering all the concurrent circumstances.

Generali criticises the AEPD for not having carried out a meticulous evaluation of these circumstances, and points out that relevant mitigating factors have not been considered, such as the reactive measures adopted quickly, the lack of prior sanctions, the voluntary notification of the incident to the AEPD, and adherence to codes of conduct.

Generali also refutes the aggravating circumstances applied by the AEPD, arguing that these are based on inaccurate facts or on an objective assessment without specific evidence of negligence.


In conclusion, Generali maintains that, if an infringement were to be determined, the sanction should be significantly lower due to the presence of several mitigating circumstances and the lack of justification for the aggravating circumstances invoked by the AEPD.

EIGHTH:
On April 12, 2024, a letter from Generali was entered into the registry of this authority, through which it states that it has made the voluntary payment without acknowledgment of liability, in the following terms:

“XI: That in exercise of the power granted by the aforementioned article 85.2 of the LPACAP, Generali has proceeded to pay the amount of 80% of the proposed sanction, that is, the amount mentioned in the previous explanatory paragraph. To this end, proof of the payment made by Generali is provided as DOCUMENT NUMBER 1.

XII. That, as a consequence of the aforementioned payment, my client waives the exercise before the AEPD of any action or appeal through administrative channels against the sanction that, eventually and contrary to what Generali has argued, could be imposed, as prescribed in article 85.3 of the LPACAP, and therefore declares that it will not file an optional appeal for reconsideration before the AEPD against the resolution that is finally issued.

XIII. That, however, and as indicated in the previous expository paragraphs, the aforementioned payment is made in exercise of the power established in article 85.3 and does not in any case imply agreement with the content of the Commencement Agreement or with that of the resolution that may be issued, if it corresponds, in whole or in part, with the content of said Agreement. Likewise, the making of the aforementioned payment should in no case be interpreted as an acknowledgement by Generali of responsibility for the commission of the alleged infringements that could be imputed to it in the aforementioned resolution. To this end, Generali's intention to challenge the aforementioned resolution, if it does not imply the filing of the present case, before the contentious-administrative jurisdiction is expressly reiterated.”

In view of all the actions taken by the Spanish Data Protection Agency
in the present procedure, the following facts are considered proven:

PROVEN FACTS

FIRST:
It is proven that on October 5, 2022, the respondent party detected a brute force attack against the customer query form
through the use of a broker's credentials, making attempts with
multiple random NIF numbers, and regarding which it was decided not to notify the
incident.

This fact has been confirmed by the respondent party itself during the course of
the investigation proceedings: “On 10/5/22, a brute force attack was detected using
a broker's credentials. After applying the ENISA and AEPD rules, it was decided not
to report the incident (which could affect 37 interested parties). On that date, access to said broker was blocked and its credentials were modified, ceasing the attack.”

SECOND:
On November 11, 2022, the respondent party became aware of the
leak of personal data resulting from the attack that occurred, after a communication from
the cybersecurity company (…), which affected the following personal data:

o Name and Surname.
o ID of the affected person.
o ID of the policyholder.
o Telephone 1 and Telephone 2.
o Date and country of birth.
o Marital Status.
o Full Address, Postal Code, City, Community.
o IBAN.

THIRD:
It has been confirmed that GENERALI proceeded to inform former clients
potentially affected by the breach, pursuant to article 33 of the GDPR,
in the following way:
- For the persons included in the sample file obtained from the attackers,
a total of 24,352 people were informed on November 15, 2022 via email or postal mail.
- For former policyholders not included in the sample file, a total of 1,092,543 potentially affected people were informed
via email or postal mail on dates between November 16 and 28, 2022.
- For former insured persons with individual policies, contact information was not available and
it was decided to include the information in the communication made to the former
policyholder (399,153 potentially affected persons).
- For former insured persons with collective policies, it was decided to make a public
communication on the WEB due to the lack of contact information. This communication was
visible from November 30, 2022 to March 31, 2023 (166,621
potentially affected persons).

FOURTH:
It has been established that at the time of the attack the respondent party did
not have a risk analysis for the rights and freedoms of persons in the
processing activity in order to identify and evaluate the possible threats that generate
damage or harm to the persons affected by this processing.

This fact is evident in the investigation actions through which the contribution of the aforementioned risk analysis was
repeatedly requested, receiving the response
that “the processing is prior to the entry into force of the GDPR, (…), so
it has not been subject to an analysis subsequent to that already provided, without prejudice to the
measures adopted as a consequence of the security breach detected”.

FIFTH:
It is proven that, at the time of the attack, the respondent party did not
have an approved Data Protection Impact Assessment (DPIA) for the
processing of its activity.

This is clear from the respondent's own statement, as well as from the
document provided by the respondent through which an analysis or
general description of the processing was carried out with the purpose of determining the
need to carry out an impact assessment (EIPD), concluding that the processing had
a low level of impact and that it was not necessary to carry out this EIPD.

SIXTH:
It is proven that, at the time of the attack, the
second authentication factor was not implemented in the respondent's application for
insurance brokers.

This fact has been stated by the respondent party and confirmed by the
accreditation of the reactive measures implemented after the breach occurred:

“(…)”

SEVENTH:
It is proven that, until the adoption of the reactive measures by the respondent party
after the breach occurred, and due to a technical failure in the update of the
Customer Maintenance System (SMC) software, insurance brokers could access both the data of their clients and that of former clients who
no longer had a contractual link and were former policyholders and former insured persons
in the policy.

This has been corroborated by the respondent party and confirmed in the communication of
the reactive measures: “(…).”

EIGHTH:
The absence of transaction logs to guarantee
traceability in the system has been confirmed, which prevented the real impact of the breach and the personal data affected from being known
immediately. This is clear from
the defendant's own statement during the course of the investigation:
"There are no application logs that can help define
how many hits the massive attack had."
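The three control gaps in the first, seventh and eighth proven facts (one broker credential enumerating NIFs, broker access not scoped to active policies, and no access logs), modelled as an added example; it is not part of the resolution or of Generali's systems, and every class, name and record in it is constructed.

```python
"""Added example (not from the AEPD resolution or from Generali's systems).

Models, with constructed data, the three control gaps in the proven facts:
a broker lookup that is only answered for NIFs with an active policy under
that broker (seventh fact), an access log written for every attempt (eighth
fact), and a detector for one credential querying many distinct NIFs in a
short window, the enumeration pattern of the first fact.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    nif: str        # constructed NIF-like identifier, 8 digits + letter
    broker: str     # broker code assigned to this policy
    active: bool    # False for former clients retained only for legal reasons


@dataclass
class AccessLog:
    """Minimal transaction log: who queried which NIF, when, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, ts: datetime, broker: str, nif: str, allowed: bool) -> None:
        self.entries.append((ts, broker, nif, allowed))


class ClientDirectory:
    """Hypothetical client query endpoint with access scoped to active policies."""

    def __init__(self, policies, log: AccessLog):
        self._by_nif = defaultdict(list)
        for p in policies:
            self._by_nif[p.nif].append(p)
        self.log = log

    def lookup(self, ts: datetime, broker: str, nif: str):
        # Former-client records still exist in _by_nif (retention obligation) but
        # are never returned: the broker must hold an active policy for this NIF.
        allowed = any(p.broker == broker and p.active for p in self._by_nif.get(nif, []))
        self.log.record(ts, broker, nif, allowed)
        return {"nif": nif} if allowed else None


def flag_enumeration(log: AccessLog, window=timedelta(minutes=5), max_distinct=20):
    """Return {broker: peak distinct NIFs} for credentials that touched more than
    max_distinct different NIFs inside any sliding window (hits and misses alike)."""
    per_broker = defaultdict(list)
    for ts, broker, nif, _allowed in log.entries:
        per_broker[broker].append((ts, nif))
    flagged = {}
    for broker, events in per_broker.items():
        events.sort()
        in_window = defaultdict(int)   # NIF -> number of its events inside the window
        start = 0
        for ts, nif in events:
            in_window[nif] += 1
            while events[start][0] < ts - window:   # evict events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged[broker] = max(flagged.get(broker, 0), len(in_window))
    return flagged


def simulate():
    """Constructed scenario: normal broker use, then a stolen credential enumerating NIFs."""
    log = AccessLog()
    directory = ClientDirectory([
        Policy("00000001A", "broker-A", active=True),
        Policy("00000002B", "broker-A", active=False),   # former client, retained only
        Policy("00000003C", "broker-B", active=True),
    ], log)
    t0 = datetime(2022, 10, 5, 9, 0, 0)
    own = directory.lookup(t0, "broker-A", "00000001A")
    former = directory.lookup(t0 + timedelta(seconds=30), "broker-A", "00000002B")
    other = directory.lookup(t0 + timedelta(seconds=60), "broker-A", "00000003C")
    # Stolen broker-A credential tries 60 distinct NIFs, one every two seconds.
    for i in range(60):
        directory.lookup(t0 + timedelta(minutes=10, seconds=2 * i), "broker-A", f"{i:08d}Z")
    return {
        "own_client_returned": own is not None,
        "former_client_denied": former is None,
        "other_broker_denied": other is None,
        "flagged": flag_enumeration(log),
    }


if __name__ == "__main__":
    print(simulate())
```

The log keeps denied attempts too, so the enumeration is visible even though every probe of a non-client NIF returns nothing.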

NINTH:
From the investigation actions carried out, it is proven that GENERALI
had, at the time prior to the breach, the following technical and organizational
preventive measures:

- (…)

TENTH:
It is proven that GENERALI adopted the reactive measures implemented after the
security breach:

- (…)

LEGAL BASIS

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants to each
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory
provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Termination of the procedure

Article 85, paragraph 2 of the LPACAP establishes that “When the sanction is
only of a monetary nature or it is possible to impose a monetary sanction and another
of a non-monetary nature but the inadmissibility of the second has been justified, the
voluntary payment by the presumed responsible party, at any time prior to the
resolution, will imply the termination of the procedure, except in relation to the
restitution of the altered situation or the determination of the compensation for the
damages and losses caused by the commission of the infringement.”

Said voluntary payment implies, as indicated in the third section of the
same article, the corresponding reduction on the amount of the sanction: “In both
cases, when the sanction is only of a monetary nature, the competent body
to resolve the procedure will apply reductions of at least 20% on the
amount of the proposed sanction, these being cumulative with each other. The aforementioned
reductions must be determined in the notification of initiation of the
procedure and their effectiveness will be conditional on the withdrawal or waiver of
any action or appeal through administrative channels against the sanction."

In these terms, taking into account the voluntary payment that Generali has made and
communicated before the resolution proposal was issued by this authority, the present sanctioning procedure is terminated in
the terms indicated in the operative part of this resolution.


However, it is worth highlighting that, prior to the aforementioned voluntary payment,
Generali submitted a written statement of allegations against the initiation agreement, proceeding to a
detailed analysis of the indicated infringements and legally refuting each
of them. This fact obliges the present authority to rule on such
allegations and this by virtue of the provisions of article 88 of the LPACAP, which
expressly establishes that:

“The resolution that ends the procedure will decide all the questions raised
by the interested parties and those other questions derived from it.”

For the above reasons, in compliance with this legal mandate, through this
resolution, the objections made by Generali against the initiation agreement are answered,
and the termination of the procedure for prompt payment is declared in the terms established in articles 85.2 and 88 of the LPACAP.

III Answer to the objections made against the initiation agreement

Regarding the inaccuracies contained in the initiation agreement of this
sanctioning procedure.

First of all, Generali claims that the data of former clients were not accessible to the
public through a Telegram forum. However, from the investigation actions carried out, it is clear that on November 11, 2022, the sale of a database of former Generali clients in a Telegram group was confirmed,
which corroborates the public exposure of this data. Thus, in the aforementioned conclusions
of the acting inspector, it is expressly indicated that GENERALI was aware of the leak of personal data:

“On November 11, 2022, the leak of personal data became known when
the sale of a database of former GENERALI clients was known through a
Telegram group, obtaining as evidence a sample of 24,315 records that
corroborated the affectation of the following leaked personal data:
o Name and Surname.
o ID of affected person.
o ID of policyholder.
o Telephone 1 and Telephone 2.
o Date and country of birth.
o Marital Status
o Full Address, Zip Code, Town, Community.
o IBAN”

This evidence contradicts Generali's claim that there was no public access to
the compromised data.

On the other hand, this fact was confirmed by Generali during the course of the
investigation, in response to the previous request of the
present authority regarding the possible websites where the information was
leaked, indicating in relation to this that the provider Lazarus informed them that the data
had been located through a Telegram group.

Notwithstanding the above, it should be noted that regardless of whether the data
was or was not accessible in a forum, the simple fact that it has been exposed to an
unauthorized third party already constitutes a violation of the principle of confidentiality in
the terms established by article 5.1 f) RGPD.

In relation to the damages suffered by those affected, Generali maintains that no real damage has
been proven. In this regard, it is essential to highlight that, taking into account the content of the GDPR, it is not necessary for “real” damage to occur
for the infringements proposed in the initiation agreement to be committed. In the GDPR,
the violation of the principle of confidentiality provided for in article 5.1.f), data
protection by design and by default under article 25, the adoption of security measures
appropriate to the risk provided for in article 32, or the obligation to carry out the
Impact Assessment required by article 35 of the GDPR: none of them require that “real” damage occur for these precepts to be understood
as infringed.

In this regard, it is important to determine what is understood by damage or harm in
the context of the GDPR and the rights of the interested parties. Generali argues that no "real" damage has been proven, but does not specify whether it refers to tangible or physical damage, economic damage, or whether it is limiting the damage to a material and concrete manifestation.

The GDPR clearly establishes in its article 5.1.f) that the loss of confidentiality of personal data constitutes an infringement, since the exposed data becomes available to unauthorized third parties. This fact undoubtedly affects the data owner, as he loses his ability to control his personal data. Furthermore,
Recital 85 of the GDPR indicates that the loss of confidentiality and integrity
poses a risk that may lead to physical, material or immaterial damage, which
shows that tangible or economic damage is not necessary for the GDPR
to consider that the right of the interested party has been violated:

“Risks to the rights and freedoms of natural persons, of varying severity and
probability, may arise from the processing of data that could lead to
physical, material or immaterial damage and harm, in particular where
the processing may give rise to problems of discrimination, identity theft or fraud,
financial loss, damage to reputation, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of
pseudonymisation or any other significant economic or social harm; where
data subjects are deprived of their rights and freedoms or are prevented from exercising control over their personal data; …”

In short, a breach of the GDPR does not require "real" or tangible damage to be
considered as such. The loss of control over the data and the materialization of the
risk already constitute a violation of the rights of the interested party, in accordance with what was
previously indicated.

The protection of personal data is a fundamental right that must be
guaranteed and the violation of the obligations indicated by the GDPR occurs
regardless of whether or not it materializes in tangible damage to the
affected individuals. It should be noted that the regulation focuses on
risk prevention and the protection of the rights and freedoms of individuals,
which implies that on many occasions the mere possibility that the data
may be used improperly is sufficient to consider that one of the obligations provided for by the regulation has been
violated.

For the reasons set out above, Generali's argument on the alleged absence of
real damage is not sufficient to justify the breach of its
obligations. The data protection regulations are based on identifying the risks to
the rights and freedoms of natural persons arising from the processing of personal
data, as well as preventing and mitigating the materialization of the risks associated
with the processing of personal data. The lack of proof of specific damage for each
affected party does not exempt Generali from its responsibility in complying with the
obligations provided for in the GDPR.

Regarding data belonging to special categories, Generali claims that the affected system did not contain special categories of data as provided for in the GDPR. However, it is important to note that, as the respondent is aware, Generali manages health insurance, which necessarily involves the processing of health-related data, which are included in Article 9 of the GDPR as special categories of personal data.

The fact that the personal data breach did not specifically affect this type of data on this occasion does not exempt Generali from compliance with the obligations provided for in the GDPR, taking into account the nature of this type of special data of which its processing is a part. This implies that data protection impact assessments (DPIAs), security measures and the design of default systems must take into account the special circumstances, as well as the risks inherent in the management of the aforementioned data.

For the above reasons, Generali's argument (…) is not sufficient to
disprove the broader obligations that they have under the GDPR. Although the
existence of such data is not the main basis for Generali's failure to comply with its
obligations, it can be taken into account for the purposes of
assessing the seriousness of the infringement.

Finally, Generali defends the legal need for insurance brokers
to access information on former clients in order to comply with various
contractual and regulatory obligations. In this regard, it is crucial to distinguish between
compliance with the obligation to maintain the data of former clients for the purposes of
legal obligations and the access to such data by brokers in relation to
persons who no longer have the status of client.

In this context, Generali is obliged to retain the personal data of former clients in order to comply with various regulatory provisions, such as those related to tax obligations, money laundering, and contractual claims that may arise even after the termination of the contractual relationship. However, this obligation to retain data does not justify open access to these data by insurance brokers. Allowing insurance brokers unrestricted access to the information of former clients, in addition to violating the principle of confidentiality, seriously compromises the protection and security of personal data.

Although Generali is obliged to retain this data for legal reasons,
this obligation does not exempt it from the responsibility of ensuring that access is
restricted exclusively to authorised personnel, in relation to the functions of the
job and under justified circumstances.
Retaining the personal data of former clients does not imply that any employee or
insurance broker has the right to freely access this information, since
this constitutes improper and disproportionate use that is not justified by the
nature of the obligation to retain it.

In fact, such claims are also shared by the respondent party. From the
investigation actions it is clear that, after the breach, Generali implemented
measures to restrict the access of mediators only to the data of clients with
current policies, a fact that shows that the previous actions were
insufficient to guarantee the adequate protection of personal data, as
shown in the seventh proven fact.

Second allegation: Regarding the impact on the principles of
sanctioning law derived from the interpretation made by the AEPD

Generali argues that the initiation agreement incurs violations of the principles
of administrative sanctioning law, particularly the non bis in idem principle and
the provisions of article 29.5 of the Law on the Legal Regime of the Public Sector
(LRJSP) in relation to the medial concurrence of infringements. In this regard, it is appropriate
first to make a brief reference to the application of the aforementioned principle in
the European sphere, taking into account the nature of the GDPR.

Article 50 of the Charter of Fundamental Rights of the European Union (CFREU)
establishes the principle of non bis in idem, which prohibits double jeopardy and double
penalty within the European Union. Unlike Article 4 of Protocol 7
to the European Convention on Human Rights (ECHR), which applies only at
national level, Article 50 of the CFREU has a transnational scope, protecting
individuals from being tried or punished twice for the same offence in
any Member State of the European Union, provided that Union law applies.

Under the heading "Right not to be tried or convicted twice for the
same offence", Article 50 provides:

"No one may be tried or convicted of a criminal offence for
an offence for which he or she has already been acquitted or convicted in the Union by a final
criminal judgment according to law."

The Charter, considered the primary source of Union law according to Article 6 of the
Treaty on European Union, regards all Member States as a single
legal area with regard to the non bis in idem rule, provided that they apply
Union law.


The Court of Justice of the European Union has also applied the Engel criteria,
originating from the case law of the European Court of Human Rights (ECHR),
to interpret Article 50 of the CFREU. These criteria determine whether a sanction
has a criminal character based on the legal qualification of the infringement, the nature
of the infringement and the sanction, as well as the severity of the sanction. Thus, the
prohibition of double punishment can be extended not only to criminal proceedings but
also to administrative procedures with sanctions of a criminal nature.

The Charter, in its Article 52.3, provides that the rights corresponding to rights
guaranteed by the ECHR shall have the same meaning and scope. The CJEU has stressed
that Article 50 of the CFREU must be interpreted in a uniform and autonomous manner,
without depending on ratification or reservations to the ECHR by the Member States.

As regards the case law requirements established by the CJEU for the aforementioned principle recognised in Article 50 to apply, the European Court has
stated in various judgments (CJEU of 18 July 2007, Lucchini
Siderurgica, C-119/05, EU:C:2007:434, CJEU of 16 November 2010, Mantello,
C-261/09, EU:C:2010:683, Judgment of 20 March 2018, Menci, C-524/15,
EU:C:2018:197) the need for three criteria to be met for the aforementioned
principle to apply:

- Identity of the offender: The same person or entity must be the subject of the
proceedings or sanctions. "The same individual must be the subject of both
proceedings or sanctions. This ensures that different persons are not prosecuted or
sanctioned for the same acts."

- Identity of the facts: The facts must be the same ("idem factum"), that is, a set of specific circumstances inextricably linked to each other.
"The material facts must be the same. This means that they must be
a set of specific circumstances arising from events that are, in essence, the same to the extent that they involve the same author and
are inextricably linked in time and space."

- Identity of the protected rule: “The infringement must affect the same protected legal
interest.”

However, this principle has been nuanced and modulated by the case law of the
CJEU, among which we can highlight the following resolutions referring to its
scope:

- Judgment of March 22, 2022, Nordzucker, C-151/20, EU:C:2022:203: The
CJEU reaffirms in this judgment the importance of the identity of the
material facts ("idem factum") to apply the non bis in idem principle. The court
allows the accumulation of sanctioning procedures when the
sanctions arise from different legal violations that pursue different
general interests. In the case of Nordzucker, although the sanctioned
conducts were related, the legal violations were different,
thus justifying the accumulation of sanctions.


- Judgment of 20 March 2018, Menci, C-524/15, EU:C:2018:197: The
Menci judgment addresses the issue of duplication of criminal sanctions in
the context of tax evasion. The CJEU establishes that the principle non bis in
idem prohibits the duplication of criminal sanctions for the same acts, but
allows exceptions when the sanctions pursue complementary objectives of
general interest. In addition, the court underlines the need for
proportionality and coordination in the accumulation of sanctions. In this
case, the accumulation of tax and criminal sanctions was considered justified
due to the complementary objectives at stake.

- Judgment of 26 February 2013, Åkerberg Fransson, C-617/10,
EU:C:2013:105: In the judgment in Åkerberg Fransson, the CJEU analyses the
application of the non bis in idem principle in the context of tax and
criminal penalties for the same offence of failure to declare taxes. The Court
concludes that the accumulation of administrative and criminal penalties for the
same acts is not contrary to the non bis in idem principle if the principles of
proportionality and coordination are respected. In this case, both the tax penalty and the
criminal proceedings were considered to be of a criminal nature, but the accumulation of
penalties was permitted under certain conditions.

In summary, the non bis in idem principle according to article 50 of the CFREU and its
interpretation by the CJEU protects people from being sanctioned twice for the
same infringement in any Member State of the European Union, guaranteeing a
single and coherent legal space in the application of Union Law. This
legal and jurisprudential framework is useful to analyze Generali's claim about the
alleged violation of this principle by the AEPD.

In the case at hand, with respect to the infringements indicated in the
initiation agreement, although there is an identity of the infringer, the
same does not occur with the identity of the facts and the protected legal asset. In this sense, taking into account the
administrative and specific nature of the rule, the protected legal asset cannot
be understood in a general way as the protection of personal data, but rather the
principle or principles or essential content on which the obligation or specific infringement is based and which motivates the sanction. Taking into account the criteria cited above,
it follows that each of the infringements indicated in the agreement are
independent and distinct, in the terms set out below:

Violation of the principle of confidentiality (article 5.1.f of the GDPR)

The obligation of confidentiality that article 5.1.f) of the GDPR imposes on the
data controller is an obligation of result, such that for the precept to be infringed, the confidentiality of the data must be broken.

In this way, we would be faced with an infringement of result,
unlike the provisions of article 32 of the GDPR, which, as will be seen later, imposes
an obligation of means.

In the case at hand, the facts that imply the violation of said principle and,
consequently, the infringement, are manifested in the breach of personal data that
occurred. As a result of the attack, unauthorized exposure of personal data occurred, including names, addresses, telephone numbers, ID numbers, and bank details such as IBAN.

Certainly, the principle of responsibility provided for in article 28.1 of Law
40/2015, of October 1, on the Legal Regime of the Public Sector, provides that: "Only
natural and legal persons may be sanctioned for acts constituting an administrative infringement, as well as, when a Law recognizes their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous assets, who are responsible for them by
the title of fraud or fault."

However, according to the ruling in STS 7887/2011 of November 24, 2011,
Rec. 258/2009, "(...) since its ruling 76/1990, of April 26, the Constitutional Court has declared that there is no room in the scope of administrative sanctions for
objective liability or liability without fault, a doctrine that is reaffirmed in ruling
164/2005, of June 20, 2005, by virtue of which the possibility of imposing
sanctions for mere results is excluded, without proving a minimum of guilt even on the grounds of
mere negligence. However, the way of attributing responsibility to legal
persons does not correspond to the forms of willful or imprudent guilt that are attributable to human conduct."

Thus, in the case of infringements committed by legal persons, although
the element of guilt must be present (see the judgment of this Chamber of the
Supreme Court of 20 November 2011, appeal in cassation in the interest of law
48/2007), this is necessarily applied in a different way than in the case of
natural persons. According to STC 246/1991 "(...) this different construction of the
imputability of the authorship of the infringement to the legal person arises from the
nature of legal fiction to which these subjects respond. They lack the
volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity to infringe and, therefore, direct blameworthiness that
derives from the legal asset protected by the rule that is infringed and the need for
said protection to be truly effective and from the risk that, consequently, the legal person that is subject to compliance with said rule must
assume."

In addition to the above, following the judgment of 23 January 1998,
partially transcribed in STS 6262/2009, of 9 October 2009, Rec 5285/2005,
and STS 6336/2009, of 23 October 2009, Rec 1067/2006, "although the
guilt of the conduct must also be the subject of proof, it must be considered, in
order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it form part of the proven
typical conduct, and that their exclusion requires that the absence of such elements be proven, or in its normative aspect, that the diligence that was
required has been used by the person who claims their nonexistence; in short, the invocation of the absence of fault is not enough for exculpation in the face of
unlawful typical behaviour".

Thus, none of the circumstances concurrent in the case allow
this subjective element of the infringement to be excluded.

As for the legal right protected by article 5.1.f of the GDPR, it is the
confidentiality of personal data. This principle establishes that personal data
must be treated in a way that guarantees adequate security,
including protection against unauthorized or unlawful processing. Confidentiality
implies that personal data are not accessible or disclosed to unauthorized
persons and that they remain protected at all times during their
processing.

Data protection by design and by default (Article 25.1 GDPR)
Article 25.1 GDPR establishes the obligation for data controllers to
integrate appropriate technical and organisational measures of all kinds, by design
and by default. This provision ensures that the protection of personal data is
considered and applied from the earliest stages of development and throughout the
data processing lifecycle. Protection by design involves identifying,
assessing and analysing the risks to the rights and freedoms of data subjects,
by adopting all kinds of appropriate technical and organisational measures in order to
mitigate such risks related to the intended processing before starting it, in order to
effectively apply the principles of data protection, such as data minimisation, and to integrate the necessary guarantees in the
processing, in order to comply with the requirements of the GDPR and protect the rights of data subjects. On the other hand, data protection by default refers to applying appropriate technical and organizational measures of all kinds in order to ensure that,
by default, only the personal data that are necessary for each of the specific purposes of the processing are processed. Such measures will ensure in
particular that, by default, personal data are not accessible, without the intervention of the person, to an indeterminate number of natural persons, limiting
the amount of personal data collected and processed to what is strictly necessary, ensuring that personal data are accessible only to authorized
persons and for authorized purposes, and establishing default settings
that prioritize security.

In the case of Generali, the infringement is evident in (…). The lack of these measures
allowed unauthorized access to personal data of former clients, and the configuration
of the system did not guarantee the principle of minimization in the processing of personal
data nor did it restrict access only to necessary data and limited to specific
purposes.

It is crucial to understand that in this case the fact that is the subject of infringement is not the
breach of personal data itself, but the deficiencies in the design and
configuration of its systems and processes. In this case, the breach was the
event that allowed the implemented system to be discovered and, therefore, the
non-compliance with the principle, but not the cause of the non-compliance. Article
25.1 of the GDPR obliges data controllers to integrate data
protection measures from the design phase of any system that processes personal
data and to ensure that, by default, only the data necessary for each specific
purpose is processed. This implies that, regardless of whether or not a breach occurs, the system must be designed and operated in such a way as to
minimize the possibility of undue exposure of personal data. Therefore, the fact that is subject to
sanction under Article 25.1 of the GDPR (…), and not the breach of personal data that
subsequently occurred. It is therefore an infringement in itself and independently of the personal data breach.

The legal right protected by Article 25.1 of the GDPR is the protection of personal data from its conception and throughout its life cycle. This article ensures
that proactive measures are adopted to integrate data protection safeguards
in the design of systems and processes and that these systems are configured in such a way that
protection is prioritized by default. The essential content focuses on ensuring
that data protection is not an afterthought or a secondary consideration, but an integral part of the design and operation of all systems
and processes that process personal data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/53

Insufficient security measures appropriate to the risk (Article 32 of the GDPR)
Article 32 of the GDPR is a key provision that sets out the obligation for controllers and processors to implement appropriate technical and
organisational security measures to ensure the security of personal data. This article highlights the importance of protecting data against various
threats, such as destruction, loss, alteration, unauthorised disclosure or access. Through these measures, the GDPR seeks to ensure that personal data is kept safe and secure at all times.

Article 32 does not specify exact measures to be taken, but requires that
these measures be appropriate to ensure a level of security appropriate to the risk posed by the processing of personal data. This means that controllers must continually assess the risks and adapt their security measures accordingly. This obligation is not a guarantee that personal data breaches will not occur, but rather an obligation to ensure a level of security appropriate to the risk of the specific processing.

The security of personal data, as a legal interest protected by Article 32,
covers both technical aspects (such as the use of encryption and pseudonymisation) and
organisational aspects (such as access policies and training procedures). This comprehensive approach
ensures that all aspects of data security are addressed, from the technical infrastructure to the conduct of staff.

Article 32 GDPR, unlike 5.1 f), imposes an obligation of means, which
means that controllers must demonstrate that they have taken all appropriate
technical and organisational security measures to ensure a level of security appropriate to the risk,
rather than guaranteeing a specific result.
This translates into the need for a proactive and continuous approach to data security
management, adjusting measures as risks and threats evolve.

In the case at hand, the failure to adopt appropriate technical and organisational
measures manifested itself through the personal data breach; however, it was not
this that led to the breach of the obligation provided for in article 32.
On the contrary, it was the subsequent verification of the measures adopted which
revealed the breach of said obligation independently of the personal data breach (there were no adequate measures even if the breach had not occurred) and, consequently, the infringement provided for in the GDPR.

The purpose of article 32 of the GDPR is to ensure a level of security appropriate to the
risk of processing personal data, through the application of appropriate technical and organizational
measures, specifically security measures, since here the Law does make that distinction.
And all this is independent of whether there is a loss of confidentiality and/or integrity, since the absence of such a level of security
appropriate to the risk is in itself sufficient to determine the violation of the
precept.

Likewise, we refer to the non-compliance with this obligation to what has been answered in the third allegation in relation to the lack of technical and
organizational measures in relation to the personal data breach.

Lack of Data Protection Impact Assessment (Article 35 of the GDPR)
Article 35 of the GDPR establishes the obligation to carry out a Data Protection Impact Assessment
when a type of processing may entail a high risk for the rights and freedoms of natural persons.
As set out in the Article 29 Working Party Guidelines on data protection impact assessments (DPIAs) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation (EU) 2016/679 Adopted on 4 April 2017:

“A DPIA is a process designed to describe the processing, assess its
necessity and proportionality and help manage the risks to the rights and freedoms of natural persons arising from the processing of personal data
by assessing them and identifying measures to address them. DPIAs are
important accountability instruments, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that
appropriate measures have been taken to ensure compliance with the Regulation.”

In the present case, the fact that led to the non-compliance and the infringement was
precisely the failure to carry out a DPIA, even though the risks
inherent in its data processing required it. Consequently, neither the breach
that occurred nor the failure to adopt the measures have any relevance in the
breach of the obligation; only the absence of such an assessment when
obliged to do so is the fact that determines the breach of Article 35 of the
GDPR.

Generali did not carry out a DPIA even though its data processing operations
posed high risks to the rights and freedoms of the data subjects. As indicated in the initiation agreement, Generali operates in an environment where large volumes of personal data are processed, some of which are sensitive in nature.

The legal interest protected by Article 35 of the GDPR is the assessment and mitigation of risks to the rights and freedoms of natural persons associated with the processing of personal data. This article requires data controllers to carry out a DPIA when processing operations may pose a high risk to the rights and freedoms of data subjects. The purpose is to ensure that potential risks are identified and mitigated before damage materialises, as well as to establish containment measures if the risk has materialised, thereby effectively protecting personal data.

In conclusion, each of the infringements indicated in the initiation agreement
represents a separate and autonomous infringement, without there being any concurrence between
them, including medial concurrence. The non-compliance with article 32 of the GDPR focuses on the
lack of adoption of appropriate technical and organizational security measures to
guarantee a level of security appropriate to the risk, while the lack of
data protection by design in article 25.1 of the GDPR focuses on the
absence of integration of safeguards and measures of all kinds from the conception
of the systems in order to comply with the principles of the GDPR and with all its
requirements, protecting the rights of the interested parties. The lack of a data protection impact assessment under Article 35 GDPR constitutes the failure to carry out a mandatory and specific risk analysis when processing involves high risk and reflects the failure to proactively identify and mitigate risks, while the breach of the confidentiality principle under Article 5.1.f GDPR, established to ensure the integrity and confidentiality of personal data, highlights the personal data breach resulting in the unauthorized exposure of personal data. These breaches protect different legal assets and arise from different events in certain critical aspects of personal data management, constituting different breaches and justifying separate sanctions.

On the other hand, it is worth referring to Generali's argument that
penalties should be considered under the rule of medial concurrence (concurso medial) according to
Article 29.5 of the LRJSP, which establishes that when the commission of one infringement
necessarily results in the commission of another, only the penalty corresponding to the most serious infringement
should be imposed. However, in the context of the GDPR,
Article 83.3 provides a specific framework for addressing concurrent infringements,
ensuring that all relevant violations are imputed and considered, but without resulting in excessive or unfair
penalization.

In addition, the European Data Protection Board (EDPB) guidelines on the
calculation of fines also recognize the possibility of concurrent infringements and
establish that each infringement should be considered separately in its own
context, although the total penalty is adjusted to avoid unfair duplication.

However, in the present case, Article 83 of the GDPR does not apply
since, as indicated, we are dealing with breaches based on
perfectly different conduct that autonomously motivate the commission
of different infringements provided for in the GDPR. Each of the infringements
attributed to Generali responds to specific facts and different legal grounds,
without it being necessary for one of them to occur for the others to occur.

Third allegation: Regarding the alleged infringements attributed to Generali

In this allegation, Generali exhaustively addresses the specific infringements
that were indicated in the initiation agreement. Below, the
arguments indicated regarding each of them are analyzed and refuted.

Principle of data protection by design (Article 25.1 of the GDPR).
Generali claims that it has complied with the principle of data protection by design by conducting a thorough analysis of the risks associated with data processing and implementing the necessary measures to mitigate them. However, Generali confirmed that the Customer Maintenance Service application allowed brokers to access data of former clients. This unauthorized access to personal data of former clients demonstrates that Generali did not adequately implement the necessary technical and organizational measures from the design of its systems to limit access to data only for the specific purposes for which it was collected. In addition, Generali maintains that this access is justified by the regulations governing the distribution of private insurance, which require distributors to be able to access information on clients whose policies have been terminated. Although this argument contradicts its own actions - since Generali
has indicated that it has adopted the measure consisting of (…) - this
argument does not exempt Generali from its obligation to implement measures from the
design stage. Data protection regulations and sectorial regulations must coexist, and
Generali has the responsibility to ensure that both are complied with, where appropriate,
implementing measures that limit access to personal data to persons
authorized by reason of their functions and to what is strictly necessary in attention to the
purpose for which they are processed. Data protection by design requires, among
other issues, that, before the processing is carried out, the roles and responsibilities of the persons who will handle personal data in the
scope of the data controller be evaluated to prevent access to an
undetermined number of natural persons.
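The access-scoping requirement set out above (access limited to persons authorised by reason of their functions, to what is strictly necessary, and to the purpose of the processing), as an added illustration that is not part of the decision and does not describe Generali's Customer Maintenance Service: a deliberately unscoped lookup is placed next to one that returns a client only to the broker who holds that client's policy, hides terminated policies by default, and projects only the columns a declared purpose needs. The schema, the sample rows, the broker and client identifiers and the purpose-to-column mapping are all constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample schema and rows (hypothetical; not a real data model).
# Client 3's only policy is terminated, so client 3 is a "former client".
SAMPLE_SQL = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, national_id TEXT, iban TEXT);
CREATE TABLE policies (id INTEGER PRIMARY KEY, client_id INTEGER, broker_id INTEGER, status TEXT);
INSERT INTO clients VALUES (1, 'Client One',   'ID-0001', 'ES00 0000 0000 0000 0001');
INSERT INTO clients VALUES (2, 'Client Two',   'ID-0002', 'ES00 0000 0000 0000 0002');
INSERT INTO clients VALUES (3, 'Client Three', 'ID-0003', 'ES00 0000 0000 0000 0003');
INSERT INTO policies VALUES (10, 1, 100, 'active');
INSERT INTO policies VALUES (11, 2, 200, 'active');
INSERT INTO policies VALUES (12, 3, 100, 'terminated');
"""

# Purpose-to-column allow list (constructed): servicing a policy does not need
# the IBAN; only a billing purpose does. Column names come from this fixed
# mapping, never from user input, so interpolating them into SQL is safe.
COLUMNS_BY_PURPOSE = {
    "service": ("id", "name"),
    "billing": ("id", "name", "iban"),
}


def build_db() -> sqlite3.Connection:
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def lookup_client_unscoped(conn: sqlite3.Connection, client_id: int) -> Optional[Tuple]:
    """Weak design: any authenticated broker can fetch any client, former or
    current, IBAN included, simply by supplying (or iterating) a client id."""
    return conn.execute(
        "SELECT id, name, national_id, iban FROM clients WHERE id = ?", (client_id,)
    ).fetchone()


def lookup_client_scoped(
    conn: sqlite3.Connection,
    broker_id: int,
    client_id: int,
    purpose: str = "service",
    include_former: bool = False,
) -> Optional[Tuple]:
    """By-design / by-default variant: a row comes back only if the requesting
    broker holds a policy for that client, terminated policies are excluded
    unless explicitly requested, and the projection is limited to the columns
    the declared purpose is allowed to see."""
    if purpose not in COLUMNS_BY_PURPOSE:
        raise ValueError(f"unknown purpose: {purpose}")
    columns = ", ".join(f"c.{col}" for col in COLUMNS_BY_PURPOSE[purpose])
    statuses = ("active", "terminated") if include_former else ("active",)
    placeholders = ", ".join("?" for _ in statuses)
    sql = (
        f"SELECT DISTINCT {columns} FROM clients c "
        "JOIN policies p ON p.client_id = c.id "
        f"WHERE c.id = ? AND p.broker_id = ? AND p.status IN ({placeholders})"
    )
    return conn.execute(sql, (client_id, broker_id, *statuses)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Broker 100 asking for former client 3: visible under the weak design,
    # hidden by default under the scoped one.
    print("unscoped:", lookup_client_unscoped(db, 3))
    print("scoped  :", lookup_client_scoped(db, 100, 3))
```

The point of the scoped variant is that the restrictive behaviour is the default path: widening access to a former client or to financial columns requires an explicit, auditable parameter rather than being what every caller gets.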

Generali also argues that the application was launched before the full application of the GDPR, and that it is therefore unreasonable to expect that the obligations imposed by the regulation were taken into account in its initial design.
In this regard, it should be noted that the entry into force of the GDPR requires data controllers to review and update their systems and processes to comply with new legal obligations. The implementation of appropriate measures from the design stage is not limited to the initial moment of creation of a system, but is an ongoing process that must adapt to changes in the regulations and to the (changing) risks to the rights and freedoms of natural persons regarding the processing of personal data. On the contrary, the failure to adequately update the SMC application to comply with the GDPR shows a lack of diligence on the part of Generali in this regard. It should also be noted that the fact that the application was launched before the full application of the GDPR as stated does not exempt it from compliance with the obligation provided for, once the regulation took full effect after full applicability in May 2018.

Finally, Generali claims that it has implemented reactive measures after the security incident, a fact that actually reinforces the AEPD's argument that not all the implications in terms of data protection were taken into account in relation to data protection by design and by default, specifically, we are referring to the measure consisting of the lack of segmentation of profiles that was adopted after the personal data breach.

In conclusion, Generali's argument does not adequately justify the lack of data protection measures by design and by default. Generali's actions and
omissions demonstrate that all necessary measures were not taken
to ensure that personal data were protected from the outset, and that access
was strictly limited to the appropriate persons and for the necessary purposes,
as required by the GDPR.

Violation of Article 35 of the GDPR in relation to the Data Protection Impact
Assessment:
Generali claims that it was not necessary to carry out a DPIA for the SMC application
because, according to its risk analysis, the processing did not entail a high risk for the
rights and freedoms of natural persons. However, as indicated in the
initiation agreement, there are several factors that justify the need for a DPIA,
including the considerable volume of personal data processed and the combination of
financial data (in this case the IBAN) with identification and contact data, as it
multiplies the risk of identity theft and serious financial damage.

Article 35 of the GDPR requires a DPIA for processing that, due to its
nature, scope, context or purposes, may involve a high risk. The management of
data from a large number of customers certainly falls into this category, as the
impact of a potential data breach would be considerably greater. Generali
cannot rule out the need for a DPIA based solely on its own
analysis, especially when it deals with data of a large scale and sensitive nature.

Generali also argues that it does not process special category data in the SMC,
based on its own interpretation of the data handled. However, the fact that
Generali manages health insurance involves the processing of medical data at
some point, even if these specific data were not directly
involved in the SMC. The risk assessment must consider all possible
processing scenarios and the data that may be being processed. The lack of
a DPIA to assess these risks demonstrates a lack of foresight and diligence on the part
of Generali.

In this regard, we must note that the CJEU case law has
recognised the broad concept of special categories of personal data.

In this regard, the CJEU judgment of 4 October 2024 in Case C-21/23,
specifically with regard to health data, determines that when the processing of
personal data may indirectly reveal sensitive information about a
person, such data fall within the regime provided for in Article 9 of the GDPR:
“82 In particular, such provisions cannot be interpreted as meaning that the
processing of personal data that may indirectly reveal sensitive information
about a natural person falls outside the enhanced protection regime
established by the aforementioned provisions, since to do so would
undermine the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural
persons that it seeks to guarantee (judgment
of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20,
EU:C:2022:601, paragraph 127)”.

The same CJEU judgment even establishes that special categories of personal data are subject to the prohibition of art. 9 of the GDPR regardless of
whether the information is accurate or not and whether the processing is intended to obtain
personal data belonging to said category: “87 This prohibition in principle
is independent of whether the information revealed by the processing in question is or is
not accurate and whether said pharmacist acts with the aim of obtaining information
included in one of the special categories contemplated in article 8,
paragraph 1, of Directive 95/46 and article 9, paragraph 1, of the GDPR. Indeed,
taking into account the significant risks to the fundamental freedoms and fundamental rights of data subjects generated by any processing of personal data falling within these categories, these provisions are intended to prohibit such processing, regardless of the stated purpose and
the accuracy of the information in question (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms and conditions of service of a
social network), C-252/21, EU:C:2023:537, paragraphs 69 and 70).”

Generali also states that Article 35.3 of the GDPR and the list of processing operations requiring a DPIA do not apply to its specific processing. However, this interpretation is restrictive and does not take into account the full nature of Generali's
data processing; moreover, the list is indicative, not exhaustive, and is intended to guide data controllers in
identifying those processing operations that require a DPIA.

In conclusion, Generali has not adequately justified the lack of a DPIA. The
management of a large volume of personal data and the processing of special
categories of personal data, as in this case, require a thorough
risk assessment, which must be documented by a DPIA. The absence
of this assessment reflects a lack of compliance with Article 35 of the GDPR.

Insufficient security measures (Article 32 of the GDPR):
Generali argues that the AEPD has incorrectly interpreted the nature of the
obligations imposed by said article and that it has based its decision on an
erroneous assessment of the facts.

Generali claims that the obligation to take security measures is an obligation of means, not results, according to Supreme Court case law. This
means that the company must prove that it has taken all reasonably necessary and
appropriate measures to protect personal data, but it cannot be automatically held liable for a security breach if
those measures were insufficient to prevent it.

It should be noted again that the breach of Article 32 GDPR is not due to the
personal data breach itself, but that the personal data breach
simply revealed the shortcomings and deficiencies in the security
measures that Generali should have previously implemented. These shortcomings did
not become apparent directly from the breach, but rather after verification and analysis that took place
after the breach occurred. The subsequent verification revealed that the existing security measures were not sufficient to prevent unauthorized access, which demonstrates a breach of the obligation to adopt adequate security measures proportionate to the risk. This was regardless of the occurrence of the personal data breach.

It should be noted that the measure referred to by Generali as an example corresponds to a measure of data protection by design.


Generali has mentioned the implementation of reactive security measures after the incident, such as:

- (…)

The aforementioned measures show that the measures implemented previously were clearly insufficient to guarantee a level of security appropriate to the risk, regardless of the breach that occurred.

Thus, for example, it had not been foreseen (…).

In conclusion, Generali has not complied with the obligations of Article 32 of the GDPR
effectively. The post-breach analysis, as well as the reactive measures
adopted subsequently, show an inadequacy in the preventive security
measures that should have been determined, implemented and applied, something that
Generali has not demonstrated to have done satisfactorily before the incident.

Violation of the confidentiality principle (Article 5.1.f of the GDPR):

Generali argues that there has not been a breach, since the
confidentiality principle would have been compromised only due to the personal data
breach, and not due to an intrinsic lack of adequate measures.

However, this position is not sustainable.
Thus, for example, the (…).

Furthermore, although they had measures in place before the personal data breach for the (…).
This security measure is not useful for detecting other types of common attacks. It was
a clearly insufficient security measure.

In this sense, it should be noted that it is very common nowadays for denial of service attacks to be distributed, that is, launched from
many different IP addresses, so measures commonly used to prevent, detect and react to this other type of
attack should have been provided for. These types of measures were not implemented, with the result that the personal data breach
occurred because a distributed attack was not detected.

Generali also states that the attack (…) was a factor beyond its control. However, the security of information systems must contemplate the possibility
of external brute force attacks, such as the one that occurred – (…)-; hence
preventive measures such as multi-factor authentication should have been
implemented before the incident; it is not possible to understand (…), with the result that
it was a security measure that was not properly implemented and that was
established after the personal data breach. Thus, as has been
proven:

- (…).
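Detection logic for the two points made above (an attack spread across many source addresses, and credential guessing against an account), as an added example that is not part of the decision and does not describe Generali's systems or the measures it later adopted. It runs over a handful of constructed authentication log lines and contrasts a per-source rule, which a distributed attempt stays under because each address makes only a couple of tries, with a per-account rule that counts failures and distinct sources inside a time window and notes whether a success followed the run of failures. The log format, account names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log (hypothetical format: timestamp, account, source, result).
# Twelve failures against broker17 arrive from six addresses, two tries each,
# and are followed by a success from a seventh address.
SAMPLE_LOG = """\
2022-10-05T10:00:00Z user=broker02 src=192.0.2.10 result=OK
2022-10-05T10:00:01Z user=broker17 src=198.51.100.1 result=FAIL
2022-10-05T10:00:02Z user=broker17 src=198.51.100.2 result=FAIL
2022-10-05T10:00:03Z user=broker17 src=198.51.100.3 result=FAIL
2022-10-05T10:00:04Z user=broker17 src=198.51.100.4 result=FAIL
2022-10-05T10:00:05Z user=broker17 src=198.51.100.5 result=FAIL
2022-10-05T10:00:06Z user=broker17 src=198.51.100.6 result=FAIL
2022-10-05T10:00:07Z user=broker17 src=198.51.100.1 result=FAIL
2022-10-05T10:00:08Z user=broker17 src=198.51.100.2 result=FAIL
2022-10-05T10:00:09Z user=broker17 src=198.51.100.3 result=FAIL
2022-10-05T10:00:10Z user=broker17 src=198.51.100.4 result=FAIL
2022-10-05T10:00:11Z user=broker17 src=198.51.100.5 result=FAIL
2022-10-05T10:00:12Z user=broker17 src=198.51.100.6 result=FAIL
2022-10-05T10:00:13Z user=broker17 src=203.0.113.9 result=OK
2022-10-05T10:00:20Z user=broker02 src=192.0.2.10 result=FAIL
2022-10-05T10:00:25Z user=broker02 src=192.0.2.10 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; unparseable lines are skipped (None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def load_sample() -> List[dict]:
    """Parse the constructed sample log into events."""
    return [e for e in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if e]


def detect_per_ip(events: List[dict], fail_threshold: int = 5) -> List[str]:
    """Classic single-source rule: an address is flagged only when it alone
    accumulates fail_threshold failures. A distributed attempt that spreads
    its tries across many addresses never trips this rule."""
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= fail_threshold)


def detect_distributed(
    events: List[dict],
    window: timedelta = timedelta(minutes=5),
    fail_threshold: int = 10,
    ip_threshold: int = 5,
) -> Dict[str, dict]:
    """Per-account rule: within any window, flag an account that sees at least
    fail_threshold failures from at least ip_threshold distinct sources. The
    alert also records whether a successful login followed the last failure,
    which is the case that most needs a responder's attention."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts: Dict[str, dict] = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            fails = [e for e in win if e["result"] == "FAIL"]
            srcs = {e["src"] for e in fails}
            if len(fails) >= fail_threshold and len(srcs) >= ip_threshold:
                last_fail = fails[-1]["ts"]
                alerts[user] = {
                    "failures": len(fails),
                    "sources": len(srcs),
                    "success_after_failures": any(
                        e["result"] == "OK" and e["ts"] >= last_fail for e in win
                    ),
                }
                break  # one alert per account is enough for this illustration
    return alerts


if __name__ == "__main__":
    evs = load_sample()
    print("per-IP rule flagged:", detect_per_ip(evs))
    print("per-account rule flagged:", detect_distributed(evs))
```

The thresholds are arbitrary and would be tuned to a real login volume; what carries over is the shape of the rule, which keys on the account rather than the source and treats a success that closes a run of many-source failures as the highest-priority signal.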


The personal data breach allowed unauthorized access to a
considerable number of personal data, including identification data,
contact information, financial information and residential addresses, resulting in a
loss of confidentiality.

Generali also maintains that the need to communicate the facts to such a
large number of affected persons reflects the seriousness of the incident. This argument, far
from exonerating Generali, shows the impact that the personal data breach may have in its
relationship with the principle of confidentiality. The large scale of the
notification is a clear indication of the magnitude of the breach of the
principle of confidentiality in that the personal data breach entails a high risk
for the rights and freedoms of natural persons.

In summary, the violation of the principle of confidentiality has been
perfectly demonstrated by the disclosure of personal data to unauthorized third parties.
The disclosure of personal data on the scale observed is a clear
indication that the obligation to guarantee the confidentiality of personal data, as required by article 5.1.f of the GDPR, was not fulfilled.

Fourth allegation: on the violation of the principle of proportionality

Generali's fourth allegation on the violation of the principle of proportionality
is unfounded when the facts and the applicable legal provisions are analyzed. The AEPD has carefully evaluated the concurrent circumstances and
has applied the principle of proportionality when determining the sanctions, in accordance
with article 83 of the GDPR. Generali maintains that the AEPD did not consider certain
mitigating circumstances and applied aggravating circumstances without justification, which is refutable in the terms
set out below.

Generali argues that the reactive measures adopted after the incident
should be considered mitigating. However, the fact that reactive measures were
taken does not exempt the company from initial liability for failing to
implement security measures appropriate to the level of risk, and appropriate
diligence must be exercised when dealing with a company that manages a
large volume of personal data, including special categories of personal
data. Corrective actions, although necessary, do not compensate for the lack of
adequate proactive measures to protect personal data in companies of
such nature, the potential consequences of which may be aggravated and amplified
taking into account the large-scale processing they carry out.

Generali also argues that it has not been subject to previous sanctions and that
this should be considered a mitigating factor. However, the seriousness of the current infringement and
the potential impact on a large number of people in this case justify an
appropriate sanction regardless of the entity's previous sanctioning history. In
this sense, the National Court in its judgment 1437/2020 of May 5, 2021
stated that "Article 83.2 of the GDPR establishes that, for the imposition of the administrative fine, among others, the circumstance 'e) any previous infringement committed by the controller or the processor' must be taken into account. This is an
aggravating circumstance; the fact that the condition for its application is not met
means that it cannot be taken into consideration, but it does not imply or
allow, as the plaintiff claims, its application as an attenuating circumstance".

Regarding Generali's statement that the AEPD was aware of the
incident through the company's voluntary notification, it should be remembered that
such communication is an obligation provided for by the GDPR itself and not a
voluntary act that deserves consideration as an attenuating circumstance.

As for adherence to codes of conduct, Generali mentions its participation in
the development of good practice guides. Although these efforts are positive, they do
not exempt the entity from the responsibility of complying with all the provisions of the
GDPR effectively and continuously.

The AEPD has correctly applied the aggravating circumstances. The large scale of data
processing, the nature of the data processed and the particular negligence in the
adoption of adequate protection measures justify the application of aggravating circumstances.

These aggravating circumstances are not based on unfounded subjective assessments, but on
a detailed assessment of the facts, risks and impact of the infringement that
are set out in this resolution.

In conclusion, the AEPD has followed an appropriate and justified methodology to
assess both the mitigating and aggravating circumstances in this case,
motivating it, and has applied the principle of proportionality in accordance with the regulations in force.

The proposed sanctions reflect the seriousness of the infringements.

IV Unfulfilled obligation of Article 5.1 f)

According to paragraph 1.f) of Article 5 GDPR, data must be:

“processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage, by applying appropriate technical or organisational
measures (“integrity and confidentiality”)”

Similarly, Recital 39 GDPR provides that: “Personal data
must be processed in a manner that ensures appropriate security and confidentiality of the personal
data, including preventing unauthorised access to or use of the data and the equipment used in the processing.”

The purpose of the aforementioned principle of confidentiality is to ensure that personal
data are accessible only to those persons authorised to use them and for the specific purposes for which they have been collected. In these terms, any unauthorized exposure or processing of personal data
would constitute a violation of the aforementioned principle. This occurs when personal data
are accessible to unauthorized individuals or entities, or when they are used for purposes
other than those for which they were originally collected or consented to by their owner.

In the present case, the investigations carried out by this authority
show a violation of the principle of confidentiality by not guaranteeing
adequate security of personal data, including protection against unauthorized or
unlawful processing, through the application of appropriate technical and
organizational measures, which has materialized with the unauthorized
exposure of personal data of a considerably high number of people.
Among the exposed data were personal identification data,
contact data, financial information and residential addresses.

The number of those affected and potentially affected is the result of formal communications of the incident made by the defendant party to the affected parties and which were also provided during the aforementioned proceedings. Thus, it claims to have communicated the incident to 24,352 people directly affected who were included in the sample file obtained from the attackers through the cybersecurity company Lazarus. In addition, there was communication to 1,092,543 former policyholders not included in the sample file and 399,153 former policyholders of individual policies, whose contact details were not available. Finally, there is a public communication to 166,621 former policyholders of group policies, which brings the total number of people potentially affected to more than 1.6 million.

The need to communicate the facts to such a large number of people (more than
one and a half million), in addition to reflecting the relevance of the personal data breach,
also demonstrates the recognition of its seriousness by the respondent party. The
detection of the attack and the subsequent investigation, which revealed that unauthorized access
to personal data had taken place, confirm this statement.

The number of personal data compromised by each affected party is also notable.
The fact that detailed data such as ID, contact details,
and personal addresses, among others, have been exposed, demonstrates the magnitude of the breach. It should
be taken into account that, in a considerable number of cases, financial data such as the IBAN were exposed, which, together with the combination of identification and location data, exposes the affected persons to a significant risk of fraud, such as
identity theft and financial fraud, criminal acts that, unfortunately, are frequent today.

Nor can it be ignored that someone claimed, in a Telegram forum, to possess data of former clients (800,000, according to the respondent), and that the cybersecurity company Lazarus provided the respondent with a sample of it. Since Telegram is a messaging platform accessible to the public, this raises a worrying scenario: making this information available in an open and easily accessible environment increases the risk of the data being misused.

Finally, the investigation shows that the violation of the principle of confidentiality in the present case is not limited to the cyber attack that occurred. The fact that insurance intermediaries, both agents and brokers, were at the time of the incident able to view and access the data of former clients, despite those clients having ended their commercial relationship with the respondent, represents a further manifestation of the violation of this principle.

Likewise, reference is made to the response given to the third allegation regarding the lack of technical and organizational measures in relation to the personal data breach, where this non-compliance is also addressed.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/53

Based on the above, a violation of article 5.1.f) of the GDPR is evident, by not guaranteeing adequate security of personal data, including protection against unauthorized or unlawful processing, through the application of appropriate technical and organizational measures.

V Classification and qualification of the infringement of article 5.1.f) of the GDPR

If confirmed, the aforementioned infringement of article 5.1.f) of the GDPR could entail the commission of the infringements classified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

“1. According to the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:

a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”

VI Penalty for non-compliance with article 5.1 f)

According to article 83.2 of the GDPR, “Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

Similarly, article 76 of the LOPDGDD establishes a series of criteria for grading the possible sanction, in line with section k) of the article quoted above:

“In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continued nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the affected party could have led to the commission of the infringement.
e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in cases where there are disputes between them and any interested party.”

Taking into account these provisions, in the present case it is considered that
it is appropriate to graduate the sanction to be imposed in the following terms:

Aggravating factor provided for in section a) of article 83.2 of the GDPR:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;

In the present case, the seriousness of the infringement is evident from several aspects: the considerable number of data subjects affected and of their personal data, as well as the fact that several of those personal data were put up for sale on an electronic messaging network. These circumstances, taken together, increase the potential risk of harm to the affected individuals, since their data may fall into the hands of malicious actors intending to commit fraud, extortion or other criminal activities.

Aggravating factor provided for in section b) of article 83.2 of the GDPR:

b) the intentionality or negligence in the infringement;

In this case, serious negligence on the part of the respondent can be appreciated. In this sense, the Supreme Court has held that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, given that the respondent's activity involves constant and abundant management of personal data, greater rigour and exquisite care are required in order to comply with the provisions (Judgment of the National Court of 17 October 2007, appeal 63/2006).

Aggravating factor provided for in section b) of article 76 LOPDGDD: the link between the offender's activity and the processing of personal data.

This aggravating factor derives from the nature of the respondent's activity. It is clear that, as an insurer, it routinely carries out operations that involve the management and processing of large volumes of personal data. This special link with the personal data it manages implies a greater responsibility for preventing that data from being exposed or improperly processed by unauthorized persons. Conversely, the violation of the principle of confidentiality by entities whose activity presents such a link aggravates the offending conduct, which consequently justifies the application of this aggravating factor.

The occurrence of mitigating circumstances is not appreciated.

Taking into account the general conditions for the imposition of administrative fines established by the aforementioned article 83.2 of the GDPR, and considering the circumstances of the present case, the agreement to initiate proceedings proposed a fine of €1,000,000 (ONE MILLION EUROS) as a sanction.

VII Unfulfilled obligation of article 32

Article 32 “Security of processing” of the GDPR establishes:


“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

It is important to note that the provision quoted above does not establish a list of specific security measures according to the data being processed, but rather imposes on the controller and the processor the obligation to apply technical and organisational measures that are appropriate to the risk that such processing entails, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of data subjects.

Likewise, the security measures must be adequate and proportionate to the risk identified, determining the appropriate technical and organisational measures with regard to pseudonymisation and encryption, the ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability of and access to data after an incident, and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when assessing the adequacy of the level of security appropriate to the risk, particular account must be taken of the risks presented by the processing of data as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data, which could cause physical, material or immaterial damage.

For its part, recital 83 of the GDPR states that “(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”

In the present case, the investigations carried out by this supervisory authority have revealed that, regardless of the breach that occurred, although the respondent party had implemented certain data security measures, they were not sufficient to comply with the requirements of the aforementioned article 32. As indicated, this provision establishes the need to implement appropriate technical and organisational measures to guarantee a level of security appropriate to the risk. The inadequacy or insufficiency of the measures in this case is evident from several statements made by the respondent party itself during the course of those investigations.

Likewise, this entity has confirmed deficiencies in the technical measures deployed (…). This deficiency prevents the respondent party from analysing the activity taking place in the application in question. This makes it more difficult to identify anomalous patterns of use, unauthorized access, or any other form of abuse or misuse of personal data, including misuse by its own personnel.

Furthermore, it is worth referring to the numerous reactive measures adopted by the respondent party after the incident and brought to the attention of this authority during the investigation. The adoption of such reactive measures reveals the absence of certain basic security measures, taking into account the risk derived from its activity.

(…).

Thus, for example, (…), insufficient security measure independent of the
personal data breach.

Although reactive measures are essential to resolve vulnerabilities and prevent future breaches, the need to adopt them highlights an inadequacy or insufficiency of the measures previously in place, which amounts to an implicit recognition by the respondent party that its data security approach had deficiencies.


Finally, the considerable number of users managed by the respondent party in carrying out its activity cannot be overlooked, a circumstance that intrinsically entails a high risk in terms of personal data protection and, consequently, requires the implementation of security measures appropriate to that level of risk. It must be taken into account that, in this context, the risks associated with the processing are amplified by the amount of data managed and the potential seriousness of any breach. This means that any failure in the security measures would not only affect a greater number of individuals, but could also have more serious consequences, both in terms of the impact on those potentially affected and in terms of the respondent party's liability.

Likewise, reference is made to the response given to the third allegation regarding the lack of technical and organizational security measures appropriate to the level of risk, where this non-compliance is also addressed.

Based on the above, the investigative actions and the statements made by the entity itself show, regardless of the incident that occurred and its consequences, that the security measures adopted by the respondent party were not adapted to the risk, taking into account the amount of data it managed.

VIII Classification and qualification of the infringement of article 32 of the GDPR

If confirmed, the aforementioned infringement of article 32 of the GDPR could entail the commission of the infringements classified in article 83.4 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year limitation period:

(…) f) The failure to adopt those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.”


IX Penalty for infringement of Article 32 of the GDPR

Under the terms of the aforementioned Article 83.4 of the GDPR, an infringement of Article 32 shall be subject to “administrative fines up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43”.

Taking into account the aforementioned article 83.2 of the GDPR, in the present case it is considered appropriate to graduate the sanction to be imposed in the following terms:

a) the nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
the number of interested parties affected and the level of damages they have suffered;

In the present case, the seriousness of the infringement arises from the potential risk to the protection of personal data created by the respondent party's failure to adopt basic security measures, taking into account the considerable volume of data it manages and the nature of that data. These circumstances amplify the effects of any personal data breach that may occur, with considerable harm to those who may be affected by it.

b) the intentionality or negligence in the infringement;

Taking into account the doctrine indicated above, this aggravating circumstance derives from the respondent party's lack of due diligence in adopting security measures appropriate to the risk. It must be taken into account that in the present case, given the nature and volume of data managed by the respondent party, a special legal duty of care is required, which has not been met, and this entails serious negligence in its conduct (Judgment of the National Court of 17 October 2007, appeal 63/2006).

Taking into account the general conditions for the imposition of administrative fines established by the aforementioned article 83.2 of the GDPR, and considering the circumstances of the present case, the agreement to initiate proceedings proposed as a possible sanction a fine of €1,000,000 (ONE MILLION EUROS).

X Unfulfilled obligation of article 25 of the GDPR

For its part, article 25 of the GDPR, in relation to Data Protection by design and by default, establishes the following:

“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”

In line with these provisions, recital 78 of the GDPR provides:

“The protection of the rights and freedoms of natural persons with regard to the
processing of personal data requires appropriate technical and
organisational measures to ensure compliance with the requirements of
this Regulation.

In order to be able to demonstrate compliance with this Regulation, the
controller must adopt internal policies and implement measures that comply in
particular with the principles of data protection by design and by default. Such
measures could include, inter alia, minimising the processing of personal
data, pseudonymising personal data as soon as possible, making
personal data processing and functions transparent, allowing data subjects to
monitor data processing and the controller to create and improve
security features.
When developing, designing, selecting and using applications, services and products that
are based on the processing of personal data or that process personal data
in order to fulfil their function, producers of the products, services
and applications should be encouraged to take into account the right to data protection when
developing and designing these products, services and applications, and to ensure,
with due regard to the state of the art, that controllers and processors are able to fulfil their data protection obligations.

The principles of data protection by design and by default should also
be taken into account in the context of public contracts.”

As can be seen, Article 25 GDPR contemplates data protection not as an afterthought, but as an integral and priority element in the design of systems, processes and products. This implies that security measures must be considered from the earliest stages of development of any system or process that handles any type of personal data, which places data protection at the heart of the design of such systems and processes.


The principle of data protection by design reflects a fundamental change from
a reactive to a proactive stance, which is a manifestation of the risk-based approach
promoted by the GDPR, emphasizing anticipation and prevention in the
management of personal data. Under this approach, the responsibility to protect personal
data begins from the earliest stages of planning of any data processing activity. This means that the data controller
must incorporate measures that guarantee its protection at the same time that the processing of personal data is being designed and planned.

Such a proactive approach involves identifying and addressing potential risks from the
outset, by integrating the necessary safeguards directly into data processing processes and
systems.

In this regard, when applying protection by design, all elements that make up data processing must be considered,
including the nature of the data, the purposes of the processing, as well as the possible consequences for the
rights and freedoms of the individuals affected. The aim is to ensure that data protection principles, such as data
minimisation, purpose limitation and data security, are implemented effectively and consistently throughout the entire data
processing lifecycle.

This is stated in the EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and Default, adopted on 20 October 2020. The Guidelines state in this regard that:

“The ‘time of determining the means of processing’ refers to the period of time in which the controller is deciding how the processing will be carried out and the manner in which it will occur, as well as the mechanisms that will be used to carry out such processing. In the process of making such decisions, the controller must assess the appropriate measures and safeguards to effectively implement the principles and the rights of data subjects in the processing, and take into account elements such as the risks, the state of the art and the cost of implementation, as well as the nature, scope, context and purposes. This includes the time of procuring and implementing data processing software, hardware and services.

Taking DPbDD (data protection by design and by default) into account from the outset is crucial for the correct application of the principles and for the protection of the rights of data subjects.

In addition, from a cost-effectiveness perspective, it is also in the interest of controllers to take DPbDD into account as early as possible, since it may later be difficult and costly to introduce changes to plans already made and processing operations already designed.”

To do so, controllers must use the principles set out in Article 5 of the GDPR when designing the processing, which will serve to assess effective compliance with the GDPR. Thus, the EDPB Guidelines 4/2019 provide that

“61. In order to make DPbDD effective, controllers must apply the principles of transparency, lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles are included in Article 5 and recital 39 of the GDPR.”

The AEPD Privacy by Design Guide states that “Privacy by design (hereinafter, PbD) involves using an approach oriented to risk management and accountability to establish strategies that incorporate the protection of privacy throughout the entire life cycle of the object (whether it is a system, a hardware or software product, a service or a process). The object's life cycle is understood as all the stages it goes through, from its conception to its retirement, through the phases of development, production, operation, maintenance and retirement”.

The Guide states that “Privacy must be an integral and inseparable part of the systems, applications, products and services, as well as of the business practices and processes of the organization. It is not an additional layer or module that is added to something pre-existing, but must be integrated into the set of non-functional requirements from the moment it is conceived and designed (…) Privacy is born in the design, before the system is in operation, and must be guaranteed throughout the whole life cycle of the data”.

With regard to the case at hand, during the course of the investigations carried out, it has become clear that no account was taken of the fact that the data of former clients must be kept for purposes other than those that existed while the policy was in force. As stated by the respondent party, the new purpose is limited to compliance with tax and insurance regulatory obligations, among others.

According to its statements, these circumstances had not been taken into account: the data were not physically separated on separate systems, nor was there any logical separation between them, since both types of clients appeared in the same database, and even in the same table (PERSONS). This meant, regardless of the breach suffered, that both insurance agents and insurance brokers had access to the personal data of former clients, even though those clients no longer held a valid policy. In other words, access to personal data was allowed to certain persons who were no longer authorized, since the data subjects were no longer clients and, consequently, the purpose of that processing had already ended, being limited from that moment on to compliance with certain enforceable regulations.

This fact, namely that former clients' data could be accessed by persons who were no longer authorized, shows that not all data protection implications were taken into account at the time of creating the application intended to access and manage said data. In this regard, it should be noted that, unlike the incident that occurred (…), in the present case the anomaly was not due to a supervening cause but existed from the beginning, that is, from the moment of the design and implementation of the application. This is not undermined by the fact that, as a consequence of the incident, this circumstance became known and the respondent party proceeded to adopt reactive measures to solve the problem.


It follows from the above that, at the time of designing the application or system in question, the principles established in article 5 were not adequately taken into account; in particular, the principle of data minimisation and the principle of purpose limitation.

Thus, with regard to the principle of data minimisation, as indicated in the aforementioned article 5 of the GDPR, compliance requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" ("data minimisation"). From the perspective of data protection by design and by default, this means that, from the earliest stages, consideration must be given to which data are really necessary to fulfil the intended objective, and collection and processing must be limited to those data. Similarly, implementing this principle effectively requires careful management of the life cycle of personal data, ensuring that they are processed only for the period strictly necessary for the purposes for which they were collected.

The fact that at the time of creation and implementation of the system the circumstance that, (…), was not taken into account, shows that the system was not
designed taking into account the principle of minimization. The consequence is that
processing takes place for a longer period than was necessary for the
fulfilment of the purpose for which it was initially authorized.

Likewise, with regard to the principle of limitation of personal data, section b) of the aforementioned article 5 of the GDPR requires that “data shall be collected for specific, explicit and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes, …”. This principle implies that, when designing a system or process, the purpose of data collection is clearly defined and limited. This means that, from the conceptualization phase, the purposes for which the data is collected must be clearly established. These purposes must be specific and explicit, and the system must be designed to support only the data processing necessary to achieve those purposes.

Similarly, systems must be designed to control and restrict access to data based on the purpose of the processing, which means that only persons authorized for a specific purpose can have access to data related to that purpose. To do this, systems must be able to segregate and manage data according to their different purposes.

In the case at hand, if mechanisms were not incorporated when designing the application (…), the principle of limitation of personal data is not being taken into account. The system should have taken into account the different purposes existing throughout the processing cycle (for the execution of the contract, for compliance with the regulations) and who is authorized to access said data according to the corresponding phase (mediators, staff, authorities, etc.). Otherwise, the principle of limitation of personal data is violated, since it allows access to data to people who are no longer legitimate.
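As an added illustration of the segregation the decision describes (this is example code written for this page, not the AEPD's or the insurer's), the following Python builds a single PERSONS table holding active and former clients, shows a broker query scoped only by broker that therefore still returns former clients, and beside it a query that requires the caller to state a processing purpose, checks that the role holds that purpose, and returns each record only while its lifecycle phase (contract execution while the policy is in force, regulatory retention afterwards) matches. The role-to-purpose mapping, the column names, the reference date and the sample rows are all constructed assumptions.

```python
"""Purpose-bound access to a shared PERSONS table.

Added example, not code from the AEPD decision or from the sanctioned
insurer. It models the design defect the decision describes (active and
former clients held in one PERSONS table, with brokers querying it
without regard to whether the policy is still in force) next to a
purpose-aware query. Column names, roles, the purpose mapping and all
rows are constructed assumptions for illustration.
"""
import sqlite3
from datetime import date

# Reference date for deciding whether a policy is still in force (assumed).
TODAY = date(2025, 1, 27)

# Which processing purposes each role is authorised for (assumed mapping;
# the decision names mediators, staff and authorities as the phases' actors).
ROLE_PURPOSES = {
    "broker": {"contract_execution"},
    "compliance_staff": {"contract_execution", "regulatory_retention"},
    "tax_authority": {"regulatory_retention"},
}


def build_db():
    """Create an in-memory PERSONS table with constructed sample rows.
    policy_end is NULL while the policy is in force."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE PERSONS (id INTEGER PRIMARY KEY, name TEXT, iban TEXT, "
        "broker_id TEXT, policy_end TEXT)"
    )
    con.executemany(
        "INSERT INTO PERSONS VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Client A", "ES00 0000 0000 0000 0000 0001", "B1", None),
            (2, "Client B", "ES00 0000 0000 0000 0000 0002", "B1", "2021-06-30"),
            (3, "Client C", "ES00 0000 0000 0000 0000 0003", "B2", None),
        ],
    )
    return con


def current_purpose(policy_end):
    """Lifecycle phase of a record: contract execution while the policy is in
    force, afterwards only retention for tax/insurance regulatory duties."""
    if policy_end is None or date.fromisoformat(policy_end) >= TODAY:
        return "contract_execution"
    return "regulatory_retention"


def is_allowed(role, purpose):
    """True if the role is authorised to process data for this purpose."""
    return purpose in ROLE_PURPOSES.get(role, set())


def broker_view_as_designed(con, broker_id):
    """The defect: scoped to the broker only, so former clients come back too."""
    rows = con.execute(
        "SELECT id FROM PERSONS WHERE broker_id = ? ORDER BY id", (broker_id,)
    ).fetchall()
    return [r[0] for r in rows]


def authorized_records(con, role, purpose, broker_id=None):
    """Purpose-aware query: the caller states a purpose, the role must hold it,
    and each row is returned only while its lifecycle phase matches that
    purpose. Brokers are additionally scoped to their own portfolio."""
    if not is_allowed(role, purpose):
        raise PermissionError(f"{role} is not authorised for {purpose}")
    sql = "SELECT id, policy_end FROM PERSONS"
    params = ()
    if role == "broker":
        sql += " WHERE broker_id = ?"
        params = (broker_id,)
    rows = con.execute(sql + " ORDER BY id", params).fetchall()
    return [rid for rid, end in rows if current_purpose(end) == purpose]


if __name__ == "__main__":
    db = build_db()
    print("as designed, broker B1 sees:", broker_view_as_designed(db, "B1"))
    print("purpose-bound, broker B1 sees:",
          authorized_records(db, "broker", "contract_execution", "B1"))
    print("tax authority, retention purpose:",
          authorized_records(db, "tax_authority", "regulatory_retention"))
```

The point of the purpose parameter is that the authorisation decision is made per record and per phase, not once per user: a broker keeps seeing a client only while the contract purpose is live, and a record that has moved into the retention phase becomes reachable only to the roles that hold that purpose, without any data having to be physically moved between tables.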

On the other hand, the lack of a data protection approach from the beginning and by default also arises from the reactive measure carried out by the defendant party itself after the incident to resolve the problem and which consisted of (…). This measure was necessary, but its late implementation indicates a lack of data protection by design and by default from the beginning. Data protection by default requires that measures are applied automatically, without requiring additional actions from the data controller or the user.

Finally, it is also worth highlighting the nature of the activity of the respondent party, which as an insurance company manages a large volume of personal data, collecting and processing a significant amount of it, including sensitive information related to the health, finances, and other personal data of its clients, including minors. The high volume of data, as well as its nature, increases both the complexity and the potential risk associated with its processing, which requires greater rigour in adopting a data protection approach by design and by default. It must be taken into account that, in massive data processing as occurs in the present case, any failure in the protection measures can have significant implications for a large number of individuals, so it is crucial that the entities that manage them implement systems and processes that incorporate security measures from the beginning.

For the reasons stated above, (…), despite having been subsequently resolved, it shows the breach of article 25 of the GDPR, as adequate measures have not been adopted that comply with the principles of data protection by design and by default.

XI Classification of infringement of Article 25 GDPR

The infringement of Article 25 GDPR is classified in Article 83.4 of the
same legal text, according to which:

“Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 10 000 000 or, in the case of an undertaking, not more than 2% of the total annual turnover of the previous financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;”

As regards the limitation period, the infringement mentioned in the previous paragraph is considered serious and is subject to a two-year limitation period, in accordance with article 73 d)
of the LOPDGDD, which establishes that:

“In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered serious and subject to a two-year limitation period:

d) The failure to adopt those technical and organisational measures that are
appropriate to effectively apply the principles of data protection from
the design stage, as well as the failure to integrate the necessary guarantees in the processing, in
the terms required by article 25 of Regulation (EU) 2016/679.”


XII Penalty for infringement of Article 25 of the GDPR

Under the terms indicated by the aforementioned Article 83.4 of the GDPR, infringement of Article 32 shall be punished “with administrative fines of a maximum of 10,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year, whichever is the highest”.

Furthermore, taking into account Article 82.2 of the GDPR and Article 76 of the
LOPDGDD, in the present case it is considered that the penalty to be imposed should be graded in the following terms:

- Article 82.2 b) of the GDPR: “the intentionality or negligence in the infringement;”

According to the aforementioned jurisprudential doctrine, this aggravating circumstance is also applicable in the present infringement, since, from the investigation actions, it is clear that the defendant party lacked due diligence at the time of designing the application that was intended for the management of the data of its clients by the intermediaries. The fact that the different purposes of the processing were not taken into account and that, as a consequence, the intermediaries could continue to access the data of their former clients shows serious negligence in its implementation, in the terms indicated by the aforementioned judgment of the National Court of 17 October 2007 (appeal number 63/2006).

- Article 76 b) of the LOPDGDD: “b) The link between the activity of the infringer with the processing of personal data.”

The occurrence of the aforementioned aggravating factor is a consequence of the nature of the activity of the offending entity, which, as an insurer, carries out activities that involve the management and processing of large volumes of personal data as a fundamental part of its operation. This special connection with the personal data it manages implies a greater responsibility to guarantee its protection from the design stage and, consequently, there is a greater expectation of compliance with the regulations in this area. On the contrary, failure to comply with these requirements means an amplification of the possible risks, which justifies the occurrence of the mentioned aggravating factor.

Taking into account the general conditions for the imposition of administrative fines established by the aforementioned article 83.2 of the GDPR, as well as the circumstances of the present case, the initiation agreement proposed a fine of €2,000,000 (TWO MILLION EUROS) as a sanction.

XIII Sanction for the infringement of article 35 of the GDPR

Article 35, in relation to the Impact Assessment on data protection,
establishes the following:

“1. Where a type of processing, in particular using new technologies, is likely, by its nature, scope, context or purposes, to result in a high risk for the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the processing operations on the protection of personal data. A single assessment may cover a number of similar processing operations involving similar high risks.

2. The controller shall seek the advice of the data protection officer, if appointed, when carrying out the data protection impact assessment.

3. The data protection impact assessment referred to in
paragraph 1 shall be required in particular in the case of:

a) systematic and in-depth assessment of personal aspects relating to natural persons which is based on automated processing, such as profiling, and on the basis of which decisions are taken which produce legal effects concerning natural persons or similarly significantly affect them;

b) large-scale processing of special categories of data referred to in
Article 9(1) or personal data relating to criminal convictions and
offences referred to in Article 10, or

c) large-scale systematic monitoring of a publicly accessible area.

4. The supervisory authority shall establish and publish a list of the types of processing operations that require a data protection impact assessment in accordance with paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

5. The supervisory authority may also establish and publish the list of the types of processing that do not require data protection impact assessments. The supervisory authority shall communicate those lists to the Board.

6. Before adopting the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 if those lists include processing activities that relate to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or processing activities that may substantially affect the free flow of personal data within the Union.

7. The assessment shall include at least:
a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations
in relation to their purpose;
c) an assessment of the risks to the rights and freedoms of data subjects
referred to in paragraph 1; and
d) the measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data, and to
demonstrate compliance with this Regulation, taking into account the rights and legitimate
interests of data subjects and other affected persons.

8. Compliance by the controllers or processors concerned with approved codes of conduct referred to in Article 40 shall be duly taken into account when assessing the impact of processing operations performed by such controllers or processors, in particular for the purposes of the data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives concerning the intended processing, without prejudice to the protection of public or commercial interests or the security of processing operations.

10. Where processing pursuant to Article 6(1)(c) or (e) has its legal basis in Union law or in the law of the Member State to which the controller is subject, such law governs the specific processing operation or set of operations concerned, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States consider it necessary to carry out such an assessment prior to the processing activities.

11. Where necessary, the controller shall examine whether the processing complies with the
data protection impact assessment, at least where there is a
change in the risk posed by the processing operations.”

The need to implement a data protection impact assessment (DPIA) is a consequence of the principle of proactive responsibility provided for in the GDPR itself, and is a fundamental tool to ensure that entities whose processing presents certain characteristics manage and treat personal data in a responsible, secure manner and in accordance with the regulations in this matter, thus protecting the rights of their owners and strengthening trust in their operations.

The purpose of the DPIA, as established in the aforementioned article 35 of the GDPR, is multiple and focuses on ensuring the protection of the personal data of individuals. Among these purposes we can highlight:

- Identify and assess the potential risks to the rights and freedoms of individuals that could arise as a result of the processing of personal data. This is especially important when new technologies are used or massive data processing is performed.

- Helping organisations comply with the GDPR, as it ensures that regulatory requirements related to data protection are respected by design and by default.

- Implementing risk mitigation measures. Based on the risks identified, the DPIA guides entities in implementing appropriate measures to mitigate these risks. This may include adjustments to the way personal data is collected, stored, processed or shared.

- Preventing potential damage and/or data breaches, as through proactive identification and risk mitigation, the DPIA helps prevent data breaches and other damage that could result from inappropriate processing of personal data, which may lead to legal consequences.

In the present case, with regard to this requirement and as stated by the respondent itself during the course of the investigation, it is only possible to see the existence of a document where a general analysis or description of the processing was carried out with the purpose of determining the need to carry out a data protection impact assessment (DPIA), concluding that the processing has a low level of impact and, therefore, that it was not necessary to carry out this DPIA. However, taking into account the characteristics of the nature and functions of the respondent, this diagnosis turned out to be incorrect, for the reasons set out below.

Firstly, it should be noted that the respondent manages a considerable volume of clients, which consequently entails a large-scale processing of the personal data of said owners. In this sense, the greater the volume of data processed, the greater the potential risk of security breaches and data violations. This is due, among other reasons, to the attractive amount of
information that it represents for cybercriminals, as well as the increased
complexity of processing data on a large scale in a secure manner. Likewise,
as the volume of data increases, it becomes more complex to guarantee the
rights of data subjects, such as access to their data, rectification, deletion
or portability.

Based on these circumstances, the need arises for a prior preparation
of a DPIA as a fundamental instrument to mitigate the risks associated with the
large-scale processing of personal data, as occurs in insurance entities with a national and/or international scope of action. In massive volumes
of data processing, this assessment allows risks to be proactively identified and
addressed before they occur, developing possible mitigation measures,
which is essential to protect the rights and freedoms of individuals in the
context of large-scale data processing.

Secondly, it is also worth referring to the amount of personal data that, in entities of this nature, are collected from each client. When we talk about the amount of personal data processed by an insurer for each client or person, we are referring to a potentially extensive and detailed set of information. In this sense, insurers, due to the nature of their services, collect and process a wide variety of personal data, which may include: identification data, contact information, financial and banking data, employment and education, behaviour and preferences, previous claims, derived and analytical data, among others, including special category data, which will be referred to later.

It should be noted that a large amount of detailed data about individuals
increases the risk of this data being misused, either
internally by the organisation or by third parties who may access it without
authorisation. Large databases of personal information, such as those
managed by insurers, are extremely attractive to cybercriminals,
since they include financial and personal identity details, which can be
exploited for fraud, identity theft, or sale on the black market. Therefore, the
vast amount of personal data processed per client makes DPIAs
essential, not only to comply with the formal requirement, but also to
ensure the effective protection of individuals' rights and freedoms.

Finally, reference should be made to the processing of special categories of personal data provided for in Article 9 of the GDPR. These special categories include data that reveal ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person.

The main characteristic of the processing of this type of special categories of data is the provision of greater protection with respect to the rest of the data,
only allowing their processing when one of the circumstances provided for in the aforementioned article 9 of the GDPR occurs. Taking into account this additional
protection, the implementation of a DPIA is even more justified. In fact, the third section of Article 35 of the GDPR itself provides that the cases in which a DPIA is expected to be required include “large-scale processing of special categories of data referred to in Article 9, paragraph 1”.

In the case of insurance companies, as is the case with the respondent party in this case, the processing of these special categories of personal data mainly affects health data, since this type of data is usually collected for the purchase of certain products. This type of data is, of course, collected for the arrangement of the health insurance offered by the insurance company itself. But this information is also collected on several occasions for other types of insurance, in order to determine the premiums in a fair and accurate manner, based on the level of risk that has been assessed after obtaining this information.

Regardless of whether it is expressly provided for in Article 35, the processing of health data by insurers presents significant risks that fully justify the implementation of a DPIA, as it is essential to ensure that the specific risks associated with these data are adequately identified and mitigated. Given its sensitive nature, the processing of health data carries with it high risks for the fundamental rights and freedoms of individuals. This includes the risk of discrimination, stigmatisation and damage to personal reputation.


In short, in the case at hand and without prejudice to what may result from the instruction of this procedure, taking into account the volume of data processed, including those of special categories, the technological changes that have occurred in recent years, as well as the risks that third parties may appropriate said data in an illicit manner, leads to the conclusion that the respondent party should have carried out a DPIA. This instrument seeks to better understand the existing risks and the impacts that may occur in the processing and to try to ensure the confidentiality, integrity and availability of personal data, thus minimising the risk of data breaches and guaranteeing the protection of the rights and freedoms of individuals. Failure to carry out said DPIA entails, on the contrary, a breach of the aforementioned article 35 of the GDPR.

XIV Classification and qualification of the infringement of article 35 of the GDPR

If confirmed, the aforementioned infringement of article 35 of the GDPR could entail the commission of the infringements classified in article 83.4 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, of an amount equivalent to a maximum of 2% of the total global annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates: “In accordance with the provisions of article 83.4 of
Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles
mentioned therein and, in particular, the following are considered serious and will be subject to a two-year limitation period:

(…) t) The processing of personal data without having carried out an assessment of the
impact of the processing operations on the protection of personal data in the
cases in which this is required.”

XV Possible sanction for infringement of article 35 of the GDPR

Under the terms indicated by the aforementioned article 83.4 of the GDPR, infringement of article 35 shall be sanctioned “with administrative fines of EUR 10,000,000 as a maximum or, in the case of a company, an amount equivalent to 2% as a maximum of the total global annual turnover of the previous financial year, opting for the highest amount”.


Furthermore, taking into account article 82.2 of the GDPR and article 76 of the
LOPDGDD, in the present case it is considered that the sanction to be imposed
should be graduated in the following terms:

- Article 82.2 b) of the GDPR: a) the nature, seriousness and duration of the
infringement, taking into account the nature, scope or purpose of the
processing operation in question, as well as the number of data subjects
affected and the level of damage they have suffered;

In the present case, the seriousness of the infringement arises both from the volume of
personal data and the nature of the same, given that they include
special categories. Such circumstances aggravate the infringing conduct
of not having carried out the DPIA despite being obliged to do so, since the
failure to comply with this obligation increases the risk that the owners of said data
may suffer in their rights and freedoms.

- Article 82.2 b) of the GDPR: “the intentionality or negligence in the infringement;”

According to the aforementioned case law, this aggravating circumstance is also applicable to the present infringement, since, from the investigation actions, it is clear that there was a lack of due diligence in not having carried out the DPIA despite the fact that the nature of the activity and the personal data processed indicated its necessity; all of this in the terms indicated by the aforementioned judgment of the National Court of 17 October 2007 (appeal number 63/2006).

- Article 76 b) of the LOPDGDD: “b) The link between the offender's activity with the processing of personal data.”

The occurrence of the aforementioned aggravating factor is also a consequence of the nature of the activity of the offending entity, which, as an insurer, carries out activities that involve the management and processing of large volumes of personal data as a fundamental part of its operation. This special link with the personal data it manages implies a greater responsibility to guarantee its protection and, consequently, the failure to carry out the DPIA in these circumstances aggravates the conduct, justifying the occurrence of the aforementioned aggravating factor.

Taking into account the general conditions for the imposition of administrative fines established by the aforementioned article 83.2 of the GDPR, taking into account the circumstances of the present case, the agreement to initiate the procedure proposed a fine of €1,000,000 (ONE MILLION EUROS) as a sanction.

XVI Adoption of measures

In accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, each supervisory authority may "order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...". The
imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.

In the present case, the controller is required to notify this Agency within three months of notification of this resolution of the adoption of the following measures:

- The completion and passing of the impact assessment of the processing operations on the protection of personal data provided for in article 35 of the RGPD, with the minimum content indicated in said article, as well as the
result of said assessment.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

XVII Voluntary payment

In accordance with the provisions of article 85 of the LPACAP, in the initiation agreement, the defendant was offered the recognition of its liability within the period granted for the formulation of allegations to this initiation agreement; which will entail a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the penalty would be established at 4,000,000 euros, the procedure being resolved with the imposition of this penalty.

Likewise, in the aforementioned agreement and in accordance with the indicated provision, it was allowed, at any time prior to the resolution of the present procedure, to make the voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at 4,000,000 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

It was also indicated that the reduction for the voluntary payment of the penalty is cumulative with the one that must be applied for the recognition of responsibility, in which case, if both reductions were to be applied, the amount of the penalty would be set at 3,000,000 euros.

After the presentation of the allegations, and before the resolution proposal was issued by this authority, the respondent party, on April 12, 2024, proceeded to make the voluntary payment without acknowledging its responsibility, taking advantage of the 20% reduction and waiving any action or appeal through administrative means, also stating its intention to challenge the aforementioned resolution before the contentious-administrative jurisdiction.

It should be noted that, in accordance with the provisions of the LPACAP, as well as the jurisprudence of the high court in this matter, the exercise of voluntary payment by the alleged responsible party does not exempt the administration from the obligation to resolve and notify all procedures, whatever their form of initiation. Likewise, article 88 of the aforementioned rule establishes that the resolution that ends the procedure will decide all the issues raised by the interested parties and any other issues arising from it.

Based on the above premises, taking into account also that the respondent party, prior to the voluntary payment, proceeded to lodge the allegations it deemed appropriate against the initiation agreement, the present authority has proceeded to answer and refute each of them, carrying out a detailed analysis and legally justifying the imputation of the infringements that are confirmed in the present act, thus avoiding any defencelessness and allowing a greater understanding regarding the issues raised by the respondent party.

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency

RESOLVES:

FIRST:
TO DECLARE the commission of the following infringements and CONFIRM, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the penalties indicated in the initiation agreement for the commission of the aforementioned infractions:

For the violation of article 5.1.f): €1,000,000 (ONE MILLION EUROS)

For the violation of article 32: €1,000,000 (ONE MILLION EUROS)

For the violation of article 25: €2,000,000 (TWO MILLION EUROS)

For the violation of article 35: €1,000,000 (ONE MILLION EUROS)

The sum of the aforementioned amounts gives a total amount of €5,000,000 (FIVE
MILLION EUROS).

After the defendant party made prompt payment, although without acknowledging liability, pursuant to article 85 of the LPACAP, a 20% reduction of the total amount mentioned is made, which represents the final amount of €4,000,000 (FOUR MILLION EUROS).

SECOND:

TO DECLARE the termination of the procedure due to the prompt payment made by
GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS, with
NIF A28007268, pursuant to the provisions of article 85 of the Law on Common Administrative Procedure of Public Administrations.


THIRD:
TO REQUIRE GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS to notify this Agency within three months from the notification of this resolution of the adoption of the following measures:

- The completion and passing of the impact assessment of the processing operations on the protection of personal data provided for in article 35 of the GDPR, with the minimum content indicated in said article, as well as the result of said assessment.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

FOURTH:
In accordance with the provisions of article 85 of the LPACAP, which conditions the reduction for voluntary payment on the withdrawal or waiver of any action or appeal through administrative means, this authority accepts the waiver expressly stated by the respondent party, and consequently there is no room for the filing of an optional appeal for reconsideration against this resolution, all without prejudice to the possibility of resorting to the contentious-administrative jurisdictional route.

Consequently, taking into account the provisions of article 90 of the LPACAP, since no appeal may be made through administrative channels, as the interested party has expressly waived it, this decision will be fully enforceable from the moment it is notified.

However, in accordance with the provisions of article 90.3 a) of the LPACAP, the final decision may be provisionally suspended through administrative channels if the interested party expresses its intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The Agency must also be provided with the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will be terminated.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
