APDCAT (Catalonia) - PS 57/2023
From GDPRhub
| APDCAT - PS 57/2023 | |
|---|---|
 | |
| Authority: | APDCAT (Catalonia) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Artículo 85, Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas (LPAC) |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 23.01.2024 |
| Published: | |
| Fine: | 3000 |
| Parties: | Eulen, Servicios sociosanitarios SA |
| National Case Number/Name: | PS 57/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Catalan, Valencian |
| Original Source: | Autoritat Catalana de Protecció de Dades (in CA) |
| Initial Contributor: | lm |
The Catalan DPA fined a controller €3000 for violating the principle of confidentiality when it sent emails to numerous family members of patients at an occupational health center without using the blind copy option.
English Summary
Facts
On 18 February 2023, 5 May 2023, 8 May 2023, 10 May 2023 and 14 June 2023, the Catalan DPA received a number of complaints against Eulen, Servicios sociosanitarios SA (the controller), an occupational center for people with disabilities. The complaints claimed that on six occasions, employees of the controller sent several emails to the family and guardians of patients without using the blind copy option (BCC).
The emails were sent on separate occasions and by different employees. The incidents involved mailing lists of over 50 data subjects, which differed in each instance. As a result of the failure to BCC, the names, surnames and email addresses of several data subjects, as well as their status as ‘family and guardians’, were disclosed to unauthorized third parties. Because some email addresses featured a corporate domain, the disclosure in some cases permitted inference of the organization to which data subjects belong.
In response to the complaints, the DPA initiated an investigation. In its defense brief, the controller stated that the lack of BCC had been caused by human error and a breach of internal procedures, as the usual operation according to distributed employee instructions was to BCC email addresses. The controller also stated that it carried out periodic trainings in data protection. With regard to the creation of mailing lists, it stated that family members voluntarily provided their electronic address information at the beginning of service.
After the investigation had already been initiated, the DPA received additional complaints against the controller for the same breach of personal data via emails sent without BCC. In response to these complaints, the DPA initiated a disciplinary procedure against the controller on 3 October 2023 for violating Article 5(1)(f) GDPR.
Holding
On 1 January 2024, the investigator for the Catalan DPA proposed a fine of € 3000 for the controller’s infringement of Article 5(1)(f) GDPR’s principle of confidentiality.
On 16 January 2024, the controller submitted a letter acknowledging its responsibility for the acts and stated that it had made a voluntary payment advance of € 1800.
In assessing the adequacy of the sanction, the DPA considered the responsibility of the controller for the emails. The DPA considered that, even where human error in breach of company policy occurs, the responsibility for lack of diligence of personnel must be answered by the controller. The DPA also took into account mitigation and security measures taken by the controller, including continued training efforts and a new protocol introducing warnings where a large number of non-corporate emails are included in an email. Based on these considerations, the DPA concluded that a sanction of € 3000 was appropriate.
In accordance with Article 85(3) of the LPAC, the DPA noted that where a controller has acknowledged responsibility or made the voluntary payment of a pecuniary penalty, a reduction of 20% to the penalty is appropriate. Where both are done, a 40% reduction is warranted. In this case the controller both acknowledged its responsibility and paid a 60% advance of the total penalty. The DPA thus considered that the penalty should be reduced 40% to € 1800, which the controller had paid.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
File identification
Resolution of sanctioning procedure no. PS 57/2023, referring to Eulen, Services
Sociosanitarios, SA
Background
1. On 18/02/2023, the Catalan Data Protection Authority received a
complaint against Eulen, Servicios sociosanitarios, SA (from now on, Eulen), with reason
of an alleged breach of the regulations on the protection of personal data. In
concretely, the reporting person (henceforth, reporting person A) stated that, in
date 06/17/2022, Eulen, concessionaire that manages the Llar residence and Centre
Ocupacional Torremar (from now on, Torremar), "has published my email address
email to a whole distribution list made up of about 50 email addresses
open electronic, so that everyone on this list has received them
everyone's email addresses.”
Complainant A provided a copy of an electronic message sent on the day
06/17/2022, at 3:50 p.m., by (...), from the email address (...). This message
it was sent to a plurality of electronic addresses, including his, without being used
the blind copy option (BCC). In the aforementioned email, the addresses
electronics were mostly identified in a first term with the name and an o
two surnames of the recipient, followed by the full email address. For
as for the body of the message, it was addressed to "familias y tutelas" and contained a short text of
informative about the centre's range of activities.
This complaint was assigned complaint number IP 95/2023.
2. Also on 02/18/2023, the Authority received another complaint against Eulen,
due to an alleged breach of data protection regulations
personal Specifically, the reporting person (henceforth, reporting person B)
exhibited:
— That "The residence and CO Torremar (...) has transferred management to the company Eulen
Sociosanitarios (...) has published and disseminated my email address, to one
plurality of recipients included in a distribution list."
