AEPD (Spain) - EXP202100318
From GDPRhub
| AEPD - EXP202100318 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 16.03.2024 |
| Published: | |
| Fine: | 145,000 EUR |
| Parties: | AFIANZA ASESORES, S.L. |
| National Case Number/Name: | EXP202100318 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a controller €145,000 after a USB stick, which was not encrypted and contained personal data relating to a criminal proceeding, was stolen. It found a breach of the confidentiality principle even though there was no evidence the data was accessed.
English Summary
Facts
AFIANZA ASESORES, S.L. is a consultancy company engaged in, among other work, the provision of legal advice. A USB stick with a large amount of personal data, including data pertaining to a criminal proceeding, was stolen. The USB was not encrypted.
The controller conducted an internal investigation. It informed the Spanish DPA (AEPD) of the incident 13 days after its occurrence. On 2 July 2021, the AEPD ordered the controller to communicate the breach to data subjects.
On 24 June 2022, the AEPD initiated sanctioning proceedings against the controller and proposed a sanction of €160,000. The AEPD considered that the controller had suffered a breach resulting in the unauthorized disclosure of personal data. The AEPD noted that it considered the controller’s storage of personal data on a removable device without encryption negligent, resulting in an aggravating factor for the fine.
The controller argued that there was no evidence that a third party had ever accessed the information contained in the USB. Instead, the infringing ‘disclosure’ or ‘breach’ was entirely hypothetical. Thus, the controller argued, it could not be proved that any third party ever improperly accessed the information contained in the USB and no breach of confidentiality could be demonstrated.
The controller also argued that it protected its data diligently and had adequate security measures in place. For instance, all personnel with access to personal data were instructed of their obligations and responsibilities. It also conducted IT audits to verify appropriate measures and security standards in place. The controller emphasised that Article 32 GDPR does not regulate a closed list of security measures – instead, it requires the controller to apply appropriate measures. It thus challenged the focus of the sanctioning proceedings on the absence of encryption on the USB because it was not an obligatory security measure and this did not take account of the controller’s other security measures. Penalising this, the controller argued, was contrary to the principle of culpability.
The controller also defended its delay in notifying the AEPD of the breach, stating that in the 13 days it conducted an internal investigation. It argued that the 72 hour period articulated in Article 33 GDPR is not imperative.
Holding
The AEPD found that the controller infringed Articles 5(1)(f) and 32 GDPR and imposed a fine of €145,000.
Article 5(1)(f) GDPR: The AEPD recognised that the controller had technical and organisational measures in place. It also recognised that the incident occurred as a result of a criminal act – not due to the lack of security measures on the part of the controller. The fact that a third party had overtaken the controller’s security measures does not imply a per se infringement of the controller’s obligations. Controllers, it considered, are bound to obligations concerning measures, not obligations of results.
The AEPD considered that the loss of the USB containing unencrypted personal data was itself a breach of confidentiality. The fact that the USB was unencrypted and had no way to restrict unauthorized access supposes the violation of the principle of confidentiality under Article 5(1)(f) GDPR.
Article 32 GDPR: The controller argued extensively that it had numerous technical and organisational measures in place for data protection. However, the AEPD noted that with regard to the USB specifically, there was no type of protection measure or impediment to access for unauthorised third parties (such as encryption). In addition, the AEPD noted that it appeared that several security measures were in fact not being observed, permitting the theft of the USB and the breach. Article 32 GDPR is just as breached, the controller noted, when there are no measures adopted as when measures are not properly observed.
While the AEPD recognised that the controller had technical and organisational measures in place, it considered it a different issue that on a particular day and due to particular circumstances, some of the security measures were not properly applied. As a company dedicated to providing legal advice, the AEPD noted that the controller handles considerable personal data including those relating to criminal offences and penalties. For these reasons, the controller must take greater care to comply with security obligations.
Article 33 GDPR: The AEPD did not find an infringement of Article 33 GDPR because, although the controller exceeded the imperative 72 deadline for reporting the breach to the AEPD, the AEPD did not cite this as an infringement in its resolution to initiate sanctioning proceedings and the limitation period of one year had been exceeded in accordance with national law (Law 3/2018).
Comment
The AEPD does not specify why the fine was ultimately lowered from the €160,000 recommended fine to the final €145,000 amount.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/44
File No.: EXP202100318
SANCTIONING PROCEDURE RESOLUTION
From the procedure instructed by the Spanish Data Protection Agency and based
on the following
BACKGROUND
FIRST: On July 2, 2021, the General Subdirectorate of Data Inspection
(SGID) received for assessment a notification letter of a personal data security breach sent by AFIANZA ASESORES, S.L with NIF
B83117804 (hereinafter, AFIANZA), received on June 30, 2021 in which it
informs the Spanish Data Protection Agency of the following:
(…)
SECOND: In accordance with the provisions of articles 34.4 of the GDPR and in view of the fact that the
breach affects the confidentiality of personal data (…), which may pose a
high risk to the rights and freedoms of the affected persons, on July 2, 2021, the Director ordered AFIANZA to carry out the communication
of the aforementioned personal data breach to the interested parties, without undue delay,
so that, once they are aware of this, they can adopt the measures they
deem appropriate to avoid those risks that could affect them,
in accordance with the provisions of article 34 of the GDPR.
Likewise, confirmation of compliance with the communication order to
those affected is required within a maximum period of 30 days.
THIRD: On July 2, 2021, the Director ordered the Subdirectorate General of Data Inspection to assess the need to carry out the appropriate
prior investigations in order to determine a possible violation of the data protection
regulations.
FOURTH: By means of a document submitted on July 8, 2021, AFIANZA indicates that it has
proceeded to request the ***COURT.1, to provide information on the security breach suffered by all persons whose personal data appear
(…).
FIFTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/44
Date of notification of the personal data security breach (hereinafter breach): June 30, 2021, by AFIANZA ASESORES, S.L., data controller.
Date of breach detection: 06/17/2021
Breach start date: 06/17/2021.
Date of breach resolution: 06/17/2021.
Breach detection mode: Employees of the responsible entity.
Confidentiality breach
Notification summary:
(…)
During these proceedings, the following entities have been investigated:
AFIANZA ASESORES, S.L, with NIF B83117804 and address at c/ Alfonso XII, 20, 1st
Floor - 28014 MADRID
The responsible entity states that, due to an error in reporting the
incident, the company name has been reported as AFIANZA AUDITORES,
S.L., when, in reality, the name of the company is AFIANZA ASESORES, S.L. This is
a mere typographical error, which affects only the name, with the NIF and
the address that have been communicated in the AFIANZAASESORES, S.L. incident being correct.
Regarding the communication to those affected:
On July 2, 2021, the Director of the Spanish Data Protection Agency
signed a resolution ordering the communication of the breach to the interested parties
without undue delay.
(…)
1.- Information and documentation have been requested from the notifying entity, and the following can be seen from the response received:
(…)
SIXTH: On June 24, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the GDPR and Article
32 of the GDPR, classified respectively in Article 83.5 of the GDPR and Article 83.4
of the GDPR. SEVENTH: Notified of the aforementioned initiation agreement in accordance with the rules established
in Law 39/2015, of October 1, on the Common Administrative Procedure of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/44
Public Administrations (hereinafter, LPACAP), on July 14, 2022
AFIANZA submitted, in a timely manner, a written statement of allegations in which, in summary,
it states the following:
I. SECURITY BREACH
Afianza points out that article 4.12) of the General Data Protection Regulation
(hereinafter, “RGPD”) defines the “violation of the security of personal data”,
as any violation of security that causes the accidental or unlawful destruction, loss or alteration
of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data.
It also indicates that the Guide for the notification of personal data breaches of the
AEPD establishes three types of breaches, indicating that it affects
confidentiality, when it produces an unauthorized or accidental disclosure of
personal data, or its access.
It then indicates that this Control Authority, in its Agreement to initiate
sanctioning proceedings, states that AFIANZA has suffered a breach of
confidentiality, that is, under the criteria of the AEPD, there has been an unauthorized or accidental
disclosure of personal data, or its access.
AFIANZA points out that, if the proven and stated facts are taken into account, the only
certainty is that there has been a theft of a backpack, in which, in addition to
personal documentation, there was a USB with information under the control of AFIANZA
as the data controller. Although, one year later, there is no evidence
that any third party has accessed the information contained in that USB,
so the “access” or “accidental disclosure” remains mere assumptions.
AFIANZA informed the AEPD of the criminal act acting diligently and in support of its proactive responsibility. In no case, neither at the time
of notification, nor now (one year later) has the subsequent processing by third parties of the information contained in the USB been verified.
Therefore, it concludes that neither AFIANZA, nor the AEPD, nor any other third party have
the capacity to prove that, as of today, there has been “improper access” or
an “accidental disclosure” of the information contained in the USB, with evidence of
the theft of a backpack, which contained a USB, and therefore, stating with total
certainty that there has been a breach of confidentiality is totally
disproportionate in relation to the proven facts.
II. SECURITY MEASURES IMPLEMENTED BY AFIANZA
Without prejudice to the above, and in the event that this Control Authority
understands that a security breach has occurred, AFIANZA wishes to
disclose the security measures it has implemented, insofar as in the
Agreement to initiate the Sanctioning procedure, the AEPD maintains that the
identification of a security breach does not imply the imposition of a sanction
directly (…), since it is necessary to analyse the diligence of those responsible and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/44
in charge and the security measures applied. In this regard, AFIANZA
states the following:
I. In 2018, with the direct application of the General Data Protection Regulation and, subsequently, with the entry into force of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights,
AFIANZA carried out a procedure to adapt the company to the new legal framework and implemented both technical and organizational security measures associated with each of the treatments carried out and included in its
Processing Activities Register (Annex II)
II. All AFIANZA personnel who access personal data have received training
and are aware of their obligations in relation to the processing of personal data (Annex III)
III. An IT Audit has been carried out in which the level of technical compliance of the personal data processing carried out under the responsibility of AFIANZA has been analyzed, verifying the degree of adequacy of AFIANZA to the measures and controls provided for in the regulations on the protection of personal data, and associated security regulations (Annex IV)
IV. At AFIANZA all possible measures have been implemented to prevent unauthorized persons from accessing personal data, for this purpose:
(…)
AFIANZA points out that, as stated in recital 83 of the GDPR, in order to maintain security and avoid violations, the controller or the person in charge
must evaluate the risks inherent to the processing and apply measures to mitigate them.
These measures must guarantee an adequate level of security, including
confidentiality, taking into account the state of the art and the cost of its
application, and this is precisely what AFIANZA has been doing since the direct
application of the GDPR.
ALIANZA indicates that article 32 does not regulate a list of the security measures that are applicable, but rather establishes that the controller and the person in charge of the
treatment will apply technical and organizational measures that are appropriate to the risk that the treatment entails, taking into account the state of the art, the costs of
application, the nature, scope, context and purposes of the treatment, the risks of
probability and severity for the rights and freedoms of the interested parties,
so that pivoting the sanctioning argument on the lack of encryption of the stolen USB
is not appropriate, because
(i) it is not a mandatory security measure and
(ii) none of the security measures implemented by AFIANZA and previously communicated are taken into consideration.
In light of the above, AFIANZA understands that it processes personal data in a manner
that guarantees adequate security of the same, including protection against
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/44
unauthorized or unlawful processing and against accidental loss, destruction or damage,
through the application of the indicated technical or organizational measures.
