AEPD (Spain) - EXP202205206
From GDPRhub
| AEPD - EXP202205206 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 15.03.2022 |
| Decided: | 07.02.2024 |
| Published: | |
| Fine: | 3,500,000 EUR |
| Parties: | I-DE Redes Eléctricas Inteligentes, S.A.U. |
| National Case Number/Name: | EXP202205206 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a controller €3,500,000 after it failed to conduct an adequate risk assessment, overlooking avoidable security vulnerabilities that resulted in a data breach affecting 1,350,000 data subjects.
English Summary
Facts
On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. (the controller) detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. At that point, the controller had yet to detect any effect on personal data.
The following day (16 March), a brute force attack was made against the same webpage, resulting in a general slowdown. The controller adopted security measures in order to repel the attack. The controller analysed the attack’s activity and concluded that it has extracted the personal data of 1.35 million clients. The breached data included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, the controller notified the breach to the AEPD.
The controller is Iberdrola's energy distribution brand. Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In accordance with such law, the controller stated that it could only access the personal data of users of its electric service. It thus claims that it does not have access to the data of data subjects managed by other distribution companies.
Despite this separation, the controller communicated the breach to other companies of the Iberdrola group on 28 March 2022, noting that it could have affected information referring to clients of these companies. The controller included internal codes corresponding to the affected clients so that the companies could verify if those clients’ data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients was affected, respectively. Due to the numerous companies affected, the AEPD initiated investigations into four entities.
The controller requested that its case be joined with the AEPD’s investigation of Iberdrola (EXP202305587). It noted that the attack on its GEA portal was the common security incident that prompted both cases. With regard to the data breach and its security measures, the controller stated that had adopted the totality of security measures established by Iberdrola. It also argued that there had been no harm to the data subjects as a result of the breach.
Holding
The AEPD found that the controller violated Articles 5(1)(f) and 32 GDPR, imposing a fine of €3,500,000.
It began by rejecting the controller’s request for joinder, finding that even though there was a common security incident, the cases involve distinct breaches of different sets of personal data.
With regard to the violation of Article 32 GDPR, the AEPD considered that the vulnerability resulting in the data breach was foreseeable and avoidable. The controller failed to carry out an appropriate assessment of the risks of harms to data subjects that were inherent in its processing, and it did not account for risks to confidentiality, availability or integrity of the data. Furthermore, the AEPD noted that there were vulnerabilities in the portal that could have been detected prior to the cyberattack, including an inadequate password policy and a failure to limit access to the portal from suspicious IP addresses. The precise details of the vulnerabilities are redacted in the decision, but the AEPD noted that the shortcomings were exploited in the cyberattack and resulted in the breach. It further stated that the vulnerability could have been identified in security assessments, but that the controller had not conducted a security review of its critical applications since 2019 – over two years before the incident. Due to the shortcomings in security measures that resulted in oversights of the GEA portal’s vulnerabilities, the AEPD found the controller violated Article 32 GDPR.
The AEPD also found that the controller violated Article 5(1)(f) GDPR. It focused in particular on the failure to protect confidentiality of the personal data affected. In addition to lacking the security measures discussed above, the controller also did not have technical measures in place, such as pseudonymisation, that corresponded to the detail of the personal data it was regularly processing. The AEPD rejected the argument that none of the data subjects were adversely affected by the breach, emphasizing that the loss of confidentiality is, in of itself, a harm to the fundamental right to data protection.