— That "At no time have I authorized either the Generalitat de Catalunya, or the
concessionaire of the Eulen management to publish, issue or disseminate any personal data
to third parties."
The reporting person provided a copy of the same electronic message mentioned in
the antecedent 1.
This complaint was assigned complaint number IP 96/2023.
3. On 05/05/2023 and 05/10/2023, the Spanish Data Protection Agency (AEPD) will
transfer to this Authority two complaints with subjective identity with the IP complaint
95/2023, in which the reporting person A set out, for what is of interest here:
1/16 — That "Eulen Sociosanitarios, has sent communications by email to one
plurality of more than 50 different recipients without hidden copy, so that
spread the email account of all these people.”
— That "the distribution list of the 3 emails that have been detected are different, the
which implies that there is no single official distribution list that contains all of them
relatives and guardian entities of the people residing in Torremar but not se
have created different distribution lists without any type of control (…).”
— That "The different mails have been sent by different workers from Eulen, lo
que quiere decir, that it has not been the product of a one-off error by a trabajador but
that Eulen's workers do not have adequate training and/or that they do not exist
technical and organizational measures necessary to guarantee the security of
data processing.”
— That "Two of the distribution lists have more than 50 email accounts and the other
has more than 60 email accounts; therefore, the number of people affected is
considerable.”
— That "(...) the email accounts that have been published or disseminated are from people who
they have disabled relatives in said residence and that, therefore, can be done
a disabled person's family email account association (…)."
— That "(...) in all distribution lists numbers and surnames are shown and, a
then the number of the email account, a clear association is produced
number and surnames - email account (…).”
The reporting person A provided a copy of the same electronic message mentioned in a
the antecedent 1.
4. On 05/05/2023, the AEPD sent the Authority a new complaint against Eulen,
due to an alleged breach of data protection regulations
personal Specifically, the reporting person (henceforth, reporting person C),
set out the same facts that the reporting person A had indicated in his
complaints and that have been reproduced in the precedent 3.
The reporting person C provided a copy of the same electronic message mentioned in a
the antecedent 1 and, in addition, other messages that are related below:
— Message sent on 10/23/2020, at 9:54 a.m., by (...) to a plurality of addresses
electronic, without using the CCO option, including that of the reporting person.
Many of these e-mail addresses contain the first and last names or surnames
of its holders and a corporate domain, which in some cases allows to infer
the organization to which they belong (fundaciosantaclara, cataloniafundacio, latutela,
somfundacio, aspanin, kibuk). This message is signed by (...), addressed to "families" and
contains information related to the use of the Zoom platform.
— Message sent on 5/11/2021, at 9:33 a.m., by (...) to a plurality of addresses
electronic, without making use of the CCO option, including that of the person
2/16 complainant. Some of these electronic addresses contain the first and last name
of its owners and a corporate domain (segurosdkw, fundaciosantaclara,
cataloniafundacio, latutela, somfundacio, aspanin, kibuk). This message is signed by him
(...), is addressed to "families and guardianship entities" and contains information about menus of the
month of november
This complaint was assigned complaint number IP 242/2023.
5. In relation to complaint no. IP 96/2023, on 08/05/2023 the AEPD sent a
other complaint against Eulen, in which the complainant B presented identical facts that
the person denouncing A in his complaints before the AEPD and which have been reproduced in
the antecedent 3.
6. In relation to complaint no. IP 242/2023, on 05/10/2023 had entry to
the Authority another complaint against Eulen, due to an alleged breach of the
regulations on personal data protection. Specifically, the complainant C
presented, for what is of interest here:
— That Eulen “sent e-mail communications to a plurality of more than
50 recipients on different occasions and on different distribution lists without copying
hidden, so the email account of all of them has been broadcast
people and in some emails, including the first and last name.”
— That "(...) the distribution list of the 3 emails that have been detected are different, something
which implies that there is no single "official" distribution list that contains all the
relatives and guardian entities of the people residing in Torremar but who have left
creating different distribution lists without any control.”
— That "(...) have detected these shipments in the years 2020, 2021 and 2022 which is a
very broad period of time. (...) This wide period of time shows
that it was not a one-off incident and that the workers did not have the
adequate training on the protection of personal data and/or there is none
no protocol or organizational measure to protect that data.”
— That "The different emails have been sent by different company personnel
Eulen, which means that it was not the product of a one-off error by a worker
but that Eulen's workers do not have the appropriate training and/or that there is none
technical and organizational measures necessary to guarantee the security of the treatment
of the data.”
— That “Two of the distribution lists have more than 50 email accounts and the other has
more than 60 mail accounts; therefore, the number of people affected is
considerable.”
