AEPD (Spain) - EXP202209596
| AEPD - EXP202209596 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 63 GDPR; Articles 4.7 and 5.1(f) RGPD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 14.09.2022 |
| Decided: | |
| Published: | 15.11.2024 |
| Fine: | 2000 EUR |
| Parties: | BLU MANAGEMENT SPAIN, S.L.; A.A.A. |
| National Case Number/Name: | EXP202209596 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Rosa Ruiz |
The DPA fined Blu Management, S.L. €2000 for unlawfully disclosing a private individual's personal information to a third party leading to the individual receiving a communication from that third party through WhatsApp.
English Summary
Facts
The data subject filed a complaint with the Spanish Data Protection Agency (AEPD) against Blu Management Spain, S.L., a recruitment agency, alleging the unauthorized disclosure of her personal information. According to the complaint, the data subject had contacted the agency in May 2023 and participated in a phone interview. Subsequently, on July 27, 2021, she received several WhatsApp messages from a third party who claimed the interviewer at Blu Management had shared her name and phone number.
The data subject contacted the agency to inquire about the unauthorized disclosure and submitted both a data deletion request and a data access request. In response, the controller claimed to only possess the personal data included in her resume, such as identification details, academic history, and professional experience, and provided her with a copy. The controller also stated that it had deleted all personal data related to the data subject, including emails, messages, and other communications.
The data subject requested compensation, citing the controller's failure to adequately protect her personal information. The controller countered that the disclosure was made by an exchange student who had obtained the data during the interview conducted by one of the controller's employees, asserting that there had been no breach of its systems.
Holding
This incident was deemed a personal data breach under Article 5(1)(f) GDPR, as defined by Article 4(12) GDPR. Consequently, the Spanish DPA imposed a fine of €2,000, calculated based on Blu Management Spain's annual turnover. On February 29, 2024, the controller acknowledged responsibility and opted to take advantage of a 20% reduction by voluntarily paying the fine within the established timeframe and admitting responsibility, resulting in a reduced penalty of €120,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202209596

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On February 22, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BLU MANAGEMENT SPAIN, S.L. (hereinafter, the respondent party), by means of the Agreement transcribed below:

<< File No.: EXP202209596 IMI Reference: A56ID 437951- Case Register 550411

AGREEMENT TO START SANCTIONING PROCEEDINGS

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the French data protection authority. The claim is directed against BLU MANAGEMENT SPAIN, S.L. with NIF B66500661 (hereinafter, BLU MANAGEMENT). The reasons for the claim are as follows:

The complainant contacted BLU MANAGEMENT, which is a recruitment agency, to apply for a job around May 2021, and had a telephone interview with B.B.B. (hereinafter, the BLU MANAGEMENT consultant). Subsequently, on July 26, 2021, the complainant received a series of messages via WhatsApp (…), where the complainant had worked. The person who sent these WhatsApp messages indicated to the complainant that the person who had provided him with his contact details was the BLU MANAGEMENT consultant. The complainant indicates that he had not given permission to BLU MANAGEMENT to share his data with third parties.
For this reason, she contacted BLU MANAGEMENT on July 26, 27 and 30, 2021, having obtained a response from them, but she considers that what they have done is not enough to deal with these facts.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

Along with the claim, the following is provided:

- Printout of the email sent by the complainant to contact@blueselection.com dated July 26, 2021 in which the complainant sets out the facts and requests that the email be sent to the company's data protection officer (hereinafter, DPO), expressed in the following terms: “T(...) message is aimed at the DPO of your company. Dear Madam, Sir, Tonight, I have been approached by a close friend of one of your employees who gave away my personal phone number. Long story short, I was in touch with one of your employees from the recruitment team a couple of month ago. T(...) employee - I'll be happy to provide you (...) name - gave away my phone number to (...) friend so I can help (...) resolving (...) issues (...). Your employee's friend contacted me by whatsapp tonight and I was able to get clear confirmation that my interviewer from Bluselection was the one who gave my phone number away. Tchat transcript ready to be provided to you as proof. I would like to highlight the fact that t(...) is a serious matter. First of all, I find quite alarming that your employees use your company data to resolve their friends private matters. (...). Second, I certainly did not consent my data to be used for your employees private matters. Third, I know quite well the GDPR and the scenario where an employee of a company uses personal data for (...) own sake or (...) friends' sake is definitely not allowed. I want to be contacted urgently on t(...) matter that is unacceptable. You can contact me by phone (***PHONE.1) or by email in english or french. If I don't hear from your real DPO soon, I will quickly launch all procedures to sue your company.”