Comment
The AEPD rejected the controller’s request for joinder with EXP202305587, an investigation against Iberdrola arising out of the same incident. Even though there was a common security incident, the cases involve distinct breaches of different sets of personal data. Indeed, the AEPD considered that the cyberattack was significant not only because it accessed the controller’s database, but because it also accessed the databases of two other Iberdrola companies (Iberdrola Clientes and Curenergía Comercializador de Ultimo Recurso). The different databases are hosted on a system maintained by Iberdrola, which is in charge of all of these companies. As a result of this, there has been a separate sanctioning procedure against Iberdrola focusing on its responsibility as the entity in charge of the processing of Ibercli y Curenergía and exclusively for the breach of personal data that affected those two companies. In this sense, the AEPD concluded, the impact on personal data of clients hosted in databases other than the controller’s cannot be part of the sanctioning procedure, which is meant to examine the conduct specifically of the controller.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/88
File No.: EXP202205206
- RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
index
BACKGROUND................................................. .................................................. .......3
FIRST................................................. .................................................. ...............3
SECOND................................................. .................................................. ..............4
THIRD................................................. .................................................. ...............4
ROOM................................................. .................................................. .................4
FIFTH................................................. .................................................. ..................4
SIXTH................................................. .................................................. ....................4
SEVENTH................................................. .................................................. ................5
EIGHTH................................................. .................................................. ..................5
Regulatory framework................................................ .................................................. ...5
Systems and database architecture. GEA Application.................................7
Regarding the chronology of the events. Actions taken in order to
minimize adverse effects and measures adopted for their final resolution.....10
Regarding the causes that made the gap possible................................................13
Regarding the affected data................................................. ............................16
Regarding the treatment manager contract................................................... .18
Regarding security measures................................................... ....................18
Regarding communication to those affected................................................... ...........25
Information on the recurrence of these events and number of analogous events
events over time.............................................. .......................................26
NINETH................................................. .................................................. ...............26
TENTH................................................. .................................................. ................26
ELEVENTH................................................ ...................................................27
TWELFTH................................................ ................................................29
THIRTEENTH................................................ ...................................................29
FOURTEENTH................................................ .................................................. .30
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/88
PROVEN FACTS................................................ ................................................30
FIRST: First notification of personal data breach...................................30
SECOND: Second notification of personal data breach...................................30
THIRD: Chronology of the attack................................................ ..................................31
FOURTH: About the GEA application.............................................. ................................33
FIFTH: Causes that made the gap possible................................................ ...........3. 4
SIXTH: Recommended measures................................................ ..................................36
SEVENTH: immediate measures after the breach................................................... ..............37
EIGHTH: security measures implemented prior to the incident......38
NINTH: Risk analysis of the treatment affected by the data breach
personal................................................ .................................................. .............39
TENTH: Number of people affected and type of data affected...................................39
ELEVENTH: Communication to those affected................................................. .....40
LEGAL FUNDAMENTALS................................................. ...................................40
Competence................................................. .................................................. ........40
Previous questions................................................ .................................................. .40
Regarding the request for accumulation and the suspension of the deadline to formulate
allegations................................................. .................................................. ...........41
Response to the allegations to the Startup Agreement................................................... ..........43
FIRST: ON THE ACCUMULATION OF PROCEDURES.................43
SECOND. – ABOUT THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN
RELATIONSHIP WITH THE PROCESSING OF THIS FILE AND THE
VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE TRUST AND
LEGAL SECURITY................................................ .......................................44
THIRD.- ON THE ADDITIONAL AFFECTION OF THE PRINCIPLES OF THE
SANCTIONAL LAW DERIVED FROM THE INTERPRETATION
CARRIED OUT BY LAAEPD................................................... ...................................49
FOURTH.- ON THE ALLEGED VIOLATION BY I- OF THE ARTICLE
32 OF THE RGPD................................................. .................................................. ......57
FIFTH. – ON THE ALLEGED DELART INFRINGEMENT. 5.1.F) OF
GDPR................................................. .................................................. ................63
Response to the allegations to the Proposed Resolution...................................................68
SECOND: About the previous acts of the AEPD and the violation of the
principles of good faith, legitimate trust and legal certainty...................................69
THIRD: About the arguments supported by the Proposed Resolution
to consider that bis in idem does not occur................................................. ..............74
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/88
FOURTH: On the application of the principles of the right to sanctions to
activity of the AEPD and the concurrence of a media contest................................77
FIFTH: Regarding the lack of violation by I-DE of article 32 of the RGPD
.................................................. .................................................. .........................82
SIXTH: Regarding the absence of violation of the principle of confidentiality and
integrity................................................. .................................................. ...........92
SEVENTH: Regarding the violation of the principle of proportionality to the detriment of
I-DE rights................................................ ................................................96
Integrity and confidentiality................................................ ...................................102
Classification of the violation of article 5.1.f) of the RGPD................................................... ..103
Penalty for violation of article 5.1.f) of the RGPD................................................. ......104
Article 32 of the GDPR................................................ ................................................105
Classification of the violation of article 32 of the RGPD................................................. ....110
Penalty for violation of article 32 of the RGPD................................................. .......111
BACKGROUND
FIRST: On March 18, 2022, the Innovation Division was notified
Technology of this Spanish Data Protection Agency (hereinafter AEPD or the
Agency) a security breach of personal data sent by I-DE REDES
ELÉCTRICAS INTELLIGENTES, S.A.U. with NIF A95075578 (hereinafter, I-DE) as
responsible for the treatment, in which it informs this Agency of the following:
On the afternoon of March 15, 2022, an attack was detected against the information management website.
connections (GEA) of I-DE. (…). At this time, no condition has yet been identified.
personal information. The next day, March 16, a brute force attack is detected
directed against the same target (GEA) as the incident the previous day. It repels
taking action. On March 17, GEA reopens and the activity record is analyzed
and it is concluded that there has been extraction of personal data. It is indicated that the number
affected is 4.5 million clients of this company.