— That "The context in which the postal items are located must be taken into account, one
residence and occupational center for disabled people, so that the
Email accounts that have been published or disseminated are from people who have family members
disabled in this residence and that, therefore, an association of
disabled person's family email account (...)."
3/16 — That "In this case, the creator of the distribution lists, in addition, has added
first and last names and then the name of the mail account and the extension that identifies it
the entity, company or group to which it belongs. Thus, the accounts of
mail from different entities and corporations, e.g. you can see mails from the
Catalonia Foundation, of La Tutela, We are Foundation, Generalitat de Catalunya, the College
Barcelona Lawyers, Aspanin, etc. It produces a clear and dangerous association
between first and last name_email account_entity or collective to which it belongs, fact that without
doubt is much more serious because different data have been published together that can facilitate
the identification of a person or the creation of a specific profile. This denotes (...) the
lack of adequate training of the people who created each of the lists
of distribution.”
The reporting person C provided a copy of the same electronic messages described in
the antecedent 4.
7. Also on 05/10/2023, the Authority received five more complaints against
Eulen, due to an alleged breach of data protection regulations
personal Specifically, whistleblowers (henceforth, whistleblowers
D, E, F, G and H) highlighted the same facts and in the same terms as they have
reproduced in antecedent 6 and provided a copy of the same electronic messages described
in the antecedent 4.
These complaints were assigned the numbers IP 246/2023, IP 247/2023, IP 249/2023,
IP 252/2023 and IP 253/2023.
8. On 14/06/2023, complainant A expanded his previous complaint (IP
95/2023) against Eulen through a letter in which he set out:
— That “there has been a new mailing without a blind copy to a new list of
distribution, from a new Eulen email account and with the signature of (...).”
— That "(...) it is important that an audit be carried out at Eulen mercantile on the
compliance with each and every one of the requirements and conditions regarding data protection
of a personal nature to the residents and their families."
On this occasion, the complainant provided a copy of an electronic message sent
on 05/31/2023, at 12:57 p.m., by (...), from the electronic address (...), to a
plurality of emails without using the BCC option. In this message
electronic, two addresses were identified in a first term with the name and one or two
surnames of the recipient and, then, the full email address. In regard
for the rest of the recipients, there was only the email address, which in the majority of
cases was composed of initials and a full surname. As for the body of the
message, was addressed to "families" and contained a short informative text about
the center menus.
9. On 14/06/2023, the Catalan Data Protection Authority received a
new complaint against Eulen, due to an alleged breach of the regulations
on personal data protection. The reporting person (henceforth, person
complainant I) stated that "on several occasions they have sent emails to relatives and
4/16 guardianship entities where they have not hidden the recipients' emails
(...).”
The reporting person provided copies of the following electronic messages — some
of which had already been presented together with the previous complaints—, in which no
the BCC option had been used and that they were addressed to numerous electronic addresses,
among which was that of the reporting person I:
— Message sent on 11/06/2019, at 1:20 p.m., from the account (...), with
the matter "Informative newsletter Torremar Vol. 7.”
— Message sent on 09/23/2021, at 1:34 p.m., from the account (...), with
the matter "resumption of two external activities C.O Torremar."
— Message sent on 05/11/2021, at 9:33 a.m., from the account (...), with
the subject "Menu November 2021."
— Message sent on 06/17/2022, at 3:50 p.m., from the account (...), with
the matter "Comunicado Centro Ocupacional Torremar."
— Message sent on 08/01/2023, at 12:30 p.m., from the account (...), with
the subject "Torremar contact phone number - 08/01 and 01/09."
— Message sent on 05/31/2023, at 12:57 p.m., from the account (...), with
the subject "June Menus."
This complaint was assigned complaint number IP 313/2023.
10. Given the previous complaints, the Authority initiated a preliminary investigation to determine
if the facts were likely to motivate the initiation of a disciplinary procedure, yes
with what is foreseen in article 7 of Decree 278/1993, of November 9, on the
sanctioning procedure for application to areas of competence of the Generalitat, i
article 55.2 of Law 39/2015, of October 1, on the common administrative procedure of
public administrations (LPAC).
In this information phase, on 03/07/2023 the reported entity was required
to report the reasons why the CCO option was not used in the shipment
of the mentioned electronic messages. He was also asked how many lists of
distribution had and the reason why the email address of some users is related to it
with their first and last names, so that they appear visible. Finally, it was requested
to Eulen if there was any protocol or instruction on the use of e-mail and if there was any
Torremar staff trained in data protection.
11. On 07/18/2023, Eulen responded to the request with a letter in which he explained,
in summary, the following:
— Which "provides the Home-Residence and Occupational Center Management Service for
people with intellectual disabilities "Torremar" since October 2017. Acting,
in this case, como encargado del tratamiento [according to the contract formalized with the
5/16 Department of Work, Social Affairs and Families, currently Department of Rights
Social]."