[Unofficial translation: “This message is addressed to your company's DPO. (…) This evening, I was approached by (…) to whom you gave my personal phone number. In short, I was in contact with one of your (…) from the recruitment team a couple of months ago. (…) — I will be happy to provide your name — gave my phone number to your ***PARENT.1 so that he can help you (…). The ***PARENT.1 of your ***POSITION.1 contacted me by whatsapp this evening and I was able to get a clear confirmation that my ***POSITION.2 of BluSelection was the one who gave him my phone number. I have a transcript of the chat ready to provide to you as proof. I would like to highlight the fact that this is a serious matter. Firstly, I find it quite alarming that your ***POSITION.1 uses your company's data to resolve private matters of your friends (…). Secondly, I certainly did not give permission for my data to be used by your ***POSITION.1 for private matters. Thirdly, I am quite familiar with the GDPR and the scenario where a ***POSITION.1 of a company uses personal data for his own benefit or for that of his friends is definitely not allowed. I want to be contacted urgently regarding this matter which is unacceptable. You can contact me by phone (***PHONE.1) or by email in English or French. If I do not hear from your DPO very soon, I will promptly initiate all procedures to sue your company.”]

- Printout of email sent by the complainant to ***EMAIL.1 dated July 27, 2021 in which the complainant confirms that he has been contacted by phone by a ***POST.1 of BLU MANAGEMENT and requests the exercise of his rights in the following terms: “Thank you for your call today. Following our conversation today, I was contacted yesterday evening by a friend of one of your former employees B.B.B.
had access to my data while (…) was an employee of yours and gave my personal phone number away to (...) friend (tchat transcript attached). I never consented for my data to be disclosed to third parties such as friends of your employees; hence, as I, the data subject, am victim of a breach of my data, I request: 1- Immediate erasure of the data you hold about me. I also want a copy of these data that you should provide me with within 30 days from today as per the GDPR. T(...) is a Data Access Request. 2- I understand B.B.B. is no longer one of your employees. However, it raises some concerns. I would like to know the actions you are gonna take to make sure t(...) kind of scenario never happens again to someone else. 3- As there is a violation of my rights (you have not been able to hold my data safely and avoid your former employee to send them away), I would like to be compensated. Failing to respond to my requests within 30 days from today will result in a complaint filed to the AEPD. They will then decide what compensation is fair for t(...) data breach.”

[Unofficial translation: “Thank you for your call today. Following our conversation today, I was contacted last night by a ***PARENT.1 (…) of his ex ***POST.1 B.B.B., who had access to my data while I was ***POST.1 his and gave my personal phone number to his ***PARENT.1 (chat transcript attached). I never consented to my data being disclosed to third parties, such as friends of his ***POST.1; therefore, as I, the data subject, am a victim of a data breach of my data, I request: 1- Immediately delete the data you have on me. I also want a copy of this data which you must provide to me within 30 days from today as per the GDPR. This is a data access request. 2- I understand that B.B.B. is no longer one of your ***POST.1. However, it raises some concerns. I would like to know the actions you are going to take to make sure this type of scenario never happens to anyone else again. 3- As there is a violation of my rights (you have failed to keep my data securely and prevent your ***POST.1 from sending it), I would like to receive compensation. Failure to respond to my requests within 30 days from today will result in a complaint filed with the AEPD. They will then decide what compensation is fair for this data breach.”]