SECOND: On March 29, 2022, I-DE presents a new notification
expanding the information on the security breach reported on the 18th of the same month,
in which he indicates that, after the forensic analysis of the incident, the number of his clients
whose data has been affected is 1.35 million and that the
existence of affected data of clients of other companies of the Iberdrola group, since
that the attacker could potentially have exceeded security conditions
of the exclusive information of I-DE, jumping to ranges of information from other
societies, which has already been transmitted to the Company's Systems management
for a detailed analysis of other conditions in other companies or businesses of the
Iberdrola group.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/88
Likewise, they indicate that the exact start date of the breach is March 7, 2022.
and report that the breach has not yet been communicated to the affected people and
which, at the latest, will be informed by March 31, 2022.
Along with the notification, the following is provided:
- Report “GEA cyber incident. Incident description and actions”, in which
describes the attack suffered and also includes the text of the
communication that will be sent to those affected.
THIRD: dated March 29, 2022, CURENERGIA COMERCIALIZADOR DE
ULTIMO RESOURCE SA, with N.I.F. A95554630 (hereinafter CURENERGÍA) presents
security breach notification, in which it indicates that it was aware of it on 28
March 2022 that it has been affected by the security breach suffered by I-DE,
indicating the violation of the confidentiality of the personal data of 1,550,000
of its clients, whom it has not yet informed but will do so no later than
03/31/2022.
FOURTH: dated March 28, 2022, IBERDROLA CLIENTES, S.A.,
with N.I.F. A95758389 (hereinafter IBERCLI) presents notification of breach of
security, in which it indicates that it has been aware on March 28, 2022 that
has been affected by the security breach suffered by I-DE, indicating the violation
of the confidentiality of the personal data of 85,000 of its clients, to whom
has not yet reported but will do so no later than 03/31/2022.
FIFTH: Since April 2, 2022, they have been presented to this Agency
claims from clients affected by the security incident, which have been
progressively admitted for processing from May 9, 2022.
SIXTH: On April 6, 2022, IBERCLI presents an extension of the notification
gap in which it reports that the people affected by it are 1,515,000 and
that they have been informed of the same on March 31, 2022 by communication
addressed personally to each affected person (postcard, email, SMS or similar).
Along with the notification, the following is provided:
- Report “Cyberattack incident 03/28/2022. Incident description and
Actions"
- Annex Communication to interested parties
SEVENTH: On April 6, 2022, CURENERGÍA presents an extension of the
breach notification in which it informs that the people affected by it are
92,550 and that they have been informed of the same on March 31, 2022 through
communication addressed personally to each affected person (postal, email, SMS or similar).
Along with the notification, the following is provided:
- Report “Cyberattack incident 03/28/2022. Incident description and
Actions"
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/88
- Annex Communication to interested parties
EIGHTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:
During these actions, the following entities have been investigated:
- I-DE REDES ELECTRICAS INTELLIGENTES S.A. with NIF A95075578 (in
forward, I-DE)
- IBERDROLA S.A. with NIF A48010615 with address at C/ TOMAS REDONDO,
1 - 28033 MADRID (MADRID) (hereinafter IBERDROLA)
- IBERDROLA CLIENTES S.A.U. with NIF A95758389 (hereinafter, IBERCLI)
- CURENERGIA COMERCIALIZADOR DE ULTIMO RESURSO S.A. with NIF
A95554630 (hereinafter, CURENERGIA)
Regulatory framework
- The regulations governing the electricity sector, Law 54/1997, of November 27,
of the Electrical Sector, imposes an obligation of total separation between the
regulated activities, such as distribution, and liberalized activities, such as
marketing.
- The right that consumers of electrical energy have to access and
connection to the transportation and distribution networks of electrical energy in the
Spanish territory is specifically included in Law 24/2013, of 26
December, from the Electrical Sector.
Distribution companies and marketing companies are two
differentiated entities in the field of the Electrical Sector. In this sense the
Law 24/2013, of December 26, of the Electrical Sector defines them as subjects
different.
- In accordance with the regulation of the electrical sector, the consumer, to receive
electricity at your home, you need to be the holder of two contracts
differentiated in relation to their point of supply (CUPS):
On the one hand, the energy purchase contract, “contract of
supply”, which is signed between a consumer and a company
electricity marketer.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/88
Although it is also possible that the consumer acquires the
electricity directly on the market, without the need for
marketer, is not typical of natural person clients but of
large electricity consuming companies, indicate I-DE, IBERCLI
and CURENERGÍA in their response.
On the other hand, the network access or distribution or transportation contract,
“ATR contract”, which the consumer signs with the intermediation
as agent of the marketing company with which it has
contracted the purchase of electrical energy.
Although you can also subscribe directly with the owner company
of the network, is not typical of natural person clients but of
large electricity consuming companies, indicate I-DE, IBERCLI
and CURENERGÍA in their response.
- When a customer wants to contract electricity at a supply point or
make any contractual modification, said client goes to a
marketing company, who on behalf of the client and as his agent
contracts on its behalf the ATR contract, access contract to the
distribution.