For the reasons set out above, AFIANZA considers that it has been proven that it complies with each and every one of the principles relating to the processing of data in the GDPR, especially with the principle of confidentiality, in the same way that it has complied with its obligation to
implement security in each and every one of the data processing it carries out, indicating that this Control Authority must know that security is not
impregnable, and therefore, the regulations value the security measures that are
adopted so that, in the event of a security incident occurring, it has the
minimum possible consequences. AFIANZA cannot be held responsible for having
been the victim of a criminal act, just as it cannot be held responsible
for a third party's violation of the implemented security measures. Likewise, the AEPD cannot guarantee or prove that there has been a
violation of the rights and freedoms of third parties.
III. SECURITY BREACH NOTIFICATION PERIOD
AFIANZA points out that Article 33 of the GDPR states that, in the event of a breach of the
security of personal data, the data controller shall notify the
competent Supervisory Authority without undue delay and, if possible, no later than
72 hours after having become aware of it, unless it is unlikely that
the breach of security constitutes a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority does
not take place within 72 hours, it must be accompanied by an indication of the reasons for
the delay. In this regard, AFIANZA believes that it is important to remember that in the 13 days that
passed from the theft of the USB until the AEPD was notified, AFIANZA filed the
corresponding complaint and, in support of its proactive responsibility, initiated an
internal investigation procedure in order to find out and assess the possible
damages resulting from the theft of the backpack. (…). In addition to the above, communications were made and sent to the community of owners informing them of the criminal act. That is, AFIANZA maintains that it acted proactively and diligently in the days following the
theft and that there was no undue delay, since the rule expressly
refers to “and if possible, no later than 72 hours”, not being an
mandatory period.
AFIANZA understands that the AEPD Agreement appears to infer a criticism of the
time that elapsed between the theft and the notification, without highlighting the justification
that led to the delay, nor the completion of the notification itself.
Any other data controller could have chosen not to have
never communicated the criminal act to the AEPD, however, AFIANZA, complying
with its due diligence, as well as with its internal Protocol, informed the AEPD as
soon as it had an assessment of the possible damage caused, and in no case did there occur a greater risk or a greater dissemination of the data.
AFIANZA highlights that, more than a year after the date of the theft, there has been no publication or any other improper use of the information contained in the USB, so the security breach for the legal purposes indicated in the GDPR
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/44
has not materialized since, as already reported, neither AFIANZA, nor the AEPD, nor any other third party have the capacity to prove that there has been improper access to the information contained in the USB, the only evidence being the theft of a
backpack, which contained a USB, which proves that the period of 13 days
from the theft to notification has not entailed a reduction in the rights of third parties.
IV. AGGRAVATING FACTORS
AFIANZA recalls that in the Agreement to initiate the sanctioning procedure it is
proposed to sanction it for:
- Violation of article 5.1.f) RGPD a fine of €100,000
- Violation of article 32 RGPD a fine of €60,000
And that both infringements are aggravated by:
- Art. 83.2.b) RGPD intentionality or negligence in the infringement. According to the AEPD, although
intentionality is not appreciated, negligence is observed because "there was a
storage of personal data on a removable device without being encrypted."
At this point, AFIANZA reiterates what was stated in the section on the "Implemented Security Measures", understanding that, pivoting the sanctioning argument on the lack of encryption of the stolen USB, is not appropriate, because:
it is not a mandatory security measure and
none of the security measures implemented by AFIANZA have been taken into consideration
For this reason, AFIANZA maintains that the diligence in the care of
the protection of personal data for which it is responsible cannot be questioned,
solely, because a stolen USB was not encrypted, when there are and
were many other security measures.
Likewise, he continues to argue that, according to the provisions of articles 1,104, 1,101 and
1,089 of the Civil Code, and the doctrine that interprets them, “negligence” is the omission of
that diligence that is required by the nature of the obligation and corresponds to the
circumstances of the people, time and place. The legal reproach is the lack of
a proper and appropriate behavior of a moderately responsible person,
according to the circumstances of the specific case. There are also sentences that
qualify negligence as “carelessness” an action contrary to the objective duty of
respect and care for the legal asset protected by the law, including here the
“disregard” or “undermining” of the duties of vigilance or care.
It is important not to forget in what circumstances the events occur, and that is that the
loss of the USB occurs during a crime of theft with force against things, provided for in
article 237 of the Penal Code. If the crime had not occurred, no one would have been able to
access the USB. We are not dealing with carelessness or negligence, since there were
security measures (it is important to remember that the location of the USB drive was
inside a backpack, on a shelf in a private office, which is also located
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/44
in offices that can only be entered after passing through two main doors
at the entrance to the building, one more to access AFIANZA, walking down a twenty-metre corridor and finally opening and entering that office).
- Art. 83.2.c) RGPD any measure taken by the controller or processor to
mit the damages and losses suffered by the interested parties.
AFIANZA states that, according to this Control Authority, "there is no evidence that AFIANZA
reacted as quickly as possible and proceeded to take the necessary measures to mitigate
the effects and the risk", however, since the notification of the security breach,
the AEPD has in its possession the complaint filed by AFIANZA when not even 24 hours had passed since the theft. The most useful way to mitigate the effects of
a crime is to report it, and that is exactly what AFIANZA did. This is without
detracting from the activation of the relevant security measures, the sending of
communications to the community of owners, as well as the notification itself to the
AEPD.
In addition to the above, AFIANZA recalls that, on July 2, 2021, the
Director of the AEPD required the communication of the breach to the interested parties,
a communication that AFIANZA made through the National Court and informed the
AEPD on July 8, 2021. An issue that has not been valued by this Control Authority either.
It reiterates that, more than a year later, there has been no damage or/and harm suffered by
any interested party, so aggravating an infringement with this argument is completely
disproportionate.
- Art. 83.2.g) GDPR the categories of personal data affected by the infringement.
AFIANZA points out that the AEPD establishes this aggravating factor because it understands that the USB
contained data "relating to infringements and criminal sanctions", although, (...), it included the
preliminary proceedings of the procedure, that is, the information was related to the
investigation process, there being no criminal sanctions in it.
V. MITIGATING CIRCUMSTANCES
AFIANZA alleges that, although the AEPD has agreed to include the aggravating factors indicated in
the previous point in both infringements, it has not taken into consideration any of
the possible mitigating factors that could be applicable to the case:
- Art. 83.2.a) GDPR the nature, seriousness and duration of the infringement. The alleged breach of confidentiality occurs in the context of a crime committed by a third party outside the organization, bypassing the established security measures.
Furthermore, as has been reiterated, there is no evidence that any third party has made use of the information contained in the USB, so the seriousness of the access from the perspective of data protection is non-existent.
- Art. 83.2.c) GDPR any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties and Art.83.2.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/44
f) GDPR, the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement. As
indicated in the previous section, the AEPD has used this argument as an
aggravating factor, although both provisions should be taken into consideration given the
proactive attitude that AFIANZA has shown at all times, not only in collaboration
with the AEPD (providing additional information, informing those affected about the
communications...), but also with those affected.
- Art. 83.2.h) the way in which the control authority became aware of the infringement,
in particular whether the person responsible or the person in charge notified the infringement and, in such case, to
what extent. The AEPD would never have been aware of the fact, had it not
been because AFIANZA, in order to fulfil its proactive responsibility,
communicated it directly. The time elapsed has shown that, if AFIANZA had not
notified it, the AEPD would never have been aware of the fact, as there has
not been anyone who has seen their freedoms or rights diminished by this event.
- Art. 83.2.k) any other mitigating factor applicable to the circumstances of the case,
applied by the AEPD in other proceedings, such as:
-The non-existent extent of the damage. No natural person has seen his or her rights and freedoms
impaired.
-AFIANZA has adopted measures to prevent similar incidents from occurring.
-AFIANZA has responded to the Agency's request for information, which
affects cooperation with the control authority in order to remedy the infringement and
mitigate the possible adverse effects thereof.
-There is no evidence that AFIANZA acted fraudulently or
with a lack of diligence.
-AFIANZA is a small company.
VI. LACK OF GUILT PRINCIPLE
AFIANZA claims that the events that occurred would imply a result not sought by it, as it was motivated by the commission of a criminal act by a third party
totally unrelated to the data controller and its staff and that it must be taken into account that, as the National Court has shown, and to the extent that:
(i) there is no voluntariness in the act,
(ii) there has not been a particularly harmful result,
(iii) there is no evidence of a lack of care in the actions of AFIANZA in its
activities and functions,
It would be contrary to the nature of the administrative sanctioning field, subject to the
principles of minimum intervention and proportionality, to impose a sanction in respect of
the event that occurred, not deserving of sanctioning action as the
element of guilt is not present.
AFIANZA indicates that the Judgment of the National Court of 14 December 2006, appeal no. 1363/2005, states the following in its Legal Grounds: “The
resolution of this appeal must firstly recall that guilt
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/44
is an essential element for the sanction imposed on the plaintiff, as prescribed by article 130.1 of Law 30/1992 of 26 November, which
establishes that only those responsible for the acts constituting an administrative infringement may be sanctioned, even if they are simply ignored.”
Therefore, it alleges that the communication made by AFIANZA cannot be a reason that
governs objective liability to establish a sanction within the framework of administrative law. Indeed, in matters of sanctions the principle of guilt applies
(STC 15/1999, of July 4; 76/1990, of April 26; and 246/1991, of December 19),
which means that some kind of intent or fault must be present.
As stated in the Supreme Court ruling of January 23, 1998, "...we can
speak of a decided line of jurisprudence that rejects objective responsibility in the field of sanctions of the Administration, requiring the concurrence of intent or
fault, in line with the interpretation of STC 76/1990, of April 26, when it indicates that
the principle of guilt can be inferred from the principles of legality and prohibition of
excess (article 25 of the Constitution) or from the requirements inherent to the Rule of Law."
This argument has already been raised by the AEPD in similar proceedings, where
the filing of the proceedings has been agreed (Procedure No.: PS/00112/2021), and
it is that:
(i) The theft of the backpack does not respond to a voluntary act by AFIANZA but by
a third party outside the entity.
(ii) There has been no type of injury to the rights and freedoms of
third parties. The extent of the damage is totally non-existent.
(iii) AFIANZA's actions at all times respond to the due diligence
required of a data controller.
For all these reasons, AFIANZA requests:
I. The filing of the AEPD's sanctioning procedure to the extent that there is
no sanction for alleged violations of the GDPR that have not resulted in a
reduction in the rights and freedoms of any third party. The extent of the damage is not measurable or
quantifiable because it is non-existent. As has been proven, neither the AEPD nor any
other third party has the capacity to prove that, as of today, there has been
"improper access" or "accidental disclosure" of the information contained in the USB,
so the security breach for the legal purposes indicated in the GDPR has not
materialized. Likewise, the principle of guilt does not apply in any way, so any sanction would be contrary to the nature of the administrative
sanctioning field, subject to the principles of minimum intervention and
proportionality.
II. The security measures implemented by AFIANZA and consistent with the current regulatory framework are taken as true and applied.
III. The activities carried out by AFIANZA throughout the proceedings and made clear in the mitigating factors raised are valued.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/44
EIGHTH: On January 23, 2023, the body in charge of the sanctioning procedure formulated a resolution proposal, in which it proposes that the Director of the AEPD
should sanction AFIANZAASESORES, SL, with NIF B83117804:
-for an infringement of Article 5.1.f) of the GDPR, classified in Article 83.5 of the GDPR, with a fine of NINETY THOUSAND EUROS (90,000 euros)
-for an infringement of Article 32 of the GDPR, classified in Article 83.4 of the GDPR,
with a fine of FIFTY-FIVE THOUSAND EUROS (55,000 euros)
This resolution proposal, which was notified to GUARANTEE in accordance with the rules
established in Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (LPACAP), was collected on January 26, 2023, as stated in the receipt that is in the file.