— That "The volume of emails sent to families is
approximately 30 monthly mails”.
— That "(...) the sending of e-mails to the family distribution group
has been caused by a 'human error - breach of internal procedures',
since it has been verified that the usual operation is to use a shipment with CCO."
— That, with regard to the management of distribution lists, "the Directorate of Residence nos
convey that there are no more distribution lists."
— That, with regard to the creation and modification of distribution lists, "the mailers
family members' electronic files are provided, voluntarily, at the beginning of the
provision of the service (…) for effective communication with them.”
— That they have an "instruction on security measures to comply with the
regulations for the protection of personal data in which the measures of
minimum security that must be applied in any support, computer device
or software from any of the companies that are part of the Eulen Group where it is
store personal data."
— That [in the previous instruction] it is specifically detailed that “If you are going to send a mail
electronically to several recipients at the same time, the hidden copy (CCO) will be used.”
— That, based on the aforementioned instruction, "to facilitate compliance with the
instruction in the services, especially in the socio-sanitary, was created (...) one
guide with a more accessible format. This guide was sent to the socio-sanitary centers
last October 10, 2022.”
— That, with regard to the training provided in the field of data protection to staff
d'Eulen, carries out "periodically, trainings and awareness actions in
this matter." It then lists various formations and campaigns of
awareness carried out by the company.
— That "it is perfectly certified that Eulen Servicios Sociosanitarios, S.A. has
acted with due diligence applying the measures, both technical and
organizational, necessary to avoid the exposure of personal data. (…) me
client [Eulen] has worked diligently so that this type of case does not return
to happen."
The reported entity attached the following documentation to the letter:
— Copy of electronic messages that have been the subject of a complaint.
— A sample of several electronic messages sent with the BCC option.
— The instruction "Safety measures for compliance with the regulations of
protection of personal data". This instruction contains a specific dedicated section
6/16 to the use of e-mail in which, among other indications, it appears "If it is sent
an email to several recipients at the same time, the blind copy (BCC) will be used.”
— The "Guide to technical and organizational measures for the protection of information", la
which also contains instructions in the same sense as the previous one regarding shipping
of electronic messages to various recipients. In addition, in the same guide it is indicated
that "is obligatory and has a binding character with respect to the relationship
contract with the worker (...).”
— The Eulen Group's "Personal Data Protection Decalogue".
— The “Corporate policy for the protection of personal data.”
— The document "Good practices for the use of collaborative tools."
— The document "Confidentiality in the treatment of personal data."
— Various certificates and information relating to training in data protection and
cyber security performed by Eulen.
— Copy of a thread of electronic messages addressed to several people, including
managers and managers of socio-health services, on "The importance of the
confidentiality in the treatment of personal data."
— Agenda of the “Reunión Directors Residencias GG-DI y CD”, of 11/24/2022,
according to which, among other matters, it was about “Documentos protección de
data."
12. On 14/08/2023, 16/08/2023 and 01/09/2023, they had access to the Catalan Authority
of Data Protection three new complaints against Eulen, on the grounds of a presumptive
non-compliance with the regulations on personal data protection. Specifically, the
complainants (henceforth complainants J, K and L) set out the facts in terms
analogous to what has been exposed in the 6th precedent and provided a copy of the same messages
electronics described in the preceding 4.
These complaints were assigned complaint numbers IP 413/2023, 414/2023 and
416/2023.
13. On 03/10/2023, the director of the Catalan Data Protection Authority
agree to start a disciplinary procedure against Eulen, Servicios Sociosanitarios, SA
for an alleged violation provided for in article 83.5.a, in relation to article 5.1.f, all
those of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27,
regarding the protection of natural persons with regard to the processing of personal data
and the free circulation of this data (RGPD). This initiation agreement was notified to
the imputed entity on 10/16/2023.
14. In the initiation agreement, the imputed entity was granted a period of 10 working days to
formulate allegations and propose the practice of tests that it considers convenient for
defend their interests.
7/1615. On 10/30/2023, Eulen filed objections to the initiation agreement, which are addressed in
section 2 of the fundamentals of law.
16. On 02/01/2024, the person instructing this procedure formulated a
resolution proposal, by which it was proposed that the director of the Catalan Authority of
Data Protection imposed on Eulen, Servicios Sociosanitarios, SA a fine
of 3,000 euros, as responsible for an infringement provided for in article 83.5.a in relation
with article 5.1.f, all of them of the RGPD.
This resolution proposal was notified on 08/01/2024 and a deadline was granted
of 10 days to formulate allegations.
17. On 01/16/2024, the accused entity submitted a letter in which it acknowledges its
responsibility for the alleged acts and states that he has made the voluntary payment
advance of the pecuniary sanction that the instructing person proposed.