Any contractual modification requested by a marketer to a
distributor is made through XML digital requests complying with the
exchange formats between agents established by the National Commission
of Markets and Competition (CNMC), by virtue of the Resolution of 20
December 2016, which approves the formats of the data files
exchange of information between energy distributors and marketers
electricity and natural gas, and Resolution of December 17, 2019, by which
New formats for information exchange files are approved
between distributors and marketers and the Resolution of 20 December is modified.
December 2016.
Taking into account the above:
- I-DE, electricity distributor of the Iberdrola group, states that
can only access the data of its clients, that is, users
of the electrical service whose supply point is within the network
whose management, as a distributor, corresponds to you and not to those managed by
other distribution companies.
In relation to the users of your network, you know the information of the marketer
of each consumer as a consequence of the signature with him (or with the
marketer as agent of the consumer) of the ATR contract.
- I-DE indicates that it would not have the capacity to know any type of information
related to those who, being clients of IBERCLI or CURENERGIA,
electric energy marketers of the Iberdrola group in the free market and
regulated market, respectively, were not of this distributor.
Systems and database architecture. GEA application
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/88
(…)
IBERDROLA indicates that the audit to verify the logical separation of the
access to information by I-DE has its cause in what is established in the
regulatory regulations of the electrical sector, which imposes an obligation of separation
total between regulated activities, such as distribution, and liberalized activities, such as
is marketing, so that distribution companies must prove the
aforementioned separation.
I-DE informs that, annually, it issues a report that is presented to the Ministry
for the Ecological Transition and the Demographic Challenge (MITERD) and the National Commission
of Markets and Competition (CNMC) to account for compliance with the
obligations regarding separation of activities by the companies of the
group formed by Iberdrola España and the companies in which it participates with
regulated activities, that is, the company I-DE REDES ELÉCTRICAS
INTELIGENTES, S.A.U., article 12.2 b) of the Electricity Sector Law and article 14 of the
Code of separation of Activities of the Companies of the Iberdrola Spain Group
with Regulated Activities (“CSA”) available on the Iberdrola Spain website,
during exercise.
(…)
Regarding the chronology of the events. Actions taken in order to minimize
the adverse effects and measures adopted for their final resolution.
I-D states the following:
- On March 15, in the afternoon, an attack was detected against the management website
I-DE attacks, (GEA), the sequence of events being the following:
(…)
- On the morning of March 16, 2022, there is a general slowdown
access to various Iberdrola group websites.
(…)
- Starting March 17, 2022:
(…)
As of the 17th, no suspicious traffic or impact has been observed in
none of the Iberdrola group's internet service systems.
From the analysis of the activity log of the GEA application of the last
days it is concluded on March 17 that a
exfiltration, between March 7 and 15, 2022, of
approximately 4.5 million interested parties (natural persons).
(…)
On March 28, 2022, the Systems Directorate communicates to
IBERCLI and CURENERGIA the existence of a security incident in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/88
the I-DE systems that could have affected the information referring to
the clients of these companies and includes information regarding the
internal customer codes of those affected, so that the companies
verify whether data corresponding to
Your clients. Information analyzed by IBERCLI and CURENERGIA
verify that the security breach has affected personal data of
clients of said companies.
(…)
- Likewise, I-DE states and certifies that since it became aware of the
incident, the necessary actions were put into practice to, in coordination
with affected organizations, comply with internal protocols
established for this purpose and the applicable legislation, and which include the following
Actions:
Communication to INCIBE-CERT, National Institute of Cybersecurity in
Spain, as a response team to security incidents
Iberdrola reference computing.
Communication to the Cybernetic Coordination Office, under the
RDL 12/2018 on security of networks and information systems that
refers the cybersecurity incident to the National Police for
investigation,
Communication to the National Center for Infrastructure Protection
Criticisms under Law 08/2011 on Infrastructure Protection
Critics.
Presentation of a complaint to the National Police (Central Unit
of Cybercrime) and the document presented by I-DE together with the
same.
Notification of the security breach to the AEPD and those affected.
- In summary, the monitoring systems allowed the detection of a
abnormal volume of traffic, a traffic analysis activity was launched
greater detail and the immediate measures that were adopted were:
(…)
-IBERCLI and CURENERGIA state that the cessation of the incident occurred
even before they were aware that it had affected
personal data referring to its clients, resulting in said cessation of the
additional security measures implemented by the Systems Directorate in the
GEA application, aimed at preventing access to it from
be exfiltrated by entering a random code information from the Database
Data referring to clients of other Group entities.
Regarding the causes that made the gap possible
- (…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/88
Regarding the affected data
- Exfiltrated customer data (…):
Name
Last names
Email
Fax
Telephone
Address
NIF/DNI
Client Code
(…).