It is noted that a text document is attached to this email which the complaining party indicates is the transcript of the whatsapp conversation that is mentioned within the body of the email.

- Printout of email sent by ***EMAIL.1 to the complainant, dated July 27, 2021, confirming receipt of the previous email in the following terms: “Hi A.A.A., Thank you for your time during our phone call and the information you gave me. By my email reply, I confirm the reception of your requests. As mentioned on our call, I will directly transfer t(...) topic to my address and our Legal advisor. We will come back to you as soon as possible. I wish you a pleasant day. Kind regards,”

[Unofficial translation: “Hello A.A.A., Thank you for your time during our phone call and the information you gave me. With my email reply, I confirm the reception of your requests. As mentioned on our call, I will directly transfer this topic to my address and our legal advisor. We will reply as soon as possible. I wish you a pleasant day. Kind regards,”]

- Printout of email sent by ***EMAIL.2 to the complaining party, dated July 30, 2021 in which the following information is offered: “First of all, please accept our apologies for the unwanted events, of which we found out through your email and the telephone conversation held on July 26th with our Recruitment Manager, C.C.C.. We would like to inform you that B.B.B. you have not been a member of t(...) organization since last June 30. That on the date he left our Company, all access permissions to the candidates database were withdrawn and (...)
email account you have been blocked. Additionally, we have contacted B.B.B. with whom we have signed a confidentiality and non-concurrence agreement and he has certified the destruction of (...) contact information (name and mobile phone number). Likewise, we inform you that, to avoid t(...) situation to occur again, all Blu Selection employees who terminate their contracts or are dismissed will sign a Confidentiality and Non-Attendance Agreement, so as to guarantee that they do not have in their possession personal data of which our company is a Data Controller. In addition, we are going to initiate a Data Protection Impact Assessment and the activity of employees regarding access to personal data will be monitored. In relation to your request to exercise your right of access to the personal data held by Blu Selection, according to arts. 15 and 13 respectively of the GDPR and the Spanish Data Protection Act, we indicate that we only have the personal data included in your resume (identification data, academic data and data on professional experience) that you sent us on May 1, 2021 in order to participate in the selection processes managed by t(...) company. We attach a copy of it. Finally, we inform you that we have proceeded, as you have requested, to cancel and erase all your personal data for which Blu Selection is Controller in accordance with the GDPR and the Spanish Data Protection Act, including all emails and other messages and communication received. Serve t(...) communication as a means of proof of the cancellation of your personal data.”

[Unofficial translation: “First of all, please accept our apologies for these unwanted events, which we learned about through your email and the telephone conversation held on July 26th with our Recruitment Manager, C.C.C.. We would like to inform you that B.B.B. is not a member of this organization since last June 30th. That on the date you left our Company, all access permissions to the candidate database were withdrawn and your email account has been blocked. In addition, we have contacted B.B.B. with whom we have signed a confidentiality and non-competition agreement and have certified the destruction of your contact information (name and mobile phone number). We also inform you that, in order to prevent this situation from happening again, all ***POSITION.1s at Blu Selection who terminate their contracts or are dismissed will sign a Confidentiality and Non-Attendance Agreement, in order to ensure that they do not have in their possession personal data for which our company is Data Controller. In addition, we will initiate a Data Protection Impact Assessment and the activity of the ***POSITION.1s will be monitored with respect to access to personal data. In relation to your request to exercise your right of access to personal data held by Blu Selection, according to articles 15 and 13 respectively of the GDPR and the Spanish Data Protection Law, we indicate that we only have the personal data included in your resume (identification data, academic data and data on professional experience) that you sent us on May 1, 2021 in order to participate in the selection processes managed by this company. We attach a copy of it. Finally, we inform you that we have proceeded, as you have requested, to cancel and delete all your personal data for which Blu Selection is the Data Controller in accordance with the GDPR and the Spanish Data Protection Law, including all emails and other messages and communications received. This communication serves as proof of the cancellation of your personal data.”]