In said resolution proposal, in response to the allegations made by AFIANZA,
the following response was given:
1. Security breach
The entity claims that it has not suffered a breach of confidentiality because it has not
been possible to prove that there has been access by an unauthorized third party
to the information contained in the stolen USB, since the only proven fact is the theft
of such device, but not access to its content.
In this regard, it should be noted that in the case at hand, an external storage device (USB) containing a large amount of personal information relating to a criminal investigation procedure was stolen, and that it was not encrypted nor did it have any other measure aimed at preventing access to said information by unauthorized third parties in the event of loss or theft, which undoubtedly represents a violation of the confidentiality of the personal data contained therein, as it has clearly been compromised due to the lack of any protection of the device.
In this regard, the European Data Protection Board (hereinafter, the Board) makes it
clear and without any doubt when, in Guidelines 01/2021 <<on
examples regarding personal data breaches. Notification>>, adopted on
December 14, 2021, it states precisely, in its section 5.2, Case No. 11:
Stolen material that stores unencrypted personal data, that "This data
breach concerns the confidentiality of the data stored on the stolen device" (point 94).
In this regard, the Committee is clear in stating that the device that
contained the personal data was “vulnerable in this case because it did not have any
password protection or encryption” (point 95)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/44
The Committee also considers that, due to these circumstances,
notification to the Control Authority and notification to the interested parties is also necessary
(point 98).
Therefore, to maintain that even though a device with personal data stored on it was stolen without any type of protection against access is not a
breach of confidentiality because it cannot be proven that someone has
accessed it, would be the same as stating that, in the case of a stolen folder or book containing the same documentation in paper form, it would not constitute a
breach of confidentiality arguing the impossibility of proving reliably that the person who stole it or another third party had not opened it. In both
cases, what is relevant to understanding that confidentiality has been breached is that the information
is completely freely available to unauthorized third parties.
However, in the case of portable electronic storage devices, there is the ability and possibility to protect them by means of technical
security measures that make it impossible or considerably difficult for third parties to access them, so that, in the present case, since none of these measures were established in the stolen USB, it represents a violation of
confidentiality and, therefore, of article 5.1 f) of the GDPR, which requires precisely that
personal data be treated in such a way that adequate security of the personal data is guaranteed, including protection against unauthorized or
unlawful processing and against accidental loss, destruction or damage, through the
application of appropriate technical or organizational measures ("integrity and
confidentiality").
Therefore, it cannot be argued in any way that the confidentiality of the personal data was maintained intact, since, as no prior security measures were adopted, the personal data stored on that device are
accessible.
The duty of confidentiality is binding not only on the data controller but on anyone
who intervenes in any phase of the processing. This duty of confidentiality
means that the person responsible for the stored data cannot reveal or make known its
content, having the “duty to keep it”. It is an elementary requirement and
prior to the recognition of the fundamental right to computer freedom referred to in
Constitutional Court Judgment 292/2000, of 30/11, and for what is of interest
now, it means that the processed data cannot be known by any
person or entity outside the cases authorized by the Law, since that is precisely what
secret consists of.
This duty of confidentiality is essential in today's increasingly complex societies, where technological advances place people in risk zones for the protection of fundamental rights, such as privacy or the right to data protection, as set out in Article 18.4 of the Spanish Constitution. Indeed, this precept contains an "institute for guaranteeing the rights of citizens, which is also in itself a fundamental right or freedom, the right to freedom from potential attacks on the dignity and freedom of the person arising from the illegitimate use of mechanized data processing" (Judgment of the Constitutional Court 292/2000, of 30/11). This fundamental right
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/44
to data protection aims to guarantee that person the power of control over
their personal data, over their use and destination, which prevents situations that are detrimental to the dignity of the person from occurring, that is, the power to protect
their private life from unwanted publicity.
In the case at hand, it has been proven that AFIANZA has violated this
duty of confidentiality in relation to the personal data contained in the USB and
relating to a criminal case. This information cannot be provided to third parties, except with
the consent of the affected parties or if there is a legal authorization that allows its
communication, circumstances that do not occur in the present case. All of this constitutes
a violation of article 5.1. f) GDPR, having enabled, due to the absence of
protection measures, third parties to have access to personal data of affected clients.
2. Security measures implemented
AFIANZA claims to have implemented all the technical and organizational measures
necessary to guarantee a level of security appropriate to the risk involved in the
processing of personal data, referring in its written allegations to a list
of them and stating that with this it complies with the requirements of article 32 of
the GDPR, as well as with each and every one of the principles relating to processing,
especially with that of confidentiality, remembering that security is not
impregnable and that it cannot be held responsible for having been the victim of a
criminal act or for the violation by a third party of the security measures
implemented.
In this regard, it also indicates that the aforementioned provision does not regulate a list of the security measures that are applicable, so AFIANZA understands that it is not appropriate to pivot the sanctioning procedure on the lack of encryption of the stolen USB, since it is not a mandatory measure under article 32 RGPD and, in addition, it
considers that none of the security measures implemented by FIANZA and previously communicated have been taken into account.
In view of this, it should be noted that, from the events that occurred, the opposite can be deduced.
Thus, in the case at hand, a person outside the entity accessed the premises of the same without the security measures implemented working or being observed and the theft of an unencrypted USB device (or without any
other protection measure), containing numerous personal data related to a criminal judicial investigation procedure.
As regards the fact that it had all the appropriate security measures and that these were not
taken into account by this Agency, it is meant that, as already indicated in the
Agreement to Initiate this sanctioning procedure, the security measures
that AFIANZA refers to as having been implemented were not being complied with at the
time of the events.
Thus, from the analysis of the documentation provided by AFIANZA in response to the
request for information regarding the causes that made the breach possible, and
of the security measures existing before the breach stated by it at that
time, the following results:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/44
(…)
However, in the case at hand, the device was not encrypted nor did it
have any other information protection measures.
Therefore, all of this leads to a lack of due diligence both in the
compliance with the established security measures, as well as in the supervision or
verification of their observance and/or their suitability.
In this regard, it is noted that article 32 of the GDPR is infringed both if the controller does not
adopt the appropriate technical and organisational measures
to guarantee the security of personal data, and if, once these are established, they are
not observed. It is precisely this lack of compliance that constitutes the
infringement indicated in article 73 of the LOPDGDD, indicating that, in accordance with the provisions of
article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations:
g) The breach, as a consequence of the lack of due diligence, of the
technical and organisational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679”. (…)
Finally, as regards the fact that article 32 does not regulate a list of specific security measures, encryption not being a mandatory security measure,
it should be noted that said provision establishes, in its section 1, the obligation for those responsible for and in charge of processing to apply the appropriate technical and
organisational measures to guarantee a level of security appropriate to the risk,
taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and
seriousness for the rights and freedoms of natural persons.
Furthermore, paragraph 3 of the same provision determines that, when assessing the adequacy of the level of security, particular account will be taken of the risks presented by the processing of data, in particular as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data.
Therefore, Article 32 does not, in fact, establish specific and static security measures, but it will be up to the controller to determine those security measures that are necessary to guarantee the confidentiality, integrity and availability of personal data. Consequently, the same data processing may involve different security measures depending on the specific circumstances in which the data processing takes place.
Recital 83 of the GDPR also states: In order to maintain security and
to prevent processing in violation of this Regulation, the
controller or processor should assess the risks inherent in the processing and
implement measures to mitigate them, such as encryption. These measures should ensure an
appropriate level of security, including confidentiality, taking into account the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/44
state of the art and the cost of their implementation in relation to the risks and the nature of
the personal data to be protected. When assessing the risk in relation to data security, account must be taken of the risks arising from the
processing of personal data, such as accidental or unlawful destruction, loss or
alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data, which may, in particular,
cause physical, material or immaterial damage or harm.
In short, the first step in determining the security measures to be applied to the specific
processing will be the risk assessment. Once assessed, it will be necessary to determine the security measures aimed at
reducing or eliminating the risks to the processing of data.
The principle of data security requires the application of appropriate technical or
organizational measures in the processing of personal data to protect such data against accidental, unauthorized or
unlawful access, use, modification, dissemination, loss, destruction or damage. In this sense, security measures are
key when it comes to guaranteeing the fundamental right to data protection. The fundamental right to data protection cannot exist if it is not possible
to guarantee the confidentiality, integrity and availability of these data.
And it is stressed that, in accordance with article 32.1 of the GDPR, the technical and
organisational measures to be applied to guarantee a level of security appropriate to the risk must
take into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, as well as the risks of variable probability and
seriousness for the rights and freedoms of natural persons.
Therefore, due to the activity it is engaged in and the personal data it processes, AFIANZA is obliged to carry out a risk analysis and implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk posed by its activity to the rights and freedoms of individuals, taking into account in particular that its activity involves processing personal data relating to criminal convictions and offences.
When we talk about data relating to “criminal convictions and offences”, we are referring to a category that includes personal data processed for the purposes of
prevention, detection, investigation and prosecution of criminal offences and the execution of criminal sanctions.
The processing of this category of personal data poses a high risk for the
rights and freedoms of the natural persons who own them, a risk whose
assessment and analysis by the data controller is required by the GDPR in
several of its provisions and recitals, as well as in its article 32, and which
will entail the adoption of appropriate security measures.
Likewise, the risk posed by its storage in external and portable devices (specific context of
the processing) must be assessed, including clearly the
risk of loss or theft (high probability risk) and appropriate security
measures must be adopted, in accordance with the state of the art and the costs of
implementation. In relation to the latter, the state of the art allows for the easy and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/44
inexpensive implementation of a security measure for protection in the case of
storage of personal data on external and portable USB devices: their
encryption or any other technical measure for protection against access by
unauthorized third parties (encryption of data, password for access, etc.). It is a
basic, accessible and easy-to-implement measure, in accordance, as has been
said, with the current state of the art.
In the present case, as has been indicated above, AFIANZA suffered the
theft of a USB device in which personal data had been stored, without any type of
protection (…).
Therefore, what is being criticized is the storage of this category of
personal data on a completely unprotected USB, that is, on an external device
without any type of technical security measure, without any type of protection
to prevent access by unauthorized third parties, which clearly constitutes a
breach of article 32 of the GDPR.
3. Deadline for notification of the security breach
In this section, AFIANZA makes various statements.
Thus, it maintains that the deadline established in article 33 of the GDPR is not a mandatory
deadline.
In contrast, it should be noted that the deadline for notification to this Agency in the event of a
breach of the security of personal data is a mandatory deadline: without undue
delay and, if possible, no later than 72 hours after having become aware of it. Therefore, this is the maximum deadline that is available to make the
notification. Likewise, and in accordance with the fact that it is a mandatory period, article 74 m) of the LOPDGDD classifies as a minor infringement the incomplete, late or
defective notification to the data protection authority of information related to
a breach of personal data security in accordance with the provisions of
article 33 of Regulation (EU) 2016/679.
AFIANZA also indicates that as soon as it had the assessment of the possible damage or risk
of the breach, it notified the Agency and that, as there was no publication or
any other improper use of the information contained in the USB, the security breach has not
materialized.
In this regard, it is noted that the fact that there has been no evidence of any
damage or publication of the data does not mean that the breach has not materialized,
since this occurs from the moment the security incident that caused a breach of the confidentiality of the data occurs.
Finally, AFIANZA states that any data controller could have chosen
to never have communicated the criminal act to the AEPD and that, by
doing so, they thereby demonstrated a proactive attitude.