- (…)
On March 28, 2022, the Systems Management notifies IBERCLI
and CURENERGIA the existence of a security incident in the security systems
I-DE that may have affected the information referring to the clients of these
companies and includes information referring to internal customer codes
of those affected, so that the companies verify if they have been able to see
compromised data corresponding to their clients.
IBERCLI and CURENERGÍA verify that the security breach has affected
personal data of 1,515,000 and 92,550 clients, respectively.
Regarding the data processor contract
- The Group's Framework Agreement for the Protection of Personal Data is provided
Iberdrola in which the scope of the provision of services to the
Group companies carried out by IBERDROLA. This agreement has been
updated in its Annex II, said update being pending
formalization.
Likewise, the Declaration of Acceptance of Iberdrola España S.A.U. is provided.
of its adhesion to the Framework Agreement for the Protection of Personal Data of the
Iberdrola Group, the aforementioned entity acting, in accordance with what is indicated in the
second clause, in his own name and right and on behalf of the
companies belonging to its corporate group over which it has direct or
indirectly control, among which are I-DE, IBERCLI and
CURENERGY.
- IBERCLI and CURENERGIA provide a copy of the record of the activities of
processing of personal data corresponding to the affected treatments
through the gap:
(…)
- IBERDROLA provides a copy of the records of the treatment activities
corresponding to the treatments “Support and Maintenance of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/88
IT Infrastructures” and “Application Development (SWF)”, which is carried out in
your status as the person in charge of the treatment, with respect to various treatments
of the Group companies, among which are those affected by the
security breach.
Regarding security measures
Regarding the risk analysis carried out on the treatment activity that has been
suffered the security breach before the breach occurred:
- IBERDROLA states in a response letter that the Iberdrola Group has
adopted a risk analysis methodology for data processing
personal data that is implemented in an automated way in the company itself.
corporate tool for recording treatment activities, so that
In the registration process itself, the risk level of the treatment is determined.
- In the case of treatments for which IBERDROLA acts as
person in charge of the treatment, points out that the methodology involves carrying out the
risk analysis in relation to each of the treatments with respect to
those for which IBERDROLA holds said condition, so that this analysis is
developed by the entity responsible for the treatment in collaboration
with IBERDROLA
- For this reason, the result of the risk analysis related to the
specific treatments ***TREATMENT.1 and ***TREATMENT.2 figure
incorporated into the Records of Treatment Activities of I-DE and those of
IBERCLI and CURENERGIA, their results having been communicated to
IBERDROLA.
(…)
-Security measures implemented prior to the gap in treatments
of data where it has occurred:
I-DE, IBERCLI and CURENERGIA indicate in their responses that prior to the
incident, the following common security measures were implemented
to the IT infrastructure of the Iberdrola Group:
- (…)
Likewise, like IBERDROLA, they also describe the security measures
specific to the GEA system:
- (…)
Measures adopted to avoid, as far as possible, incidents such as the one that occurred
- With the data obtained from the cyberattack methodology, (...).
Regarding communication to those affected
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/88
- I-DE informs the Systems Directorate, on March 28, 2022, that,
of the information provided regarding the customer codes of those affected
Due to the gap, only 1.34 million records correspond to
I-DE clients.
Likewise, it determines that it will proceed to communicate the security breach to the
affected through the communication channels that I-DE maintains with the
themselves. The communications were sent via email; to the
clients whose email address was available to them, through the
making several shipments between March 31 and April 12, 2022; and by
postal mail to the rest between March 30 and April 7, 2022.
- On March 28, 2022, the Systems Department notifies IBERCLI
and CURENERGIA the existence of a security incident in the security systems
I-DE that may have affected the information referring to the clients of these
companies and includes information referring to internal customer codes
of those affected, so that the companies verify if they have been able to see
compromised data corresponding to their clients.
IBERCLI and CURENERGÍA state that after analyzing the information by their respective
systems teams verify that the security breach has affected data
personal of 1,515,000 and 92,550 clients, respectively.
Likewise, they resolve to notify those affected of the security breach. The notification to
those affected was carried out, between March 31 and April 1, 2022, at the
clients whose email address was available, by sending
massive electronic communications; and by postal mail to the rest on the 4th and
April 5, 2022.
- The three companies provide the communication model sent to those affected
and it is verified that it complies with what is specified in article 34 of the RGPD.
Information on the recurrence of these events and number of analogous events
events in time.
IBERDROLA states that apart from the security incident that is the subject of this
procedure, no other procedure of a similar nature has occurred.
NINTH: The entity I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. it is a great
company established in 2000, and with a turnover, according to AXESOR
of ***QUANTITY.1 euros in the year 2021 and ***QUANTITY.2 euros in the year 2022.