It is noted that a PDF document called “***URL.1” is attached to this email.
- Printout of email sent by the complaining party to ***EMAIL.2 dated July 30, 2021, in response to the previous email, with the following content: “Dear Data Protection Officer, Thank you for your email. I appreciate you fulfilled most of my requests within a short period of time. The content of your email is an admission of liability on your part (especially paragraph 3). In fact, your employee at that time (up until June 30th 2021) was able to circumvent your systems to extract my data without your knowledge and at my prejudice. Even though you should have performed the DPIA way before such critical situation happened to prevent it from occurring, I appreciate you are now willing to assess your company. Nevertheless, as the employer of B.B.B. you failed to store my data safely. As a victim of a prejudice I ask for a reasonable compensation for your failure. If I do not hear from you before August, 27th 2021 or if your final answer stands where it is at t(...) point, I will have to contact the AEPD to make them aware of t(...) situation and ask for their guidance to find an amicable solution. I look forward to hearing from you.”

[Unofficial translation: “Dear Data Protection Officer: Thank you for your email. I appreciate that you have complied with most of my requests in a short period of time. The content of your email is an admission of liability on your part (especially paragraph 3). Indeed, your ***POST.1 at that time (until June 30, 2021) was able to bypass your systems to extract my data without my knowledge and to my detriment. Even though I should have performed the DPIA long before such a critical situation occurred to prevent it from occurring, I appreciate that you are now willing to evaluate your company. However, since ***POST.1 of B.B.B. did not store my data securely, I am asking you, as a victim of harm, for reasonable compensation for your failure. If I do not hear from you by August 27, 2021 or if your final response remains at this point, I will have to contact the AEPD to inform them of this situation and ask for their guidance to find an amicable solution. I look forward to hearing from you.”]

- Transcript of a WhatsApp conversation dated July 26, 2021 in which, among other information, the following is stated: “07/26/2021, 8:39 PM - ***PHONE.2: Hello! I hope you are doing well. My name is D.D.D. and I got your phone number from a friend who did an interview with you. Since he knew that I had problems with my ***ACCOUNT.1 he kindly gave me your number. The problem with my business and my private account is, that I got permanently banned from ***ACCOUNTA.1. I do not know why t(...) happened since I used my accounts in a normal way. When I ask for help or contact the support they will not give me an answer or solutions for t(...) problem, so I wanted to ask you If you know a way to solve t(...) misunderstanding. Item it would mean a lot if you could take the time to answer. Thank you in advance. 07/26/2021, 20:39 - ***PHONE.2: Kind Regards 07/26/2021, 20:39 - ***PHONE.2: D.D.D. 07/26/2021, 20:42 - A.A.A.: Hi. What is the name of your friend who supposedly did an interview with me? 07/26/2021, 20:46 - ***PHONE.2: I will ask for permission to give out (...) name and come back to you in a second. 26/07/2021, 20:46 - A.A.A.: If you dont tell me how you got t(...) number I wont be able to assist 26/07/2021, 20:47 - ***PHONE.2: I fully understand that, I just want to make sure my friend is ok with t(...) 26/07/2021, 20:48 - A.A.A.: Well, if your friend gave you my private number it means he is also my friend. That shouldnt be an issue to provide (...) name 26/07/2021, 20:49 - ***PHONE.2: He got your number from a interview with (...). You contacted the company he worked in, so you do not know (...)
personally 26/07/2021, 20:50 - A.A.A.: What company? 26/07/2021, 20:51 - ***PHONE.2: As soon as my friend will give me the Ok I will be transparent with all the information you need 26/07/2021, 20:53 - A.A.A.: Look mate. You are coming out of the blue requesting my help but you dont want to tell me where you got my private number from. If I dont have at least the name of the company and ideally the name of the person who gave it to you within 5min, you are gonna have to deal with ***ACCOUNT.1 directly I am afraid 26/07/2021, 20:55 - ***PHONE.2: ok I just called (...), the company is called blue selection 26/07/2021, 20:56 - A.A.A.: In spain 26/07/2021, 20:56 - A.A.A.: ? 26/07/2021, 20:56 - ***PHONE.2: yes” … “26/07/2021, 21:10 - A.A.A.: Is it B.B.B. who gave you my number? 26/07/2021, 21:11 - ***PHONE.2: I agreed with (...) that I do not give the name away, I also do not know your name or anything 26/07/2021, 21:11 - A.A.A.: So t(...) is (...)? 26/07/2021, 21:12 - ***PHONE.2: Why is t(...) necessary? 26/07/2021, 21:12 - A.A.A.: Because I dont know you 26/07/2021, 21:13 - A.A.A.: I need some reassurance here 26/07/2021, 21:13 - ***PHONE.2: I fully understand, but you know that my request is legit since I know the name of the company 26/07/2021, 21:14 - A.A.A.: I had contact only with (...), so t(...) is (...) 26/07/2021, 21:15 - ***PHONE.2: I will not give away the name of the person, I know that I can not give you any value for helping me 26/07/2021, 21:15 - ***PHONE.2: I could pay you if it is possible to solve t(...) problem 26/07/2021, 21:17 - A.A.A.: Look mate you are going too far. T(...) has to stop. I am no longer an employee of ***ACCOUNT.1 and surely did not consent for my personal number to be given away. Please contact ***ACCOUNT.1 26/07/2021, 21:17 - ***PHONE.2: Ok, I am sorry for disturbing you. I will delete your number right away.
26/07/2021, 21:19 - You blocked t(...) contact. Tap to unblock.”

