AEPD (Spain) - PS/00028/2022

From GDPRhub
Revision as of 15:10, 27 February 2023 by 10.90.129.155 (talk)
AEPD - PS-00028-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
72, 73, 77 Spanish Data Protection Act
Type: Complaint
Outcome: Upheld
Started: 31.03.2021
Decided:
Published: 03.02.2023
Fine: n/a
Parties: Getafe City Council
National Case Number/Name: PS-00028-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mapez

The Spanish DPA imposed a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR by making available online during several months the personal data of data subjects without their consent.

English Summary

Facts

On 31 March 2021, the City Council of Getafe (controller) accidentally published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The Excel sheet included several categories of data, such as name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list.

On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. After this, the controller unlinked the Excel sheet from its website, so that it would not be available when navigating the controller website. There was therefore no way to reach the Excel sheet any longer, navigating the controller's website. However, the Excel sheet itself was not deleted from the internet and stayed online as an "orphan document" until 24 January 2022. This meant that the Excel sheet could still be accessed, when typing the exact URL in the browser. People who were aware of the exact URL, could therefore still access the Excel sheet.

Despite the fact that the Excel sheet stayed online for several months after the initial complaint of the applicant, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through the exact URL and not through any linking on the controller's website. Also, the controller had not identified any serious harm as a result of this data breach.

Holding

First, the DPA found a violation of Article 5(1)(f) GDPR, since the publication of the Excel sheet online enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.

Second, the DPA found a violation of Article 32 GDPR, because the controller failed to properly remove the Excel sheet from its website and did not involve its own IT services in the process. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks as a result of the breach. The controller should have considered potential further risks.

Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the level of severity of the data breach. In this case, the DPA found that such a confidentiality breach as in the present case would have justified a notification to the DPA, which the controller did not undertake.

On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringement of Articles 32 and 33 GDPR as "serious" offences, whilst the violation of Article 5(1)(f) was considered a "very serious" offence. The DPA issued a warning pursuant to Article 77 LOPDGDD.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

https://www.aepd.es/es/documento/ps-00028-2022.pdf