Along with the letter, the accused entity provided a copy of the bank transfer
made on 15/01/2024, through which he paid in advance in the amount of
1,800 euros (one thousand eight hundred euros), corresponding to the monetary penalty proposed by the
instructing person in the resolution proposal, once the reductions have been applied
provided for in article 85 of Law 39/2015.
proven facts
Eulen, Servicios Sociosanitarios, SA sent six emails from several
corporate accounts to fifty electronic addresses, linked to relatives and guardians of
users of the Torremar Home-residence and Occupational Center, without making use of
the hidden copy tool. The e-mails mentioned were sent on the dates
23/10/2020, 23/09/2021, 05/11/2021, 17/06/2022, 08/01/2023 and 31/05/2023. With shipping
of these messages, the reported entity disseminated the following information to the recipients
of the other recipients: the email address and, in some cases, the first and last name and the
institution with which they have some connection, data easily deducible from the domain
corporate of certain recipient addresses.
Fundamentals of law
1. The provisions of the LPAC and article 15 of the Decree apply to this procedure
278/1993, according to the provisions of DT 2a of Law 32/2010, of October 1, of
the Catalan Data Protection Authority. In accordance with articles 5 and 8 of the Law
32/2010, the resolution of the sanctioning procedure corresponds to the Director of the Authority
Catalan Data Protection Authority.
2. In accordance with article 85.3 of the LPAC, both the recognition of responsibility and
the advanced voluntary payment of the proposed monetary penalty entails the application of
single reductions of 20% of the amount of the penalty, cumulative with each other. The effectiveness
of these reductions is conditional on the withdrawal or renunciation of any action
or administrative appeal against the sanction. For both cases, sections 1 and 2
of article 85 of the LPAC provide for the termination of the procedure.
8/16 Although it presented allegations in the initiation agreement, the accused entity has not
submitted allegations to the proposed resolution, since both options have been accepted for
reduce the amount of the penalty. However, it is considered appropriate to reiterate below the most
relevant to the reasoned response that the instructing person gave to the allegations
before the initiation agreement.
2.1. About the shipment being due to human error and about the lack of
responsibility of the entity
In its statement of objections to the initiation agreement, the accused entity set out, among
other things:
— That "It has been certified that Eulen Servicios Sociosanitarios S.A. sent six
emails, from various corporate accounts, addressed to relatives and guardians
of users of the Residencia Torremar, without making use of the functionality of
hidden copy (CCO).”
— That "From the analysis of the aforementioned incident, the Data Protection and Privacy Office
of the EULEN Group and the Data Protection representative concluded that there was
it was caused by a human error caused by the non-compliance of them
internal procedures. (…)”.
— That "Since Eulen Servicios Sociosanitarios has been aware of the facts
that are imputed to him, as a result of the requirement relating to the previous information phase that
the APDCAT made the entity on July 3, 2023, the workers of the
Residencia Torremar, applying due diligence, have not sent an email again
electronically without using the hidden copy."
— That "the concurrence of these concrete and punctual human errors must be put to rest."
in relation to the principle of culpability that governs in penal matters", en
connection with the provisions of article 28 of Law 40/2015, of October 1, on the regime
legal of the public sector, which states that "They can only be sanctioned for facts
physical and legal persons, (...) that constitute an administrative infraction
responsible for those by way of grief or guilt.”
As the instructor explained in the proposed resolution, it is necessary to start from the premise that
the entity recognized the commission of the alleged acts. In this sense, the allegations
formulated did not tend to distort the reality of the events that motivated the initiation of the
procedure nor the legal qualification established in the initiation agreement, but that
focused on rebutting the responsibility of the reported entity, with the argument that the six
Controversial emails were sent due to human error by staff at the
residence
The Court has recently ruled on the culpability of legal entities
National which, in its judgment of 16/10/2023, analyzes precisely this issue
in a case of violation of data protection regulations:
"The Constitutional Court has repeatedly declared that the principles of order
penal, among which there is the one of culpability, are applicable, con ciertos
nuances, to the sanctioning administrative law, to be both manifestations of the
9/16 punitive order of the State (STC 18/1987, 150/1991), and that does not fit in the
administrative sanctioning scope the objective responsibility or without fault, in which
virtue excludes the possibility of imposing sanctions for the mere result, sin
prove a minimum of culpability even for mere negligence (SSTC 76/1990 y
164/2005).
The principle of guilt, guaranteed by article 25 of the Constitution, limits the
exercise of the State's ius puniendi and demands, as referred to by the Constitutional Court in
the sentence 129/2003, of June 20, that the imposition of the sanction is sustained in
the requirement of the subjective element of guilt, to guarantee the principle of
responsibility and the right to a sanctioning procedure with all guarantees
(STS of March 1, 2012, Rec 1298/2009).