[Unofficial translation: “26.7.2021, 20:39 - ***PHONE.2: Hello! I hope you are well. My name is D.D.D. and I got your phone number from a ***RELATIONSHIP.1 who did an interview with you. Since he knew that I had problems with my ***ACCOUNT.1 account, he kindly gave me your number. The problem with my business and my private account is that ***ACCOUNT.1 permanently banned me from using it. I do not know why this happened because I used my accounts in a normal way. When I ask for help or contact support they do not give me an answer or solutions for this problem, so I wanted to ask you if you know a way to resolve this misunderstanding. It would mean a lot if you could take the time to reply. Thank you in advance. 26.7.2021, 20:39 - ***PHONE.2: Kind regards 26.7.2021, 20:39 - ***PHONE.2: D.D.D. 26.7.2021, 20:42 - A.A.A.: Hello. What is the name of your ***RELATIONSHIP.1 who supposedly did an interview with me? 26.7.2021, 20:46 - ***PHONE.2: I will ask for permission to give his name and get back to you in a second. 26.7.2021, 20:46 - A.A.A.: If you do not tell me how you got this number, I will not be able to help you. 26.7.2021, 20:47 - ***PHONE.2: I completely understand. I just want to make sure my ***RELATIONSHIP.1 is okay with this. 26.7.2021, 20:48 - A.A.A.: Well, if your ***RELATIONSHIP.1 gave you my private number it means he is also my ***RELATIONSHIP.1. It should not be a problem to provide his name 26.7.2021, 20:49 - ***PHONE.2: He got your number from an interview with him. You contacted the company he worked at, so you do not know him personally. 26.7.2021, 20:50 - A.A.A.: What company? 26.7.2021, 20:51 - ***PHONE.2: As soon as my ***RELATIONSHIP.1 gives me the OK I will be transparent with all the information you need 26.7.2021, 20:53 - A.A.A.: Look, ***RELATIONSHIP.1. You come out of nowhere asking for my help but you do not want to tell me where you got my private number from. If I do not have at least the name of the company and ideally the name of the person who gave it to you within 5 minutes, you are going to have to deal with ***ACCOUNT.1 directly. 26.7.2021, 20:55 - ***PHONE.2: OK, I just called him, the company is called blu selection. 26.7.2021, 20:56 - A.A.A.: In Spain 26.7.2021, 20:56 - A.A.A.: 26.7.2021, 20:56 - ***PHONE.2: yes” ... “26.7.2021, 21:10 - A.A.A.: Is it B.B.B. who gave you my number? 26.7.2021, 21:11 - ***PHONE.2: I agreed with him not to give his name, and I do not know your name or anything either. 26.7.2021, 21:11 - A.A.A.: So it is him? 26.7.2021, 21:12 - ***PHONE.2: Why is that necessary? 26.7.2021, 21:12 - A.A.A.: Because I do not know you 26.7.2021, 21:13 - A.A.A.: I need some reassurance here 26.7.2021, 21:13 - ***PHONE.2: I understand perfectly, but you know that my request is legitimate since I know the name of the company 26.7.2021, 21:14 - A.A.A.: I only had contact with him, so it is him. 26.7.2021, 21:15 - ***PHONE.2: I will not give the name of the person, I know that I cannot give you anything of value for helping me 26.7.2021, 21:15 - ***PHONE.2: I could pay you if it is possible to solve this problem. 26.7.2021, 21:17 - A.A.A.: Look, friend, you are going too far. This has to stop. I am no longer an employee of ***ACCOUNT.1 and I am sure that I did not consent to my personal number being given to others. Please contact ***ACCOUNT.1 26.7.2021, 21:17 - ***PHONE.2: OK, sorry to bother you. I will delete your number right away. 26/07/2021, 21:19 - You blocked this contact. Tap to unblock.”]