In light of this, it is recalled that the notification of security breaches to the
control authorities and communications to those affected, when the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/44
assumptions established by articles 33 and 34 of the GDPR occur, are not an option but
an obligation imposed by legal imperative, in this case, by a directly applicable
European regulation and that, failure to do so, constitutes a violation of the
legalized as an infraction in its article 83.4.
4. Aggravating circumstances
AFIANZA states that it does not agree with the aggravating circumstances
taken into account when determining the calculation of the sanction. Thus:
-Art. 83.2b) GDPR. Intention or negligence in the infringement
AFIANZA points out that it is not appropriate to observe the existence of negligence when
personal data is stored on a removable device without being
encrypted, since it again understands that it is not appropriate to pivot the
sanctioning argument on the lack of encryption of the stolen USB and the fact that the rest of the measures have not been
taken into account.
In this regard, it is appropriate to refer to the arguments in the previous section (section
2) of this Legal Basis, regarding the lack of observance or
compliance with the organizational and technical security measures that AFIANZA
states to have implemented (which allowed an outsider to access AFIANZA's premises without
problem, without forcing anything, and to steal the USB), as well as the
failure to adopt a basic security measure such as having
stored personal data related to a criminal judicial procedure on a
completely unprotected removable device, despite the risk of theft or loss
that this entails.
All of this shows a clear lack of diligence on the part of AFIANZA in
checking and monitoring compliance with the security measures implemented and/or their
continuous effectiveness and suitability, as indicated in the
Initiation Agreement and reproduced in this resolution proposal at the time of motivating the circumstances to be taken into account in the
grading of the sanctions (Legal Grounds VI and IX) and to which we refer in order to
avoid repetitions.
-Art. 83.2 c) GDPR. Any measure taken by the controller or processor to
alleviate the damages and losses suffered by the interested parties.
AFIANZA claims not to agree that the fact that it did not react as quickly as possible and proceeded to take the necessary measures to
mitigate the effects and risks on the rights and freedoms of the affected individuals, including notifying this Agency and communicating the incident to those affected without undue delay, was considered an aggravating circumstance.
In this regard, it should be noted that notifying the control authorities and
informing those affected of the security breach are obligations imposed on the
data controller by the GDPR (articles 33 and 34 respectively), that is,
compliance with them is by legal imperative, so compliance or
non-compliance, in accordance with the requirements of said provisions, may constitute
infringements of the same.
The circumstance to be taken into account contained in article 83.2 c), therefore, must
refer to other types of measures that the controller or processor may adopt in order to reduce as far as possible the impact of an infringement or a
violation of security.
For the reasons set out above, it is not appropriate, in the present case, to consider the aggravating circumstance
indicated in the Commencement Agreement, so the amount of the sanctions for both infringements should be reduced accordingly.
-Art. 83.2 g) GDPR. The categories of personal data affected.
AFIANZA points out in this regard that the data contained in the USB was information
relating to the criminal investigation process, so there was no data relating to
criminal sanctions.
In this regard, it is meant that when data relating to “criminal convictions and
offences” are mentioned, reference is being made to a category that includes
personal data processed for the purposes of prevention, detection, investigation and
prosecution of criminal offences and the execution of criminal
sanctions. The information stored on the stolen USB belongs to this category, as it
contained personal data (…).
5. Mitigating circumstances
AFIANZA claims that when assessing the amount of the offence, the
mitigating circumstances it points out should be taken into account. However, in
contrast this, the following is pointed out:
-As regards considering art. 83.2.a) GDPR (nature, seriousness and
duration of the offence) as a mitigating circumstance, in the sense that, as it cannot be proven that a third party
has accessed the USB, the seriousness of the access from the perspective of data protection is non-existent, it is meant that such an interpretation is not appropriate. Thus, on the one hand, it has already been stated in section 1 of this Legal Basis that the
theft of an external device without any type of protection measure against its access and with personal data contained therein already constitutes a violation of
their confidentiality, which constitutes a violation of art. 5.1 f) of the
RGPD, classified as a very serious infringement in art. 83.5 of the aforementioned Regulation.
-As regards the circumstances included in arts. 83.2 c) GDPR (any measure taken by the controller or processor to mitigate the damages and losses suffered by the data subjects) and 83.2 f (degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement),
since AFIANZA understands that it acted at all times with a proactive and collaborative attitude with this Agency by notifying it of the security breach and by responding to the request for notification to those affected and informing it of this, it is necessary to clarify
that all of this does not reflect a proactive and collaborative attitude, but rather they are
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/44
legal requirements that AFIANZA is obliged to comply with as controller of the
processing of personal data, under penalty of incurring in breaches of the GDPR.
Therefore, the degree of cooperation with the Agency cannot be considered an
extenuating circumstance since the orders and requirements issued by the Agency are mandatory.
The consideration of cooperation with the Agency as an extenuating circumstance, as claimed by the entity, is not linked to any of the cases in which
there may be collaboration or cooperation or a requirement due to a legal mandate, when the actions are required and required by law, as in the case at hand.
6. Non-existence of the principle of guilt
AFIANZA claims that the events that occurred represent a result not sought by
AFIANZA, since they were produced by the commission of a criminal act by a third party who was
completely unrelated to the data controller and his staff, and that
there was involuntariness in the act, there was no particularly harmful result and there is
no evidence of a lack of care in the actions of AFIANZA, so the element of guilt necessary to impose a sanction does not exist.
In view of this, as has been set out in previous sections of this legal basis, AFIANZA is not sanctioned for having suffered a criminal act
(theft of the device), but for the lack of adequate measures both to
safeguard the confidentiality of the personal data it handles (storage
of personal data relating to infractions and criminal sanctions on an external
device without any protective measures against access by unauthorized third parties) and for the non-observance or non-compliance with the security
measures it had implemented (physical and logical controls in its premises).
All of this reveals a lack of due diligence in the measures that
AFIANZA, as the controller of personal data, is obliged to
effectively adopt and to verify that they are observed and that they are
effective and adequate, including, above all, those aimed at preventing unauthorized access by third parties to the personal data for which it is
responsible.
The principle of guilt is required in the sanctioning procedure, but the
principle of guilt does not imply that only an intentional act can be sanctioned.
The Supreme Court (STS 16 April 1991 and STS 22 April 1991) considers
that the element of guilt implies “that the action or omission, qualified as an
administratively sanctionable infringement, must be, in any case, imputable to its
author, due to intent or imprudence, negligence or inexcusable ignorance.” The
same Court reasons that “it is not
sufficient...for exculpation in the face of typically unlawful behaviour to
invoke the absence of guilt” but rather it is necessary “that the
diligence required by the person claiming its nonexistence has been used.” (STS 23 January
1998). Furthermore, the National Court on personal data protection has declared that “simple negligence or failure to comply with the duties imposed by law on persons responsible for files or data processing to exercise extreme diligence is sufficient...” (SAN 29 June 2001).
For all the reasons set out above, the allegations made must be rejected.
NINTH: On February 9, 2023, this Agency received, in a timely manner, a letter from AFIANZA in which it makes allegations regarding the resolution proposal
in which, in summary, it states that:
I. SECURITY BREACH AND SECURITY MEASURES IMPLEMENTED
The AEPD brings up in its Resolution Proposal that the European Data Protection Committee (hereinafter, Committee), in its Guidelines 01/2021, indicates
that:
(i) This breach of data security affects the confidentiality of the
data stored on the stolen device (point 94).
(ii) the personal data was vulnerable in this case because it lacked
password protection or encryption (point 95).
(iii) Due to these circumstances, notification of the AC is necessary, so
notification of the affected interested parties is also necessary
(point 98).
It is essential to note that these arguments put forward by the AEPD
point to a specific example raised in these Committee Guidelines and do not
respond to the reality of the event that occurred and was communicated by AFIANZA, so
using them as support for the legal argument of this Control Authority
supposes absolute defenselessness on the part of AFIANZA who, using this
same criterion, could argue that in the Guidelines on the notification of
personal data security breaches in accordance with Regulation
2016/679 of the Art. 29 Working Party (Guidelines on which the
Guidelines 01/2021 are based), it also indicates as an example that i. A data controller who
saved a backup copy of an encrypted personal data file on a USB key. The key disappears during a theft, should not notify either
the Control Authority or those affected. Certainly, as has been reported
from the beginning, the USB was not encrypted, but there were other security measures
in AFIANZA aimed at making access to the information impossible or considerably difficult.
Similarly, the stolen backpack also contained an iPad, the conditions of which are
in accordance with 5.1 CASE No. 10: stolen material storing encrypted personal data
of Guidelines 01/2021, and in which, as concluded therein:
(i) In this specific case, the data controller adopted appropriate measures to
prevent and mitigate the effects of a possible data security breach by encrypting devices, introducing
adequate password protection and protecting data stored on the tablets (point 88).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/44
(ii) The data security breach described above would have
affected the confidentiality, availability and integrity of the data in
question, however, due to the appropriate procedures of the data
controller before and after the data security breach,
none of these aspects were affected (point 89).
Thus, the AEPD's sanctioning and pointing out attitude
regarding the USB is striking, while, as regards the iPad, the security
measures implemented are not even recognised, valued or taken into
consideration.
In its Resolution Proposal, the AEPD states that “what is relevant to understand that confidentiality has been violated is that the information is completely freely available to unauthorized third parties.” To affirm this is to assume that AFIANZA has not
complied with any of the obligations inherent to its role as data controller and that it has not only not established security measures, but also
“facilitates” third parties' access to the information for which it is responsible.
Referring to Guidelines 01/2021, this Control Authority must be aware that, in
them, in addition to multiple practical examples of specific situations on what is or is not a security breach, a list of measures is included, which is
by no means exclusive or exhaustive, on what organizational and technical measures are
recommended to prevent or mitigate the impact of the loss or theft of devices, including:
• Use an access code or password on all devices.
• Use multi-factor authentication.
• Activate mobile device features that allow access permissions to be revoked in the event of loss or misplacement.
• If the workstation is connected to the corporate LAN, automatically back up work folders whenever personal data is unavoidably stored there.
• Use a secure VPN (e.g., requiring a separate second-factor authentication key to establish a secure connection) to connect mobile devices to back-end servers.
Each and every one of these measures was in place at AFIANZA as of June 17, 2021, as evidenced by how the remote deactivation and subsequent revocation of access to the iPad that was also in the backpack was carried out.
In addition to the above, the Guidelines also include as recommended security measures: providing physical locks to employees so that they can physically protect the mobile devices they use while they are
unsupervised and installing physical access controls, measures that, as has been argued and tested throughout this procedure, were also implemented in AFIANZA1.
In any case, these Guidelines are about the notification of security breaches, which implies that they are merely tools to determine whether or
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/44
we are facing a security breach, and if one has occurred, how we should act with respect to the communication of the same. In no case is the obligation to notify a security incident attached to a breach or lack of security measures, or to a breach of the principle of confidentiality, and much less to an automatic imposition of sanctions.
II. INFRINGEMENT OF ARTICLE 32 OF THE GDPR
This Control Authority understands that AFIANZA has clearly breached art.
32 of the GDPR by storing personal data on the USB completely unprotected, that is, on an external device without any type of technical security measure, without any type of protection to prevent access by unauthorized third parties.
The first step in determining the security measures that must be applied to the specific
processing will be the risk assessment, once this has been carried out, it will be necessary to
determine the security measures aimed at reducing or eliminating risks for the
processing of the data.
In this regard, AFIANZA, prior to the theft, and in compliance with the principle of proactive responsibility, had carried out its risk analysis and defined its security measures, both technical and organizational measures, measures that go beyond mere encryption, which, we reiterate, was implemented in other AFIANZA tools (such as the iPad itself). To state that "there was no type of security or protection measure" is to deny the proven facts and act punitively.