TENTH: On May 5, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against I-DE, in accordance with the
provided in articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 5.1.f) of the RGPD and Article 32 of the
GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/88
The aforementioned Startup Agreement was notified in accordance with the rules established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP).
ELEVENTH: On May 24, 2023, I-DE presents a document by which
requests the accumulation of this file with EXP202305587, as well as the
suspension of the deadline for issuing allegations until it is resolved
about this petition, stating the following:
I-DE understands that the facts that serve as a basis for the exercise of power
sanctioning that the Agency tries to exercise are or have a unique basis that affects
the two sanctioning files that have been opened as differentiated, for
which requests the accumulation of both sanctioning procedures when understanding
that there is a necessary connectivity between them, that is, that it is a
same situation that can result in the responsibility of both. Understand by
I-DE that the terms of said responsibility, total, partial, at the level of author,
collaborator or any other that comes from criminal references can only
be appreciated if the procedure is analyzed as a whole.
I-DE maintains that the lack of accumulation in the present case could imply a
double imputation to two entities of the same facts, which the greater the
many belong to the same business group, specifically the Iberdrola group
of which IBERDROLA is the parent company.
If both files are not consolidated, I-DE states that it would be impossible to determine which
is the degree of responsibility of each of them, since the facts are
would be analyzed separately and without assessing the supposed simultaneous action,
in terms of responsibility, of the two entities against which both
procedures are directed. In this way, a double
imputation of the same facts to both entities without assessing whether or not it is
shared or if the sanctioning reproach directed separately against both does not
should be subject to reduction as a consequence of this supposed concurrence of
responsibility. With this, it is limited, in the terms established in the jurisprudence
constitutional that is reproduced below, the right to defend I-DE, by not
be able to analyze the concurrent circumstances in the case in a unified way as
consequence of the fragmentation caused by the opening of two procedures
differentiated.
I-DE understands that the budgets established in article 57 of the Law are met
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) that justify the accumulation of the
procedures, as well as the individualization of the relevance of their application to the
present assumption:
A) Existence of "intimate connection" or "substantial identity."
I-DE points out that, in the present case, on March 18, 2022, a
personal data security breach, initially reported by I-DE. Is this
same security breach that determines the opening of this procedure
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/88
in which responsibility is attributed to i-DE, as well as that of the one that is intended
accumulate with the present, open to elucidate the responsibility of IBERDROLA.
I-DE indicates that connectivity, in the present case, derives, therefore, from the fact that
It tries to purge responsibility of two legal entities, but for the same fact:
It is the Agency itself that makes it clear that this is a single security breach and
that on it is the one on which, where appropriate, the responsibilities will be based.
subjective opinions of I-DE, in this procedure, and of IBERDROLA in the
procedure whose accumulation is requested.
Therefore, I-DE concludes that, since there are only a few facts for which
responsibility to both i-DE and IBERDROLA, it is evident that it is necessary
the joint assessment of them in order to determine if there is a
joint or separate responsibility of both entities, as well as whether the
responsibility would be by different title in both cases.
B) That the processing and resolution of the procedure corresponds to the same body.
I-DE points out that, together with the previous requirement, the LPACAP imposes respect for
general principle of competence of the body that must issue the resolution, requirement
which is fulfilled in the present case, given that the Law attributes the jurisdiction to
the processing of both procedures to a single sanctioning body, so with
accumulation is not lost or that competence is blurred as a consequence of the
potential existence of different instructional bodies.
In the opinion of I-DE, the essential effect of the accumulation of files is that
all issues to be resolved must be examined in a single procedure and
decided in a single final act that jointly assesses the responsibilities of
all those involved.
I-DE points out that the scheme that has just been analyzed has, without a doubt, characteristics
special in the sanctioning area due to the structure itself and the value judgment that the
itself encloses.
He brings up several Rulings of the Constitutional Court to point out that the
main principles and constitutional guarantees of the criminal order and criminal process
must be observed, with certain nuances, in the administrative procedure
sanctioning system such as the right to be informed of the accusation (SSTC 31/1986,
190/1987, 29/1989) and to use the relevant means of evidence for the defense
(SSTC 2/1987, 190/1987 and 212/1990), as well as the right to the presumption of
innocence (SSTC 13/1982, 36 and 37/1985, 42/1989, 76/1990 and 138/1990), rights
fundamental, all of them that have been incorporated by the legislator into the regulations
regulating the common administrative procedure.
I-DE understands that the fragmentation of the procedure into two procedures
separated substantially affects the determination and verification of the facts
relevant in it, as well as the delimitation of the potential
responsibilities that may correspond to the entities to which the
procedures whose accumulation is requested.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/88
Therefore, I-DE concludes that accumulation is a requirement of adequate
instruction and the guarantee of the right of defense and that the separate processing
of two disciplinary proceedings against two different legal entities for the same
facts is detrimental to their interests.