SECOND: Through the “Internal Market Information System” (hereinafter, IMI System), regulated by Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 (IMI Regulation), whose purpose is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned claim was transmitted on September 14, 2022 and was given an entry registration date at the Spanish Data Protection Agency (AEPD) of September 15, 2022.

The transfer of this claim to the AEPD was carried out in accordance with Article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR), taking into account its cross-border nature and the fact that this Agency is competent to act as lead supervisory authority, since BLU MANAGEMENT has its single establishment in Spain.

According to the information entered in the IMI System, in accordance with Article 60 of the GDPR, the French data protection authority acts as a supervisory authority concerned, pursuant to Article 4(22)(c) of the GDPR, as it is the supervisory authority with which the claim was lodged; no other supervisory authorities declared themselves concerned in these proceedings.

THIRD: On February 10, 2023, in accordance with Article 64, then in force, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim filed by the complaining party was admitted for processing.

FOURTH: The Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with Title VII, Chapter I, Section Two, of the LOPDGDD, and learned of the following:

On June 30, 2023, a letter was submitted to the AEPD on behalf of and representing BLU MANAGEMENT in response to a request for information, in which the following information was provided, among others:

- Copy of the email sent by ***EMAIL.2 to the complaining party, dated July 30, 2021, which had already been provided by the CNIL together with the claim. Along with it, a certificate is provided stating that this email was sent on July 30, 2021.

On September 4, 2023, a letter was submitted to the AEPD on behalf of and representing BLU MANAGEMENT in response to a request for information, in which the following information was provided, among others:

- It is indicated that a Data Protection Impact Assessment (hereinafter, EIPD) was carried out after receiving the request from the complainant. A copy of the EIPD for the data processing that "consists of conducting interviews with candidates for positions offered by third-party clients of Blu Management Spain, S.L." is provided. From this EIPD, the conclusion is drawn that it is not necessary to carry out a prior consultation with the competent authority.

- Copy of the analysis of the risks related to this processing activity and the applicable security measures, including whether or not they are already implemented and the date of implementation of the measure.
- Regarding the causes of this incident, the following is indicated: “During the interview with the complainant, Mr. B.B.B. was present in his capacity as an intern together with the Recruitment Consultant and, we understand that during the interview he was able to see the mobile phone number of (…) and provide this information to a friend, who was the one who contacted the complainant on July 26, 2021, date on which B.B.B. no longer belonged to Blu as an Erasmus+ intern, since he voluntarily withdrew from his internship on June 16, 2021, as evidenced by the email sent by the Recruitment Manager, C.C.C. to E.E.E. responsible for Erasmus+ of ***UNIVERSITY.1. Upon learning of the claimant's email, we made the appropriate inquiries, contacting B.B.B. to find out first-hand what had happened, who confirmed to us that during the interview in which he was present, he noted down the claimant's mobile phone number to provide it to "(...)". For all the above, this party understands that it is not appropriate to provide any contract on the maintenance of the Information Systems, since they have not been involved."