According to Law 40/2015, art 27, they only constitute administrative infractions
violations of the legal system provided as such infractions by law.
And the art. 28 of the same that can only be sanctioned by constitutive acts of
administrative infraction those responsible for them, even as simple
non-observance Obviously, this assumes that said responsibility can only be
demanded for tort or guilt, being banished from the scope of law
administrative sanctioning the so-called "objective responsibility", and understanding the
I blame imprudence, negligence.
However, the mode of attribution of responsibility to legal persons is not known
corresponds to the willful or imprudent forms of culpability that are imputable
to human behavior. So that, in the case of infractions committed by
legal persons, although the element of culpability must be met, this is
it necessarily applies in a different way to how it is done with respect to people
physical According to STC 246/1991 "(...) this construction differs from the imputability of
the authorship of the infringement to the legal person is born from the very nature of fiction
legal to which these subjects respond. They lack the volitional element in sense
strict, but not the ability to infringe the rules to which they are subject.
Ability to infringe and, therefore, direct reprehensibility that derives from the good
legal protected by the rule that is infringed and the need for said protection
be really effective and for the risk that, consequently, the person must assume
legal that is subject to compliance with said rule "(in this sense STS of 24
November 2011, Rec 258/2009).”
In the case analyzed here it is clear that the shipments of the controversial mails — the
which occurred, not just once in a timely and isolated manner, but on six occasions—
they were the result of a lack of diligence on the part of Eulen's staff. The same entity recognizes
this circumstance, when it states that "as a result of the requirement relative to the phase of
previous information that the APDCAT made to the entity on July 3, 2023, los
workers of the Residencia Torremar, applying due diligence, have not returned to
send an email without using the hidden copy”; and this lack of diligence
of its staff must be answered by the accused entity. To all of the above we must add that the
liability regime provided for in the data protection regulations, specifically a
Article 70 of Organic Law 3/2018, of December 5, on the protection of personal data
and guarantee of digital rights (LOPDGDD), falls, among other subjects, on the
responsible for the treatment.
10/16 2.2. With regard to the measures that the organization has taken to prevent them from being reproduced
facts
Regarding this, the imputed entity alleged the following in its statement of allegations a
the initiation agreement:
— That "(...) we want to highlight, in addition to the security measures that were already in place
mentioned in the information request phase, new measures of
seguridad que se están teniendo en cuenta or are going to be implemented as a result of the
incident To avoid human errors and guarantee the confidentiality of data
personal (...) it has been decided to bet on the implementation of a tool of
communication for those services in which the sending of is necessary
communications to different groups."
— That "The Data Protection Office, for its part, will continue with its campaigns
of awareness and training in the field of data protection, making it special
emphasis on the importance of guaranteeing the confidentiality of the data.”
— That "Equally, we are working with the TIC Area of the Eulen Group for the
implementation of new security measures, such as introducing warnings
in cases where a large number of non-corporate mails are included
include them in blind copy.”
With the previous allegations, the reported entity showed that it had
implemented certain security measures in order to avoid events like those that have
gave rise to this sanctioning procedure and that, moreover, he was working for
implement new measures for this purpose.
With regard to this allegation, it should be noted that no penalty is imposed in this procedure
the lack of implementation of security measures, but the fact that the
data confidentiality. This obligation is provided for in articles 5.1.f of the RGPD and
5 of the LOPDGDD and has a different content from the obligations described in articles 25 and 32
of the RGPD, linked to security measures. In other words, it is one thing
the obligation of the person responsible or in charge of the treatment to implement the measures
relevant technical and organizational measures to avoid loss, destruction or damage
accidental loss of the data, or its unauthorized or illegal treatment; and another the duty of
confidentiality incumbent on those in charge, those in charge and all the people who
provide service in their organizations, in relation to the subject data
treatment. Therefore, there may be a violation of the confidentiality of the data,
as is the case that concerns us here, regardless of whether the person in charge or in charge
of the treatment have implemented appropriate security measures.
This Authority positively values Eulen promoting new measures to prevent the
facts occur again, but these actions do not affect the declared facts proven in
this procedure, nor its legal qualification. It is an undisputed fact that
on the dates 23/10/2020, 23/09/2021, 05/11/2021, 17/06/2022, 08/01/2023 and 31/05/2023,
personnel in Eulen's service sent a total of six electronic messages to a plurality
of people, without using the hidden copy tool; in this way he spread the
data of the other recipients, as indicated in the proven facts.
2.3. About the type of data contained in the electronic messages
11/16 In relation to the content of electronic messages regarding personal data,
the accused entity set out the following in its statement of objections to the initiation agreement:
— That “(…) These are emails that contain generic information without
expose personal data, beyond email addresses
of the group of recipients to whom the messages were directed.”