I-DE understands that the lack of accumulation in the present case could imply a
double imputation to I-DE and IBERDROLA, as has been said, of the same facts,
without the accumulation allowing us to elucidate what would be the degree of responsibility of
each of them, since the facts would be analyzed separately and without entering
to assess the alleged simultaneous action, in terms of responsibility, of the two
entities against which both procedures are directed.
Understands that maintaining the separation of procedures means in terms
procedural a division of the cause that conditions the instructional action and
of proposal because different instructions, evaluations and tests appear
potentially different and, therefore, criteria that can be, equally,
differentiated.
For all the above, I-DE requests the accumulation of the two aforementioned files and
that the suspension of the deadline for the
formalization of allegations until the accumulation incident that
is raised in accordance with this writing.
Likewise, I-DE understands that, taking into account the nature of the request and the
impact on the investigation of the files in question and, finally, on the law
of defense of the interested parties in both procedures, by substantially affecting the
content of the allegations that I-DE could make in the event that the
mentioned accumulation, with the consequent reduction of their right to judicial protection
effective in its modality of using the means of proof necessary for the
adequate defense of your rights, we expressly request the suspension of the deadline
for the formalization of the allegations so that they can be made
according to the instruction criteria that we are requesting.
Therefore, I-DE requests the suspension of the deadline for formalizing allegations
until the accumulation incident that arises pursuant to the
present writing.
TWELFTH: On May 30, 2023, I-DE presented a written
allegations to the Startup Agreement.
THIRTEENTH: On January 2, 2024, a Proposal for
Resolution, proposing that the Director of the Spanish Agency for the Protection of
Data will be sanctioned to I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U. with NIF
A95075578, for a violation of Article 5.1.f) of the RGPD, typified in Article
83.5 of the RGPD, with an administrative fine of 2,500,000 euros (two and a half million
euros) and for a violation of Article 32 of the RGPD, typified in Article 83.5 of the
GDPR, with a fine of 1,000,000 euros (one million euros).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/88
FOURTEENTH: On January 22, 2024, this Agency receives, in
time and form, letter from I-DE in which it alleges allegations to the proposal of
resolution.
Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:
PROVEN FACTS
FIRST: First notification of personal data breach
On March 18, 2022, I-DE notifies the AEPD of a data breach
personal information in which he reports the following:
(…)
It is indicated that the number of affected people is 4.5 million clients of this company.
Indicates the start date of the gap as March 9, 2022
Indicates the date of detection of the breach, understood as the date on which the
responsible is certain that personal data has been affected: 17 of
March 2022.
SECOND: Second notification of personal data breach
On March 29, 2022, I-DE presents a new notification expanding the
information about the reported personal data breach, through the contribution
from the report “GEA cyber incident. Incident description and actions.” dated 28
March 2022, according to which:
“I-DE, within the provision of services to its clients, offers a web application
called File Management and Connections (GEA): ***URL.1
This service allows customers or their representatives (installers) to carry out the
relevant procedures for the process of a connection to the network. In the course of the
application sessions, there is an exchange of client data information that
is subject to the application's own security filters, so that each
client (or delegated representative) will only be able to access the information that
corresponds to the security and intended access profiles.
It indicates that the number of affected clients of this company is 1,350,000
Indicates the start date of the gap as March 7, 2022
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/88
THIRD: Chronology of the attack
According to I-D, in the report “GEA cyber incident. Incident description and
Actions." dated March 28, 2022” and provided along with the second notification
of personal data breach, as well as in the written response to the request
of information carried out by this AEPD, during the previous actions of
investigation, presented on August 1, 2022 (Registration number:
REGAGE22e00033475096) the chronology of the attack is as follows:
- “On March 15, in the afternoon, an attack was detected against the information management website.
I-DE connections, (GEA)
(…)
- On the morning of March 16, 2022, there is a general slowdown
access to various Iberdrola group websites.
(…)
- Starting March 17:
(…)
As of the 17th, no suspicious traffic or impact has been observed in
none of the Iberdrola group's internet service systems.
From the analysis of the activity log of the GEA application of the last
days it is concluded on March 17 that a
exfiltration, between March 7 and 15, 2022, of
approximately 4.5 million interested parties (natural persons).
(…)
On March 28, 2022, the Systems Directorate communicates to
IBERCLI and CURENERGIA the existence of a security incident in
the I-DE systems that could have affected the information referring to
the clients of these companies and includes information regarding the
internal customer codes of those affected, so that the companies
verify whether data corresponding to
Your clients. Information analyzed by IBERCLI and CURENERGIA
verify that the security breach has affected personal data of
clients of said companies.
