Banner2.png

AEPD (Spain) - EXP202412881

From GDPRhub
Revision as of 08:56, 12 March 2025 by Cwa (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202412881
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 03.02.2025
Decided: 03.03.2025
Published: 03.03.2025
Fine: 1,000,000 EUR
Parties: IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274
National Case Number/Name: EXP202412881
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: cwa

An insurance company was fined €1,000,000 by a DPA after a coding error caused the personal data, including special category data, of 3,395 individuals to be erroneously sent via email to 354 recipient companies.

English Summary

Facts

The controller, Ibermurta, is an insurance company and partner of the Spanish Social Security System. They digitize and facilitate the management of queries and complaints related to the eligibility of workers in companies using the platform for economic benefits when they fall ill.

In July 2024, a weekly email sent by the controller contained a coding error and as a result additional attachments were inadvertently included in emails being sent to partner companies. The personal data of 3,395 data subjects (including special category data), all employees of partner companies, was sent to a total of 354 recipient partner companies. The personal data was comprised of: name and surname, tax identification number, social security number, age, sick leave status, date of employment, date of leaving, number of sick days taken, employee’s company, reason for sick leave, expected number of days sick leave to be taken, total cost of the process, National Occupational Code of the employee, the employee’s eligibility for the financial benefit, whether the illness was due to a work accident, whether the illness was due to a traffic accident, and the sex of each employee.

Eight complaints were filed with the Spanish DPA (AEPD) by data subjects between August and September 2024.

Holding

The DPA found that the controller had infringed Article 5(1)(f) GDPR. This principle requires that personal data is processed in a manner which ensures its security.

In doing so, the DPA highlighted the large number of email that were sent by the controller (~250,000 per month) and was critical of the lack of corresponding security measures. The DPA noted that both the volume of emails being sent and the sensitivity of the personal data in question warranted control mechanisms to prevent or detect errors in the configuration of the sending procedure for emails.

The DPA considered the infringement to be of a serious nature, considering both the large number of data subjects involved in the breach, as well as the inclusion in the breach of special category data. Accordingly, a fine of €1,000,000 was imposed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.