AFIANZA assumes that, at the exact moment of the theft, a series of circumstances occurred that led to the lack of applicability of some of the security measures implemented and already discussed, but this is very different from stating that there were none. The clear proof is the comparison between the treatment that has been given to the iPad and the USB.
The intention to impose a fine of €55,000 is absolutely disproportionate, and
not only because of the AEPD's lack of assessment of AFIANZA's control measures, or the
null impact that the incident has had, but also because of the comparison with the
sanctioning resolutions that this Control Authority has been imposing on
other entities for committing the same infringement. And after analysing the total
of 61 Resolutions available through the AEPD website relating to the
infringement of art. 32 of the GDPR in sanctioning procedures, it follows that, in relation to the private sector:
(I) In cases where a security incident has occurred, in which article 32 of the GDPR has been violated, resulting from the abandonment
of documents that, in some cases, even contain sensitive personal data, allowing access to them by third parties
in violation of the established measures, the sanction imposed
by the AEPD has been €3,000.
In these cases, although there is no accreditation of access to the information by third parties, the attitude of the person responsible for
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/44
processing is active in the sense of abandoning the documentation
(including medical data) to free access by third parties.
(II) There are other cases in which, according to the AEPD, there are
clear indications that the sanctioned party has violated article 32 of the GDPR,
when a security incident occurred in its system allowing access to
personal data of a third party, allowing access to information that
contained data of third parties, in violation of the established measures.
These sanctions range from a warning to €5,000 for small companies, while for large companies the sanctions range from €30,000 to €60,000:
At this point, AFIANZA wonders why, if in the present case, the AEPD
maintains that there has been a violation of art. 32 of the GDPR, the sanction proposed to
AFIANZA is similar to that imposed on large companies such as XFERA
MÓVILES, S.A or VODAFONE ONO, S.A.U, even though in the present case and
unlike these:
(i) there is no evidence to prove that any third party has
effectively accessed the information contained in that USB; (ii) the AEPD has learned of the matter through AFIANZA, not from
third parties who may have seen their rights violated, as is the case
in the vast majority of the cases analysed and included here,
and,
(iii) 20 months after the robbery, the interests and freedoms of none of those affected have been affected, and there has been no complaint or
claim in any entity or institution competent for these purposes. (III) In addition to the above assumptions, below is a comparison between two events that are very similar in terms of the fact and the
type of data, but absolutely different with respect to the sanction, the
application of mitigating factors, the number of those affected and, in general, the
AEPD's assessment:
AFIANZA once again asks why (i) if the volume of data affected in the case
of CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA is 100 times greater
than that of the data affected in the case of AFIANZA;
(ii) whether the type of data in the case of CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA affects many more special categories of data (union membership data; health data; complete sentences;
embargo notifications; pension plan data, etc.) than in the case of
AFIANZA and (iii) whether there has been a claim by affected parties before this Control Authority in the case of CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA, which issue has not occurred in the case of AFIANZA,
(i) Why are mitigating factors taken into consideration in the case of CORPORACION DE RADIO Y TELEVISION
ESPAÑOLA SA and not in the case of AFIANZA?
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/44
(ii) Why is AFIANZA penalized for the infringement of art. 32 and, in addition, for the infringement of art. 5.1.f) of the GDPR, but not CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA?
(iii) Why is the sanction proposed to AFIANZA, in relation only to article 32 of the GDPR, practically identical, and in relation to the total proposed, almost three times more than the one finally imposed on CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA?
Through this comparative exercise, the
absolutely disproportionate nature of the sanction proposed by the AEPD to AFIANZA has been demonstrated, and
in the face of similar situations, the AEPD even goes so far as to impose a warning
when it considers that the administrative fine that could be imposed would constitute a
“disproportionate burden”.
In addition, the AEPD tends to highlight in its resolutions the fact that no previous infringement has been committed in the area of data protection, a fact that
also leads to a result without a fine, an issue that has not been taken into
consideration with AFIANZA.
III. INFRINGEMENT OF ARTICLE 5.1.F) OF THE GDPR
Art. 5.1.f) of the GDPR indicates that personal data will be treated in such a way
that adequate security of personal data is guaranteed, including
protection against unauthorized or unlawful processing and against accidental loss,
destruction or damage, through the application of appropriate technical or
organizational measures.
This principle of "security" that the GDPR imposes on those who process data
makes it necessary to carry out a risk analysis aimed at determining the
technical and organizational measures necessary to guarantee the integrity, availability and
confidentiality of personal data. Both technical and organizational measures
that, as has been stated, existed in AFIANZA. A different issue is
that on a specific day at a specific time and due to specific circumstances, there was a
lack of applicability of some of the security measures implemented and
already discussed, but this is very different from stating that none existed, as well as
it is very different from assuming that the principle of confidentiality has been breached.
In the previously described case of CORPORACION DE RADIO Y TELEVISION
ESPAÑOLA SA, this Control Authority does not even assess the possible
breach of this article.
The entire event assessed here occurs as a consequence of a criminal activity,
predictably organized and planned. We are not faced with a failure to comply with measures by AFIANZA, and the judgments of the National Court (hereinafter SAN) (Administrative Litigation Division, hereinafter SCA) of 25 February 2010 [JUR 2010/82723] and 10 November 2017 [JUR 2018/3170])
indicate that (…). Thus, the fact that a third party has exceeded said measures
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/44
does not imply, per se, having breached the obligation or, where appropriate, the principle of
integrity and confidentiality. The data controller is subject to an
obligation of means, not an obligation of result in the sense of understanding that
every incident is a breach of the duty to "guarantee a level of security
appropriate to the risk" (article 32 of the GDPR).
This argument seems to go hand in hand with the resolutions that the AEPD has imposed on
those who have infringed art. 5.1.f) of the GDPR, and it is that from a
brief analysis it can be seen that the AEPD has been imposing the infringement of
art. 5.1.f) in those cases in which there has actually been access to the
information by unauthorized third parties, that is, those cases in which,
it is a proven fact that third parties have accessed information of which they were not the owners,
an element that does not occur in the case we are discussing here.
However, AFIANZA reiterates compliance with the principle of confidentiality and requires
this Control Authority to differentiate between failures in the applicability of security measures at the time of the theft, from non-compliance with the principle of
confidentiality. Both infringements do not have to go hand in hand, and the AEPD has stated this on several occasions, and it is only necessary to review its
resolutions. Furthermore, in the face of very similar facts (CORPORACION DE RADIO Y
TELEVISION ESPAÑOLA SA and AFIANZA), the results proposed by the AEPD are
totally different.
IV. AGGRAVATING CIRCUMSTANCES
The proposed Resolution of the AEPD, despite having reconsidered the application
of the aggravating circumstance contemplated by article 83.2.c), maintains the following
aggravating circumstances:
- Art. 83.2 b) RGPD: Intentionality or negligence in the infringement.
In the present case, there is an evident lack of “culpability” on the part of
AFIANZA, an essential requirement in order to determine the application of the aggravating factor
set forth in art. 83.2.b). Culpability requires the assessment of intent (ruled
out at all times), imprudence or negligence, the latter two being used
indistinctly by the AEPD.
The AEPD finds negligent conduct in the two violations imputed to
AFIANZA relating to articles 5.1.f) and 32 RGPD. However, AFIANZA is unaware
of the reasons and arguments corresponding to each of the alleged violations.
The AEPD Resolution has not stated which actions or omissions of AFIANZA are to be attributed to any of the aggravating circumstances, it has simply limited itself to judging both violations jointly, without breaking down or developing the reasons why negligence is appreciated with respect to the violation of the confidentiality principle (article 5.1.f) RGPD), nor with respect to the adoption of adequate security measures (article 32 RGPD).
Given the circumstances of this case, negligent conduct cannot be appreciated. As explained in previous arguments, negligence implies a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/44
omission of that diligence required by the nature of the obligation and corresponding to
the circumstances of the persons, time and place, in accordance with
articles 1.104, 1.101 and 1.089 of the Civil Code.
In the present case, AFIANZA has not carried out active conduct that
has infringed the principle of confidentiality or breached the appropriate
security measures, such as the publication of personal data on a
web page or the sending of an email to multiple recipients without the BCC function (as
is the case in the cases set out in Annex I).
AFIANZA did not at any time carry out acts that put the security and
confidentiality of the data at risk, that is, it did not consciously make decisions
knowing that they could have harmful consequences. Quite the contrary.
AFIANZA has demonstrated proactive responsibility, having established both
physical barriers related to the building infrastructure and security personnel, as well as
technical barriers with the encryption of most of the devices, although AFIANZA
recognizes and has reported from the outset that some of these
security measures were not applied on the exact day and time of the theft, which is
different from assuming that they did not exist or had never been applied before.
In this regard, the Guidelines on the application and establishment of administrative limits for the purposes of the GDPR issued by the European Data Protection Committee make the following observations regarding the aforementioned aggravating factor. The
Committee states that, in accordance with the GDPR, “the routines and documentation of
processing activities are based on risk”. Likewise, “companies must
be responsible for adopting structures and resources appropriate to the nature and
complexity of their business”.
At this point, it is only necessary to reiterate the low probability that a theft of a backpack would be committed
in facilities where there are hundreds of devices of greater value, all of them protected with encryption systems. The risk
that a crime of this calibre would be carried out in the circumstances given in this
specific case seems practically unimaginable.
- Art. 83.2.g) GDPR the categories of personal data affected by the
infringement.
With regard to this aggravating factor, AFIANZA feels the need to state
that the data relating to criminal infringements and convictions (the criminal investigation)
had already been made manifestly public on a date prior to the day of the theft. (…).
That is to say, even though the data contained in the USB that was inside the stolen backpack
relates to criminal offenses and convictions, practically all of what was included
had already been published in newspapers, radio and TV. The risk of it being leaked or something new
becoming known is non-existent.
This criterion is defended by the Judgment of the Court of Justice of the European Union of
24 November 2011 (Joined Cases C-468/10 and C-469/10), which indicates, in
Recitals 44 and 45, that when the data appear in sources accessible to the
public, the data controller and, where applicable, the third party or parties to whom the data are
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/44
communicated do not access data relating to the private life of the interested party,
since the information is already public knowledge. As a consequence, there is a
lesser impact on the rights of the interested party, which must be assessed at its fair
value in the balance with the legitimate interest pursued by the data controller or by the third party or parties to whom the data are communicated. The same
can be said in the case of data made manifestly public by the
interested party (article 9.2. e) GDPR) which also occurs in the present case since
many of those investigated have appeared in the media making
statements about the case.
V. MITIGATING CIRCUMSTANCES
Despite the facts set out and the obvious cooperative and favourable attitude of
AFIANZA, the AEPD Resolution rejects the consideration of the following
mitigating circumstances, which in our view must be assessed:
- Art. 83.2.a) GDPR the nature, seriousness and duration of the infringement. It is
appropriate to underline that, two years after the security breach, the disclosure of any of the data contained in the stolen Pendrive has
not been confirmed.
Likewise, none of the nearly one hundred people affected have filed any claim
in this regard. Although it is true that the USB with a considerable volume of data
was stolen, the impact has been practically non-existent. No consequences have been generated
for the affected people, who have not expressed their discomfort or disapproval.
- Art. 83.2.c) RGPD any measure taken by the person responsible for or in charge of the
treatment to alleviate the damages and losses suffered by the interested parties.
From the moment that AFIANZA became aware of the theft of the backpack, it acted
immediately and effectively. Firstly, by completely blocking the content
of the iPad, a measure that has significantly reduced access to certain information.
AFIANZA then identified the personal data involved, the affected
people and contacted them to inform them of what had happened.