- Regarding the measures adopted to avoid security incidents such as the one that occurred, the following is indicated: “it was internally agreed that in all selection processes attended by students on internships, they would be prevented from accessing them with tablets or mobile phones and, always accompanied by a Selection Consultant who would be the one to have access to the candidates' data, once they have given their consent for the selection processes. Additionally, all Blu ***POSITION.1s sign an NDA regarding all data that they handle in the exercise of their functions. Finally, the employment contracts were modified to include a clause relating to the “Use of information and technology equipment and devices.”

- Regarding the lack of notification of this security incident to the AEPD, the following is indicated: “In accordance with the reasons for exception in article 34 of the GDPR, where a series of cases are stated in which this communication will not be mandatory, this company chose not to proceed with the notification of the security breach, since, after the breach, Blu Selection took technical and organizational measures to ensure that there is no possibility of the high risk materializing and, above all, taking into account that it has only occurred on one subject and all actions were directed to prevent the events that occurred from being repeated.”

FIFTH: Volume of business or activity: According to the query made on September 8, 2023 in the Axesor Monitoriza service (https://monitoriza.axesor.es/), BLU MANAGEMENT SPAIN SL is a "Self-employed" type company with a sales volume, in the fiscal year 2020, of ***AMOUNT.1 euros.

SIXTH: On January 8, 2024, the Director of the AEPD adopted a draft agreement to initiate sanctioning proceedings. Following the process established in article 60 of the GDPR, on January 18, 2024, the aforementioned draft was transmitted through the IMI system and the interested authorities were informed that they had four weeks from that moment to formulate pertinent and reasoned objections. The processing period for the proceedings was automatically suspended for these four weeks, in accordance with the provisions of Article 64 of the LOPDGDD. Within the period for this purpose, the interested supervisory authorities did not submit relevant and reasoned objections in this regard, so it is considered that all the authorities agree with said draft and are bound by it, in accordance with the provisions of Article 60 of the GDPR.
FUNDAMENTALS OF LAW
I
Competence
In accordance with the powers granted to each supervisory authority by articles 58.2 and 60 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Preliminary questions
In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, it is established that personal data are processed, since BLU MANAGEMENT collects and stores, among others, the following personal data of natural persons: name and telephone number. BLU MANAGEMENT carries out this activity in its capacity as data controller, since it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR. Furthermore, this is cross-border processing, since BLU MANAGEMENT is established in Spain, although it provides services to other countries in the European Union.
Article 4, paragraph 12 of the GDPR broadly defines “personal data security breaches” (hereinafter, security breach) as “any security breach leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure or access to such data.” In the present case, there is a breach of security of personal data in the circumstances indicated above, categorized as a breach of confidentiality, insofar as a friend of BLU MANAGEMENT would have used his position to take the complainant's phone number and communicate it to a third party, who contacted the complainant via WhatsApp. Within the principles of processing provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR.
III
Principle of integrity and confidentiality
Article 5.1.f) “Principles relating to processing” of the GDPR establishes:
“1. Personal data shall be: (…) f) processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures ("integrity and confidentiality").”
In the present case, it is clear that the personal data of the affected parties, contained in the BLU MANAGEMENT database, were unduly disclosed to a third party, insofar as the complainant has stated that he received a communication via WhatsApp from a third party, in which he was informed that his data (name and telephone number) had been obtained by a person working at BLU MANAGEMENT. Furthermore, BLU MANAGEMENT has stated that, when contacting the person who allegedly shared the telephone number, he confirmed that he had accessed the complainant's telephone number and communicated it to the third party.
For its part, BLU MANAGEMENT has informed the complainant that the person who leaked the data has certified the destruction of their contact information. Therefore, in accordance with the evidence available at this time in order to initiate sanctioning proceedings, and without prejudice to what may result from the investigation, it is considered that the known facts could constitute an infringement, attributable to BLU MANAGEMENT, for violation of article 5.1.f) of the RGPD.
IV
Classification of the infringement of Article 5.1.f) of the GDPR