— That "The data affected are listed as basic: only they have
I expose data related to the e-mails of those interested. Among them,
around 35% are corporate emails and sometimes several of them
they are linked to a single user. (…).”
— That "(...) the number-surname association to the email address is not part of it
Eulen Servicios Sociosanitarios, but they are the users of said mail
electronic quienes, voluntarily when creating and configuring their account, associate the
email to the user, including number, last name or any other
data."
— That "(...) the electronic mails did not contain personal data, beyond
email addresses."
In accordance with the above, Eulen alleged that with the sending of the electronic messages
without making use of the bcc option only the address data was disseminated
electronic address of the recipients, since the other data (name, surname, etc.) them
associated these people with their email account at the time of the
his creation
As evidenced by the instructor in the resolution proposal, it must be taken into account that,
regardless of who the people who created the electronic accounts in their
moment they had been linked to other personal data, this does not detract from the imputed fact,
since this data was disseminated to third party users through
sending electronic messages without using the blind copy option.
2.4. About the concurrent circumstances
In relation to sending the six electronic messages without using the copy option
hidden, the accused entity alleged:
— That "It should be noted that the number of emails that have
sent to families and representatives without the hidden copy functionality implies a
very small volume in relation to the total number of mails sent since the beginning
of the management of the Residence (seven years have passed since the award (...)
the number of emails sent without hidden copy is minimal in relation to the emails
sent since the start of the service, being clearly visible that it was an error
on time."
— That "There has been no intention in the sending of the electronic mails (...)."
— That "Eulen Servicios Sociosanitarios has not been previously sanctioned, by
no control authority for breaches of data protection.”
12/16 — That "The existence of no damage or prejudice to persons has been verified
affected (…).”
The entity related here a series of circumstances that could have an impact at the time
to graduate the amount of the penalty; but it cannot be questioned, as has already been said, that
sending mail without using the bcc option resulted in processing
of data, which violated the principle of confidentiality of the personal data of the
affected people The analysis on the imposition of a financial penalty, as well as the
attenuated and aggravating factors that concur in this case, is made in the basis of law 4.
3. In relation to the facts described in the proven facts section, relating to the sending of
electronic messages without using the hidden copy option, you must go to article 5.1.f of
the RGPD, which provides for the following:
"1. The personal data will be:
(...)
f) processed in such a way that adequate security is guaranteed to them
personal data, including the protection against unauthorized treatment or
unlawful and against its loss, destruction or accidental damage, through the
application of appropriate technical or organizational measures ("integrity and
confidentiality")".
This principle of integrity and confidentiality provided for by the RGPD must be supplemented with
the duty of confidentiality contained in article 5 of the LOPDGDD, which establishes
the next:
"Article 5. Duty of confidentiality
1. Those responsible and in charge of data processing as well as all the
people who intervene in any phase of this are subject to the
duty of confidentiality referred to in article 5.1.f) of the Regulation (EU)
2016/679.
2. The general obligation indicated in the previous section is complementary to those
duties of professional secrecy in accordance with the applicable regulations.
3. The obligations established in the previous sections still remain
that has ended the relationship of the obligee with the person responsible or in charge of
treatment".
During the processing of this procedure, the fact described in the facts section has been proven
proven, which is constitutive of the offense provided for in article 83.5.a of the RGPD, which typifies
as such the violation of the "principios básicos para el tratamiento (...)", among which
confidentiality comes first.
The conduct addressed here has been included as a very serious infraction in article 72.1.i of
the LOPDGDD), as follows:
"i) The violation of the duty of confidentiality established in article 5
of this Organic Law."
13/164. By not fitting Eulen, Servicios Sociosanitarios, SA in any of the subjects provided for
article 77.1 of the LOPDGDD, results from the application of the general sanctioning regime provided for in
article 83 of the RGPD.
Article 83.5 of the RGPD establishes that the infractions provided for therein are sanctioned with
an administrative fine of 20,000,000 euros at most, or if it is a
company, of an amount equivalent to a maximum of 4% of the total annual business volume
total of the previous financial year, and you must opt for the higher amount.
Having said that, the amount of the administrative fine to be imposed must be determined.
According to the provisions of article 83.2 of the RGPD, and also in accordance with the principle of
proportionality enshrined in article 29 of Law 40/2015, as indicated by the instructor
in the proposed resolution, a penalty of 3,000 euros (three thousand euros) should be imposed.
This quantification of the fine is based on the weighting between the aggravating criteria and
attenuators indicated below.
As mitigating criteria, the following causes concur, some of them invoked by
the accused entity:
— Lack of intentionality (art. 83.2.b RGPD).
— The degree of responsibility of the person in charge or of the person in charge of the treatment, having in
account of the technical or organizational measures that have been applied by virtue of what
articles 25 and 32 of the RGPD (art. 83.2.d RGPD) provide.