Likewise, security and prevention protocols were implemented regarding
the privacy and confidentiality of the information collected by the firm, as well as
access to its facilities; training and awareness measures. None of
these measures have been considered by the AEPD, unlike what happened in the
case of CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA, previously
mentioned.
- Art.83.2. f) RGPD, the degree of cooperation with the control authority in order to
remedy the infringement and mitigate the possible adverse effects of the infringement.
Closely linked to what has been recently stated, it is pertinent to reiterate the
cooperative attitude of AFIANZA. The AEPD states in the Resolution that the fact of
collaborating and providing the required information is a legal obligation and,
consequently, should not be rewarded. Indeed, AFIANZA has complied in a timely manner with all the obligations and requirements of the AEPD from the moment it notified the security breach. From this point of view, we are unable to understand what the degree of cooperation should be for it to be considered as an attenuating circumstance, especially when there are cases in which the entity being
responded to has not complied with the obligations imposed and the consequent aggravating circumstance has not been implemented.
- Art. 83.2.h) the way in which the control authority became aware of the infringement,
in particular whether the person responsible or the person in charge notified the infringement and, in such case, to what extent.
AFIANZA indicates that it was the one who informed the AEPD of the security breach, a clear sign of the proactive responsibility and diligent action of the entity being
responded to. Although there was a certain delay in the notification period, during the present procedure this has been sufficiently proven (the weekend passed, the gathering of information and affected persons, limitation of damage, etc.).
In this sense, it is understood that the notification of the breach by AFIANZA
demonstrates proactivity. That is, the loss or theft of a USB (small device) can easily go unnoticed, not have been detected. However, AFIANZA has demonstrated that it has control over the company's devices so that, at the very least, its loss or theft is detected, so that
measures have been able to be taken from early stages. It is not a question of having been
compliant because the breach has been notified to the AEPD, but of having been
able to immediately detect that, among the stolen goods, there was a USB with
personal data. This in itself denotes due diligence in the face of a personal data security breach.
Furthermore, given the null impact and the absence of claims by the affected persons, if AFIANZA had not notified it, the AEPD would never have been aware of the fact.
- Art. 83.2.k) any other mitigating factor applicable to the circumstances of the case,
applied by the AEPD in other proceedings, such as:
The non-existent extent of the damage. No natural person has seen their rights and
liberties diminished.
AFIANZA has adopted measures to prevent similar incidents from occurring
in the future, and, to date, they have proven to be effective.
AFIANZA has responded to all the AEPD's requests, which affects the
cooperation with the control authority in order to remedy the infringement
and mitigate the possible adverse effects of it.
There is no evidence that AFIANZA acted fraudulently or
with a lack of diligence.
AFIANZA is a small company.
AFIANZA has not committed any previous infringement in the area of data protection.
AFIANZA was the victim of a premeditated robbery, taking advantage of a situation of
spontaneous vulnerability of the security measures. This implies that, in addition to
having suffered the intrinsic consequences as a victim of a crime, it has been
tried for the same.
VI. NON-CONCURRENCY OF THE GUILT PRINCIPLE
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/44
As regards the guilt principle, AFIANZA maintains, as it did
in the allegations to the agreement to initiate the sanctioning procedure, that it has
not acted culpably, so no sanction should be imposed.
Article 28.1 of Law 40/2015, of October 1, regulates the principle of guilt,
indicating that only natural and legal persons may be sanctioned for acts constituting an administrative
infraction, as well as, when a Law recognizes their capacity to act, groups of affected persons, unions and entities without
legal personality and independent or autonomous assets, which are responsible for the same by reason of fraud or fault.
Continuing with the interpretation made by the Supreme Court, for exculpation
the invocation of the absence of fault will not be sufficient, but it will be necessary that the diligence that was required by the person claiming its nonexistence has been
used (among others, the Supreme Court ruling of January 23, 1998 [RJ 1998\601]). Likewise, the National Court has held, in cases similar to the present one, in which a third party has accessed, through criminal activities, data of interested parties held
by a data controller, that imputing such acts to the data controller could lead to a violation of the principle of culpability. As an
example, the SAN (SCA, Section 1) of 25 February 2010 [JUR 2010/82723]. "Thus,
even though article 9 of the LOPD establishes an obligation of result,
consisting of adopting the necessary measures to prevent the data from being
lost, misplaced or ending up in the hands of third parties, such obligation is not absolute and
cannot cover a case such as the one analysed. In the present case, the result is
a consequence of an intrusion activity, not protected by legal order and
in this sense illegal, (…). And, such facts, cannot be imputed to the appellant entity
because, otherwise, the principle of guilt would be violated."
In no case can the theft of the backpack imply the consideration that AFIANZA
has acted negligently. Consequently, it has acted with the due diligence that is
required and, in accordance with the provisions of the sanctioning law, the imposition of any
sanction is not appropriate.
On the other hand, it should be noted that the SAN - Administrative Litigation Chamber 392/2015,
of November 17, which in its Third Legal Basis includes the doctrine of the
Constitutional Court on the application to administrative sanctioning law of the
principles of the criminal order, in the following terms: "The Constitutional Court has
repeatedly declared that the principles of the criminal order, among which is
the principle of guilt, are applicable, with certain nuances, to administrative
sanctioning law, as both are manifestations of the punitive order
of the State (STC 18/1987, 150/1991), and that there is no room in the administrative
sanctioning field for objective or fault-free liability, by virtue of which the
possibility of imposing sanctions for the mere result is excluded, without proving a minimum of
guilt even on the grounds of mere negligence (STC 76/1990 and 164/2005). ).
The principle of guilt, guaranteed by article 25 of the Constitution, limits the
exercise of the "ius puniendi" of the State and requires, as stated by the Constitutional Court
in judgment 129/2003, of June 20, that the imposition of the sanction be based
on the requirement of the subjective element of guilt, to guarantee the principle of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/44
responsibility and the right to a sanctioning procedure with all guarantees
(STS of March 1, 2012, Rec 1298/2009).
In the case at hand, the absence of unlawfulness and
fault in AFIANZA's conduct is clear; unlike the cases presented in
sections II and III of these allegations, AFIANZA does not carry out any action
aimed at breaching its obligations as data controller; AFIANZA does not
provide/send/communicate/personal data of affected parties to unauthorized third parties;
AFIANZA does not breach the principle of confidentiality; AFIANZA does not
carry out a culpable action. AFIANZA has always complied with all obligations
inherent to the regulations protecting personal data, it has been demonstrated
through the provision of documentation, the complaint, the communication of the breach and
other communications with the AEPD that its conduct has always been in accordance with the
diligence required of it, in addition, the adoption of the precautions required
to avoid the non-consensual processing of data has been accredited and all affected persons have been informed of the fact, although, we reiterate, a fact that, 20 months
later, has had no or no impact on those affected.
However, in the present case, the events that occurred would imply a result not
pursued by AFIANZA, as it was motivated by the commission of a criminal act
by a third party completely unrelated to the data controller and its staff, so
the necessary elements determined by the National Court to assume that, in fact, AFIANZA's conduct was culpable are not given, that is:
(i) there is no voluntariness in the act,
(ii) there has not been a particularly harmful result,
(iii) there is no evidence of a lack of care in the actions of AFIANZA in its
activities and functions.
This argument has already been raised by the AEPD in similar proceedings, where
the filing of the proceedings has been agreed (Procedure No.: PS/00112/2021), and
it is that:
(i) The theft of the backpack does not respond to a voluntary act by AFIANZA but by
a third party outside the entity.
(ii) There has been no type of injury to the rights and freedoms of
third parties. The extent of the damage is totally non-existent.
(iii) AFIANZA's actions at all times respond to the due diligence
required of a data controller.
For all these reasons, AFIANZA requests:
I. The filing of the AEPD's sanctioning procedure against AFIANZA to the extent
that there is no reason for a sanction for alleged violations of the GDPR that have
not resulted in a reduction in the rights and freedoms of any third party. The extent of the damage
is not measurable or quantifiable because it is non-existent. Likewise, the principle of guilt does not apply in any way, so any sanction would be contrary to the nature of the administrative sanctioning field, subject to the principles of
minimum intervention and proportionality.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/44
II. That, in the event of not considering the arguments put forward in relation to the
non-existence of the principle of guilt as valid, the arguments provided
with respect to the imposition of sanctions relating to art. 51.f) and 32 of the
RGPD should be taken into account. AFIANZA considers that compliance with the principle of confidentiality (art. 5.1.f) of the RGPD has been sufficiently proven, there are no sufficient legal arguments to determine the contrary, especially taking into account how this Control Authority has been sanctioning in recent years.
III. That, the grievance resulting from comparing the amount of money proposed to AFIANZA with that which the AEPD has been imposing on other entities is taken into consideration, especially if a similar case is taken into consideration, such as the one
exposed in section II, where the impact has been 100 times greater than that which AFIANZA
could have had and, however, the treatment in determining the sanction
and the assessment of other elements such as mitigating factors or the non-imposition of other
infractions has been absolutely negative for AFIANZA. Therefore, this AEPD is requested to
quantify the sanctions in accordance with its own resolutions.
IV. That, if the sanction is finally granted, the publication of the resolution is avoided for
two fundamental reasons:
a. Firstly, because by linking the facts that will be
irremediably reported in the resolution with AFIANZA it is quite easy
to identify the individuals affected by the breach.
b. Since there is no evidence that the information on the USB has been used
by the person who committed the theft, it is very possible that he is not aware of the content
of the USB. When the resolution is made public, he could become aware
of the information it contains and then want to use it in some way
that would, now, cause some harm to those affected. This would aggravate
the consequences of the breach caused by the publication of the resolution without having
dissociated the information.
V. That, if the AEPD has the obligation to publish the resolution of the sanction, any express reference
is omitted (...), as well as to the company Afianza Asesores, S.L, for
the same reasons stated in point IV above.
From the actions carried out in the present procedure and the documentation
in the file, the following have been proven:
PROVEN FACTS
FIRST: (…). The USB device is not encrypted nor does it have any other measures implemented to protect its content from unauthorized third parties.
SECOND: AFIANZA notifies the AEPD of the security breach on June 30, 2021
and begins the actions aimed at communicating to those affected on July 8, 2021.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/44
LEGAL BASIS
I
Competence and applicable regulations
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants to each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."
II
Preliminary issues
In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is evidence
of the processing of personal data, since AFIANZA carries out,
among other processing, the collection, registration, organization, conservation, consultation,
access and deletion of personal data of natural persons, such as: name,
identification number, date of birth, sex, marital status, contact details,
image, voice and data on criminal convictions and offences, among others.
AFIANZA carries out this activity in its capacity as data controller, given
that it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the
GDPR.
Article 4, paragraph 12 of the GDPR broadly defines “personal data breaches” (hereinafter “data breach”) as “any breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.”
In the present case, there is a personal data breach in the circumstances indicated above, categorized as a confidentiality breach due to the theft of an unencrypted USB device (...), with the personal data referenced above, allowing unauthorized access to them.
The security of personal data is regulated by Articles 32, 33 and 34 of the
GDPR, which regulate both the security of processing, the notification of a personal data breach to the supervisory authority, as well as the
communication to the interested party, respectively.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/44
III
Allegations raised
In relation to the allegations raised in relation to the proposed resolution of this sanctioning procedure, the following are answered:
1.- Security breach and measures implemented
AFIANZA points out that it does not agree that this Agency brings up the
Guidelines 01/2021 of the European Data Protection Committee (hereinafter the
Committee) to argue its position, understanding that this causes it to be
absolutely defenseless.