If confirmed, the aforementioned infringement of Article 5.1.f) of the GDPR could entail the commission of the infringements classified in Article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides: "Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, not more than 4 % of the total annual turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; (…)”
For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: “1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(…)”
V
Proposal for a sanction for the infringement of article 5.1.f) of the GDPR
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered that the balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the GDPR, allows for an initial fine of €2,000 (two thousand euros).
VI
Imposition of measures
If the infringement is confirmed, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”, in the resolution adopted, BLU MANAGEMENT may be required to notify this Agency within SIX MONTHS that it has adopted the appropriate measures to adapt its actions to the regulations mentioned in this act, without prejudice to other measures that may arise from the instruction of the procedure. The imposition of these measures is compatible with the sanction consisting of an administrative fine, as provided for in article 83.2 of the GDPR.
It is noted that failure to comply with the possible order to adopt measures imposed by this body in the resolution that ends this procedure may be considered an administrative infringement in accordance with the provisions of the RGPD, classified as an infringement in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED:
FIRST: TO INITIATE SANCTIONING PROCEDURE against BLU MANAGEMENT SPAIN, S.L., with NIF B66500661, for the alleged infringement of article 5.1.f) of the RGPD, classified in article 83.5 of the RGPD.
SECOND: TO APPOINT R.R.R. as instructor and, as secretary, S.S.S., indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: INCORPORATE into the file, for evidentiary purposes, the documentation from the IMI that has given rise to the prior investigation actions, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this procedure and the documentation from the IMI on the draft decision.
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the penalty that may apply would be 2,000 euros, without prejudice to the outcome of the investigation.
FIFTH: NOTIFY this agreement to BLU MANAGEMENT SPAIN, S.L., with NIF B66500661, granting it a hearing period of ten working days to formulate the allegations and present the evidence it considers appropriate. In its written allegations, it must provide its NIF and the file number that appears in the heading of this document. If you do not make any objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of objections to this initiation agreement, which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at 1,600 euros, and the procedure will be resolved with the imposition of this sanction.
Likewise, the applicant may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed fine, which will involve a 20% reduction in its amount. With the application of this reduction, the fine would be set at 1,600 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the fine can be added to the one that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be established at 1,200 euros.
In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction.
If you choose to proceed with the voluntary payment of any of the amounts indicated above (1,600 or 1,200 euros), you must make the payment into the account number IBAN: ES00-0000-0000-0000-0000-0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are adhering. Likewise, proof of payment must be sent to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.
The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
935-30102023
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On February 29, 2024, the respondent party paid the penalty in the amount of 1,200 euros, applying the two reductions provided for in the Initiation Agreement transcribed above, which implies the recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal in administrative proceedings against the penalty and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement and their legal qualification.
FOURTH: In the initiation agreement transcribed above it was indicated that, if the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the cited article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...". Having acknowledged the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate.
LEGAL BASIS
I
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."
II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following:
"1.
Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement. 3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202209596, in accordance with the provisions of article 85 of the LPACAP.
SECOND: ORDER BLU MANAGEMENT SPAIN, S.L. to notify the Agency within 6 months from the date this resolution becomes final and enforceable of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution.
THIRD: NOTIFY this resolution to BLU MANAGEMENT SPAIN, S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Disputes Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Disputes Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
1259-151024
Mar España Martí
Director of the Spanish Data Protection Agency