— The category of personal data affected by the infringement, given that
it is not special category data (art. 83.2 g RGPD).
— It is not recorded that profits have been obtained as a result of the commission of the
infringement (art. 83.2.k RGPD and art. 76.2.c LOPDGDD).
It must be said that some of the circumstances alleged by Eulen cannot be taken into account
consideration as mitigating factors. Like this:
— That no damage has been proven to the affected people. May they not be
accredited does not imply that they have not occurred or that they may not occur in the future. From
fact, the leakage of personal data does not cease to cause damage to the affected person,
to a greater or lesser extent. The possibility that some of the
recipients of the disputed mails use these addresses for others
purposes, possibility directly proportional to the number of recipients (approx
fifty), with the consequent inconvenience and damage that this could have for the
affected people Thus, this circumstance cannot be taken into account as a
mitigating, but not as aggravating either.
— That it is an isolated event, limited to the sending of six emails. Not this one either
circumstance can be taken into account as mitigating. As has been said, it cannot be considered
an isolated event when the shipment occurred on six different occasions and by people
different workers
14/16 — That the entity has not been previously sanctioned. Nor this circumstance
can be considered a mitigating factor, since it is an obligation of the entities subject to the
data protection regulations comply with their obligations.
On the contrary, as aggravating criteria, the following elements must be taken into account:
— The number of people affected (art. 83.2.a of the RGPD and 76.2.a of the LOPDGDD).
— The link between the activity of the offender and the practice of data processing
personal (art. 76.2.a LOPDGDD).
5. On the other hand, in accordance with article 85.3 of the LPAC and as stated in the agreement
of initiation, if before the resolution of the sanctioning procedure the imputed entity
acknowledges his responsibility or makes the voluntary payment of the pecuniary penalty, as appropriate
apply a 20% reduction on the amount of the provisionally quantified penalty. Yes
the two cases mentioned coincide, the reduction is applied cumulatively (40%).
As has been advanced, the effectiveness of the aforementioned reductions is conditional on
withdrawal or the renunciation of any action or appeal through the administrative route against the
sanction (art. 85.3 LPAC, in fine).
Well, as indicated in the antecedents, by means of a letter dated 01/16/2024 the entity
accused has acknowledged his responsibility. Likewise, on the same date he paid
in advance 1,800 euros (one thousand eight hundred euros), corresponding to the amount of the
penalty resulting once the cumulative reduction of 40% has been applied.
6. Given the findings of the violations provided for in article 83 of the RGPD in relation to
treatments of private ownership, article 21.3 of Law 32/2010, of October 1, of
the Catalan Data Protection Authority authorizes the Director of the Authority so that the
resolution that declares the infringement establishes the appropriate measures so that it ceases or ceases
correct the effects. However, in this case no measure should be required for
cease or correct the effects of the infringement, given that it is a matter of facts already accomplished and taken care of,
also, that the entity has implemented measures aimed at preventing events such as
that have led to the initiation of this sanctioning procedure occur again.
resolution
For all this, I resolve:
1. To impose on Eulen, Servicios Sociosanitarios, SA the sanction consisting of a fine of
3,000 euros (three thousand euros), as responsible for an infringement provided for in article 83.5.a
in relation to article 5.1.f, both of the RGPD.
It is not necessary to require measures to correct the effects of the infringement, in accordance with what
has been exposed to the legal basis 6.
2. Declare that Eulen, Servicios Sociosanitarios, SA has effected the advanced payment of
1,800 euros (one thousand eight hundred euros), which corresponds to the total amount of the penalty imposed,
15/16 once the percentage of deduction of 40% corresponding to the reductions has been applied
provided for in article 85 of the LPAC.
3. Notify this resolution to Eulen, Servicios Sociosanitarios, SA.
4. Order that this resolution be published on the Authority's website (apdcat.gencat.cat), from
in accordance with article 17 of Law 32/2010, of October 1.
Against this resolution, which puts an end to the administrative process in accordance with articles 26.2 of
Law 32/2010 and 14.3 of Decree 48/2003, of February 20, which approves the Statute of
the Catalan Data Protection Agency, with discretion the imputed entity can
file an appeal before the director of the Catalan Protection Authority
Data, within one month from the day after its notification, according to
with what is provided for in article 123 et seq. of Law 39/2015. It can also be interposed
directly an administrative contentious appeal before the administrative contentious courts
of Barcelona, within two months from the day after yours
notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of July 13, regulating
of the administrative contentious jurisdiction.
If the imputed entity expresses to the Authority its intention to file a contentious appeal
administrative against the administratively firm resolution, the resolution will be suspended
precautionary in the terms provided for in article 90.3 of the LPAC.
Likewise, the accused entity can file any other appeal it deems appropriate
to defend their interests.
The director
16/16