In this regard, it is worth recalling that AFIANZA, in its written allegations to the
Decision to Initiate this sanctioning procedure, denied that a security breach had occurred, much less that it had affected
confidentiality, in response to which, this Agency first proceeded to argue
clearly why the conditions for understanding that there was such a breach of confidentiality were met, mentioning, secondly, the aforementioned
Guidelines of the Committee as a reflection of the fact that this European Union body
maintains the same interpretation, since it reaches the same conclusion in a
basically identical case.
It should be noted that the Committee is entrusted with the task of ensuring the
consistent application of the GDPR (Article 70.1) and that, to this end, among other specific
functions and powers conferred upon it, it will examine, on its own initiative, at the
request of one of its members or of the Commission, any issue relating to the
application of this Regulation, and will issue guidelines, recommendations and good
practices in order to promote the consistent application of this Regulation (Article 70.1).
70.1.e GDPR)
Therefore, when interpreting the GDPR, the unquestionable
preponderance that this rule attributes to the Committee's guidelines, recommendations,
opinions, etc., must not be forgotten.
On the other hand, AFIANZA points out that, although the USB was not encrypted, there were other
security measures implemented in the treatments it carries out and that not taking them into account is understood to be like assuming that it has not complied with any
of the obligations inherent to its role as data controller and that it has not only not
established measures, but also "facilitates" third parties' access to the information
for which it is responsible.
In contrast, it is pointed out again that the alleged infringement is precisely the
violation of confidentiality because the USB does not contain any encryption
measures or any other measures aimed at preventing access to its content (personal
data) by unauthorized third parties. As already pointed out in the Proposal for a Resolution
of this sanctioning procedure, in the case of portable electronic storage devices, there is the power and possibility of
protecting them by means of technical security measures that make it impossible or
considerably difficult for third parties to access them, so that, in the present
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/44
case, since none of these measures were established in the stolen USB,
it constitutes a violation of confidentiality and, therefore, of article 5.1 f) of the
RGPD, which requires precisely that personal data be treated in such a way
that adequate security of the personal data is guaranteed, including
protection against unauthorized or unlawful processing and against its accidental loss, destruction
or damage, through the application of appropriate technical or organizational
measures ("integrity and confidentiality").
2.- Violation of Article 32 of the GDPR
AFIANZA claims that, prior to the incident, in compliance with the principle of
proactive responsibility, it had carried out its risk analysis and defined its
security measures, both technical and organizational (which it describes),
measures that go beyond mere encryption, so stating that there was no
type of security or protection measure is contrary to the proven facts.
In contrast, first of all, it is noted that it is in relation to the stolen USB that the absence of any type of protection measure or
impediment to access by unauthorized third parties has been noted.
Secondly, as regards the allegation of infringement of article 32 of the GDPR,
as already indicated in the Resolution Proposal in response to the same
allegation, and which is transcribed in point 2 of the Eighth Factual Background and
to which we refer in order to avoid unnecessary reiterations, it can be deduced from the
events that occurred that many of the security measures implemented -as the entity acknowledges- and necessary for a
protection and a level of security appropriate to the risk of the treatment were not being observed and that
this allowed the theft of the USB and the breach of security of the personal data and
that it also affected the confidentiality of the same.
It is reiterated again that article 32 of the GDPR is infringed both if the controller does not adopt the appropriate technical and organizational measures to
guarantee the security of the personal data, and if, once these are established, they are
not observed. It is precisely this lack of compliance that constitutes the
infringement indicated in article 73 of the LOPDGDD, indicating that, in accordance with the provisions of
article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation
of the articles mentioned therein and, in particular, the following are considered serious and
will be subject to a two-year statute of limitations:
g) The breach, as a consequence of the lack of due diligence,
of the technical and organisational measures that have been implemented in accordance with the
requirements of article 32.1 of Regulation (EU) 2016/679”. (…)
3.- Infringement of article 5.1f.
AFIANZA points out that it has not breached this precept because, after the corresponding
risk analysis, it had implemented the necessary technical and organizational
measures to guarantee the integrity, availability and
confidentiality of personal data and that it is a different matter that on a specific
day, at a specific time and due to specific circumstances, there was a lack of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/44
applicability of some of the security measures implemented, but that this is
very different from stating that there were none, as well as assuming that the
principle of confidentiality has been breached.
In view of this, it is appropriate to reiterate everything already argued in relation to the lack of
compliance with the security measures implemented and that this represented a security breach
affecting the confidentiality of the data stored on the USB without
a measure of protection against illegal access, thereby constituting a violation of article
5.1 f. Therefore, we refer to everything answered in the resolution proposal and
which appears reproduced in the Eighth Factual Background of this
resolution.
On the other hand, AFIANZA maintains that everything that happened occurred as a
consequence of a criminal activity and that this does not constitute a lack of
compliance with measures, since the fact that a third party has exceeded said
measures does not imply, per se, having breached the obligation, since the person responsible for the
processing is subject to an obligation of means, not to an obligation of results.
In this regard, it should be noted that the obligation of means referred to was not being
fulfilled, since the security measures indicated by the entity, both technical and organizational, were not being observed, which
allowed the incident to occur without any type of obstacles or measures that had to be resolved or
violated.
4.- Other sanctioning procedures processed by this Agency.
AFIANZA refers to a series of Resolutions of sanctioning procedures previously processed
by this Agency in order to allege disproportionality in the
sanctions imposed, including differences in the imputation of infractions in the face of what it
understands to be the same facts or major similarities.
In view of this, it should be noted that the resolutions analyzed by AFIANZA, although
they may have similarities, also have differences with the specific circumstances
of the present case. Thus, there are differences in terms of the number of people affected by
the breach of confidentiality (in many cases only one person); as regards
the processing of personal data carried out by the sanctioned party (whether it is their main activity,
if it is ancillary, if it is minimal, if greater diligence is required depending on the sector,
etc.); as regards the category of data affected; as regards the number of personal data
affected (in some cases only the email or a few more data); the moment at which the events occurred with respect to the time that the GDPR had been applicable
(in many cases just months, which is different from almost 3 years). In this
sense, it should not be forgotten that when determining the sanctions to be imposed, the specific circumstances of the case must
be taken into account.
On the other hand, AFIANZA only brings up resolutions of files that
were processed at the beginning of the application of the GDPR. However, he has not mentioned
other later cases that could be more similar to his situation in terms of the
charged infringements and the amount of the sanctions - without forgetting, it is insisted, that the
specific circumstances of the case must be taken into account - and that, in addition, it must also be taken into
account that they have been processed once there are more clarifications and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/44
interpretations made by both the Control Authorities and the
European Data Protection Committee, as well as court rulings that are
issued, thus forming jurisprudence in this regard.
(…)
On the other hand, it should not be forgotten that AFIANZA is a company dedicated to legal advice, and its activity involves constant and abundant handling of personal data
-among which are, it is insisted, those related to criminal infractions and
sanctions-. Both circumstances are relevant when assessing the degree of
diligence, and the professionalism or lack thereof of the subject must be especially considered,
which is why AFIANZA must take greater rigor and exquisite care to comply with the
legal provisions in this regard.
Therefore, all these circumstances are those that have been taken into account and those that
have conditioned the amount of the sanctions imposed.
5.- Aggravating circumstances
AFIANZA again states that it does not agree with the aggravating circumstances
taken into account when determining the calculation of the sanction. Thus:
-Art. 83.2b) RGPD. Intentionality or negligence in the infringement
AFIANZA reiterates that negligent conduct cannot be considered, and also
claims that it does not know the reasons and arguments for which the aggravating circumstances are applied, since this Agency has not explained which actions and omissions are attributed to said aggravating circumstances.
In light of this, it is noted that both the Commencement Agreement and the Proposed Resolution clearly indicate the reasons and arguments for which it is appropriate to take into account the aggravating circumstances taken into account when determining the amount of the sanction. Therefore, it is appropriate to refer to everything already indicated regarding the lack of observance of the technical and organizational measures that were not being observed at the time of the incident, which reveals a clear negligence on the part of AFIANZA.
Likewise, it is appropriate to refer to what is indicated in the Proposed Resolution as a response to the allegations made against the Commencement Agreement and which is transcribed in the Eighth Factual Background, as well as to Legal Grounds VI and IX of this resolution.
-Art. 83.2 g) RGPD. The categories of personal data affected.
Regarding this aggravating circumstance, AFIANZA points out that it is not appropriate since the data had
already been made public on a date prior to the day of the robbery, since they
refer to a known criminal case, bringing to mind the ruling of the Court of Justice of the
European Union of 24 November 2011, which implies a minor impact
on the rights of the interested parties, which should be appreciated.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/44
(…)
Therefore, although information regarding some of the suspects may have been published in the media, it is not appropriate to accept that all the personal
data regarding all the affected persons were published prior to the incident, in addition to the fact that no evidence has been provided in this regard.
6.- Mitigating circumstances
AFIANZA reiterates a series of circumstances that it considers should have been
taken into account as mitigating circumstances.
In light of this, it is appropriate to recall that many of them cannot be considered as such, and this was pointed out in the Proposed Resolution of the present sanctioning procedure in response to this same allegation and which is transcribed in the Eighth Background Fact of the present resolution and to which it is appropriate to refer in order to avoid unnecessary reiterations.
However, in relation to the fact that the mitigating circumstance of art. 11 should be taken into account, 83.2.h (the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or the processor notified the infringement and, if so, to what
extent) since AFIANZA maintains that as soon as it became aware of the incident, it
notified this Agency and that, in addition, it identified the affected persons and contacted them, informing them of what had happened, which clearly demonstrates
proactivity, it is necessary to clarify - in addition to not constituting an attenuating circumstance,
because it is mandatory by law - several issues:
Firstly, as already indicated in the proposed resolution, the deadline for
notifying this Agency in the event of a breach of the security of personal data is a mandatory deadline: without undue delay and, if possible, no later than
72 hours after having become aware of it. Therefore, this is the maximum deadline that is available to make the notification. Likewise, and in accordance with the fact that
it is a mandatory period, article 74 m) of the LOPDGDD classifies as a minor infringement
the incomplete, late or defective notification to the data protection authority of
information related to a breach of personal data security in accordance with the provisions of article 33 of Regulation (EU) 2016/679, infringement
that has not been imputed to AFIANZA because the limitation period of one year has been exceeded
at the time of issuing the Commencement Agreement, in accordance with the aforementioned
article 74.
The only case that allows not notifying it without undue delay and, where appropriate, no later than
72 hours, is the absence of evidence or any other reason that
justifies it and that must be motivated. In the case at hand, practically from the
same moment of the theft or, at the latest, the following day (when the
report of the theft is filed with the police and in which the theft of the USB and its
content are already indicated), the breach of confidentiality suffered is already known,
from which moment the indicated period begins to be computed. However, the notification was not made until 13 days later, and the reasons argued by AFIANZA are not acceptable,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/44
as reasons for the delay, since none of them justify
such a delay.
Secondly, it is noted that article 34 requires that when it is probable that the
violation of the security of personal data entails a high risk for the rights and freedoms of natural persons, the data controller will
communicate it to the interested party without undue delay. It should not be forgotten that the objective of
the notifications and communications required by Articles 33 and 34 of the GDPR is
to reduce the risks to the rights and freedoms of the affected persons
when a security breach may pose a risk to them, in the
present case, a high risk. Therefore, the delay in said notification prevented this
Agency from analysing the situation as quickly as possible and, as has happened, from negatively assessing
AFIANZA's decision not to communicate it to those affected
-disregarding the seriousness of the possible adverse effects-, causing with this
delay that they could not adopt as soon as possible the measures
and reactions that they consider in order to safeguard their rights and freedoms.
7.- Non-existence of the principle of guilt
AFIANZA points out that there is no room in the scope of administrative sanctions for
objective liability or liability without fault, by virtue of which the possibility of
imposing sanctions for the mere result is excluded, without proving a minimum of guilt, even
on the basis of mere negligence. In this respect, it considers that it has not acted
in a negligent manner, the absence of unlawfulness and guilt in its
conduct being notorious, since the incident was the result of a criminal act by a third party,
and an obligation of results cannot be demanded, but rather an obligation of means.
In view of this, it should be noted that this allegation was already answered in the
Proposed Resolution of the present sanctioning procedure, so it is appropriate to refer to
it.
However, it should be clarified again that AFIANZA is not considered responsible for the
result, but for a loss of confidentiality linked to the non-compliance with
a series of security measures implemented and, ultimately, due to a lack of
diligence on the part of the entity. In this sense, the Supreme Court ruling of 15
February 2022 (Rec. 7359/2020) indicates that "It is not enough to design the
necessary technical and organizational means, their correct
implementation and appropriate use are also necessary, so that it will also be liable for the lack of
diligence in their use, understood as reasonable diligence taking into account the
circumstances of the case"
This lack of diligence on the part of AFIANZA, as the data controller, when
observing or verifying the suitability of the appropriate security measures is what
constitutes the element of culpability.
Finally, with regard to the fact that AFIANZA cannot be held responsible for criminal acts
carried out by third parties, it should be noted that this Agency does not extend the responsibility of the
entity beyond its obligations as data controller.
8.- Other issues raised
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/44
Finally, AFIANZA requests that the resolution not be published if the
sanction is finally imposed, arguing that this will facilitate the identification of the persons affected by the breach,
as well as encourage the person who stole the USB to access it and to possibly
use the information to the detriment of those affected.
In this regard, it is indicated that this resolution does not fall within the
cases contemplated in article 50 of the LOPDGDD in which it is obligatory
to proceed with its publication.
For all the reasons stated above, the allegations raised are rejected.
IV
Article 5.1.f) of the GDPR
Article 5.1.f) “Principles relating to processing” of the GDPR states:
“1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorized or unlawful processing and against accidental
loss, destruction or damage, by applying appropriate technical or
organizational measures (“integrity and confidentiality”).”
The principle of data security requires the application of appropriate technical or
organizational measures to ensure the security of personal data and prevent
unauthorized or unlawful alteration, loss, processing or access. In this sense,
security measures are key to guaranteeing the fundamental right to data
protection. The fundamental right to data protection cannot exist
if the confidentiality, integrity and availability of data are not guaranteed.
The security and confidentiality of personal data are therefore considered
essential to prevent data subjects from suffering negative effects. Therefore, they must
be treated in a way that guarantees adequate security and confidentiality of
personal data, especially to prevent unauthorized access to or use of
such data and of the equipment or system used in the processing.
In short, it is the data controller who has the obligation to integrate the
necessary guarantees in the processing, in order to, by virtue of the principle of
proactive responsibility, comply and be able to demonstrate compliance, while respecting the
fundamental right to data protection.
In the present case, the principle of confidentiality has been violated since it is clear that
AFIANZA suffered the theft of a USB device containing unencrypted
personal data (…).
The fact that the device was not encrypted, encoded, etc., that is, without
any measure or system to prevent unauthorized access and that it was
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/44
stolen by a third party, constitutes a violation of the obligation to guarantee the
confidentiality of the data, in addition to reflecting the storage of personal data on mobile devices
without any protection of said information - especially if the type of personal data processed is taken into account - which
shows a breach of the obligation to treat them in such a way that adequate security of the personal data is
guaranteed, including protection against unauthorized or illegal processing.
Therefore, in accordance with the evidence available, it is considered that
the known facts could constitute an infringement, attributable to
AFIANZA, for violation of article 5.1.f) of the GDPR.
V
Classification of the infringement of article 5.1.f) of the GDPR
The aforementioned infringement of article 5.1.f) of the GDPR involves the commission of the infringements
classified in article 83.5 of the GDPR which under the heading “General conditions
for the imposition of administrative fines” provides:
“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, of an amount equivalent to
a maximum of 4 % of the total global annual turnover of the previous financial year, whichever is higher:
a) the basic principles for processing, including the conditions for consent pursuant to
Articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.
For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:
“1. In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (…)”
VI
Penalty for infringement of article 5.1.f) of the GDPR
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available, it is considered that the infringement in question is very serious for the purposes of the GDPR and that the penalty should be graded to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/44
imposed in accordance with the following criteria established in article 83.2 of the
GDPR:
As aggravating factors:
- Article 83.2.b) GDPR. Intention or negligence in the infringement: Although it is considered that there was no intention on the part of AFIANZA, there is negligence in the compliance and observance of the technical and organizational measures to guarantee the security necessary for the protection of personal data, specifically to guarantee their confidentiality, since personal data was stored on a removable device without being encrypted, which reflects negligence in the observance of basic and simple measures, especially if one takes into account that these are data related to convictions and criminal offenses.
It is worth recalling, in this regard, the Judgment of the National Court of
17/10/2007 (rec. 63/2006), which, with respect to entities whose activity involves the
continuous processing of customer data, indicates that “…the Supreme Court has
understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in
assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, when the activity
of the appellant is one of constant and abundant handling of personal data, the rigor and exquisite care to comply with the legal provisions in this regard must be
insisted upon.
-Article 83.2.g) RGPD. Categories of personal data affected by the infringement:
Personal data relating to infringements and criminal sanctions have been affected,
(…).
Considering the factors set out, the value of the fine for the infringement of art. 5.1.f of the GDPR charged is €90,000 (ninety thousand euros).
VII
Article 32 of the GDPR
Article 32 “Security of processing” of the GDPR states:
“1. Taking into account the state of the art, the costs of implementation, and the
nature, scope, context and purposes of processing, as well as the risks of
varying likelihood and severity for the rights and freedoms of natural persons,
the controller and the processor shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk,
which may include, where appropriate, among others:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the permanent confidentiality, integrity, availability and
resilience of the processing systems and services;
c) the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/44
d) a process of regular verification, evaluation and assessment of the effectiveness
of the technical and organisational measures to ensure the security of the processing.
2. When assessing the adequacy of the level of security, particular account will be taken
into account of the risks presented by the processing of data, in particular as a result of
accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized
communication or access to such data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may serve as an element
to demonstrate compliance with the requirements set out in paragraph 1 of
this Article.
4. The controller and the processor shall take measures to ensure that
any person acting under the authority of the controller or the processor and
who has access to personal data processes such data only on instructions from the controller, unless he or she is required to do so by Union or
Member State law.”
The principle of data security requires the implementation of appropriate technical or
organisational measures in the processing of personal data to protect
such data against accidental, unauthorised or unlawful access, use, modification,
dissemination, loss, destruction or damage. In this regard, security measures are
key to guaranteeing the fundamental right to data protection. The fundamental right to data protection cannot exist
if the confidentiality, integrity and availability of data cannot be guaranteed.
It should not be forgotten that, in accordance with article 32.1 of the GDPR, the technical and organizational
measures to be applied to ensure a level of security appropriate to the
risk must take into account the state of the art, the costs of implementation, the
nature, scope, context and purposes of the processing, as well as the risks of
variable probability and severity for the rights and freedoms of natural persons.
In this regard, it should be noted that AFIANZA's activity involves the
processing of data relating to convictions and criminal offenses, including personal data of
persons who testify.
In the present case, AFIANZA suffered the theft of a USB device containing
personal data (...), causing a security breach consisting of a breach of
confidentiality.
As has been explained in detail in section 2 of the Eighth Factual Background, from the events that occurred and from the analysis of the documentation in the
file, it can be deduced that a person not belonging to the entity accessed the
company's premises without the security measures implemented working or being observed, and the theft of an unencrypted USB device (or without any
other protective measure), containing numerous personal data related to a criminal judicial investigation procedure.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/44
Therefore, this constitutes a breach of article 32, since it is infringed
whether the controller does not adopt the appropriate technical and
organisational measures to guarantee the security of personal data, or if, once these are established, they are not observed
Based on the above, it can be deduced from all of this that there is a lack of due diligence both in the
compliance with the established security measures, as well as in the supervision or
verification of their observance and of their suitability or effectiveness.
In accordance with the evidence available, it is considered that the
known facts constitute an infringement, attributable to AFIANZA, due to
violation of article 32 of the GDPR.
VIII
Classification of infringement of Article 32 of the GDPR
The aforementioned infringement of Article 32 of the GDPR involves the commission of the infringement
classified in Article 83.4 of the GDPR, which under the heading “General conditions for
the imposition of administrative fines” provides:
“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of not more than EUR 10,000,000 or,
in the case of an undertaking, not more than 2% of the total annual turnover of the
previous financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8,
11, 25 to 39, 42 and 43; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that:
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”
For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:
“In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered serious and will be subject to a two-year limitation period:
g) The breach, as a consequence of the lack of due diligence, of the
technical and organisational measures that have been implemented in accordance with the
requirements of article 32.1 of Regulation (EU) 2016/679”. (…)
IX
Penalty for infringement of Article 32 of the GDPR
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/44
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available, it is considered that the infringement in question is serious for the purposes of the GDPR and that the penalty to be imposed should be graded
in accordance with the following criteria established in Article 83.2 of the GDPR:
As aggravating factors:
- Article 83.2.b) GDPR. Intention or negligence in the infringement: Although it is considered that there was no intention on the part of AFIANZA, the existence of negligence in the compliance and observance of the technical and organizational measures to guarantee the security necessary for the protection of personal data can be observed, since neither the existing logical nor physical access controls worked due to non-compliance with them, as well as the fact that personal data was stored on a removable device without being encrypted, which again reflects negligence in the observance of such measures, especially if one takes into account that these are data related to convictions and criminal offenses.
It is worth recalling, in this regard, the Judgment of the National Court of
17/10/2007 (rec. 63/2006), which, with respect to entities whose activity involves the
continuous processing of customer data, indicates “…the Supreme Court has
understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in
assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, when the activity
of the appellant is one of constant and abundant handling of personal data, the rigor and exquisite care to comply with the legal provisions in this regard must
be insisted upon.
-Article 83.2.g) RGPD. Categories of personal data affected by the infringement:
Personal data relating to infringements and criminal sanctions have been affected,
(…).
Considering the factors set out, the value of the fine for the infringement of art 32 of the GDPR charged is 55,000 euros (fifty-five thousand euros).
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on AFIANZA ASESORES, S.L, with NIF B83117804, for an
infringement of Article 5.1.f) of the GDPR, classified in Article 83.5 of the GDPR, a
fine of NINETY THOUSAND EUROS (90,000 euros).
SECOND: TO IMPOSE AFIANZA ASESORES, S.L, with NIF B83117804, for a
breach of Article 32 of the GDPR, classified in Article 83.4 of the GDPR, with a
fine of FIFTY-FIVE THOUSAND EUROS (55,000 euros)
THIRD: TO NOTIFY this resolution to AFIANZAASESORES, S.L.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/44
FOURTH: To warn the sanctioned party that he/she must make effective the sanction imposed
once this resolution is enforceable, in accordance with the provisions of
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure
number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A..
Otherwise, the collection will be carried out during the enforcement period.
Once the notification has been received and is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.
Against this resolution, which ends the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party
expresses his intention to lodge an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of a
written letter addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through one of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. He must also transfer to the Agency the
documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal
within two months from the day following the notification of this resolution, it will terminate the provisional suspension.
938-181022
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