(…)
FOURTH: About the GEA application
Regarding the GEA application, I-DE states:
In the report “GEA cyber incident. Incident description and actions.” dated 28
March 2022:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/88
-“I-DE, within the provision of services to its clients, offers a web application
called File Management and Connections (GEA): ***URL.1
This service allows customers or their representatives (installers) to carry out the
relevant procedures for the process of a connection to the network. In the course of the
application sessions, there is an exchange of client data information that
is subject to the application's own security filters, so that each
client (or delegated representative) will only be able to access the information that
corresponds to the security and intended access profiles”
-I-DE has a system (SIC) of which GEA is its own and exclusive web service
for the processing of their processes and customer data, with the business teams
and systems responsible for the development, evolution and maintenance of this system,
Likewise, exclusive for I-DE.
-In the “Access Manual for regular clients, GEA”, provided by I-DE, the
methodology for registering a user (Document No. 6 of entry
REGAGE23e00004673128), which indicates that for the development of the
Registering a new user requires an email address
valid and accessible, to which an individualized link is automatically sent
for each user, which allows setting the password for the first access,
thus validating the registration in the application.
-In the written response to the request made by this AEPD, presented with
date February 21, 2023 (Registration number: REGAGE23e00011000318) indicates I-
About what:
(…)
This URL was displayed to validated users at the time of the incident.
IBERDROLA S.A., which provides different services to I-DE and other companies in the
Group, among them, “IT infrastructure support and maintenance” and “Development
of applications”, acting accordingly, as in charge of R-D processing,
in its written response to the information request made by this AEPD
during the period of prior investigations, presented on January 24,
2023 (Registration number: REGAGE23e00004670187), upon request for information
relative to the description of the control and access permissions to the application of each one
of the identified profiles, IBERDROLA responds:
(…)
FIFTH: Causes that made the gap possible
In the “GEA Security Incident Forensic Report Summary”, dated March 23,
2022, provided by I-DE together with its written response to the request made by
this AEPD, presented on August 1, 2022 (Registration number:
REGAGE22e00033475841), it is indicated:
(…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/88
-I-DE indicates the following:
(…)
-IBERDROLA S.A., which provides different services to I-DE and other companies in the
Group, among them, “IT infrastructure support and maintenance” and “Development
of applications”, acting accordingly, as in charge of R-D processing,
in its written response to the information request made by this AEPD
during the period of prior investigations, presented on January 24,
2023(Registration number: REGAGE23e00004670187), indicates the following:
(…)
SIXTH: Recommended measures
It appears in the document “Summary Forensic Report GEA Security Incident”, of
03/23/2022, provided by I-DE in its letter of 08/1/2022, the following
recommendations:
(…)
SEVENTH: immediate measures after the breach
I-DE, in its written response to the request made by this AEPD,
submitted on February 21, 2023 (Registration number:
REGAGE23e00011000318) indicates:
(…)
IBERDROLA, S.A., in its response to the request for information
carried out by this AEPD during the period of prior investigations, presented in
dated January 24, 2023 (Registration number: REGAGE23e00004670187), attached
as “Document No. 11”, the “Urgent Cybersecurity Plan”. In it it is indicated,
among others, the following measures: Application Security:
(…)
EIGHTH: security measures implemented prior to the incident
Among others, it was contributed:
(…)
NINTH: Risk analysis of the treatment affected by the data breach
personal
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/88
At the request of this AEPD for a copy of the risk analysis on the rights and
freedoms of natural persons carried out on the processing activity that has
suffered the security breach prior to the incident, I-DE provided the scheme
followed within the Iberdrola Group for the assessment of risk in the treatment
of personal data is carried out in accordance with it.
This scheme provides details of certain threats or circumstances such as
“vulnerable groups” “access to personal data by more than 10 people”
“international transfers” “large-scale treatments” “profiles with
legal”. These circumstances are stated as questions and, as answered
“yes” or “no”, a result is applied.
Likewise, it indicates that “Attached as Document No. 8 is an explanatory document of
the logic followed to calculate the risk level according to this methodology.
This methodology is implemented in an automated way in the company itself.
corporate tool for recording treatment activities, so that in the
The registration process itself determines the risk level of the treatment. So, the
application of said methodology in relation to treatment ***TREATMENT.1
resulted in a MEDIUM risk level, as stated in Document No.
7 referred to above.
In said document 8, circumstances or threats are analyzed in the sense of
indicated scheme, which are transferred to the Registry of Treatment Activities.
TENTH: Number of people affected and type of data affected
1,350,000 I-DE clients affected.
Type of data affected:
Name and surname
Email address
Fax number
Phone
Postal address
NIF/DNI
Client code
Company code
ELEVENTH: Communication to those affected
In the written response to the information request made by this AEPD,
during the previous investigation proceedings, presented on August 1,
2022 (Registration number: REGAGE22e00033475096), I-DE states that it has
communicated to those affected the personal data breach, indicating:
“The aforementioned communications were sent to i-DE clients of whom
email address was available through this means through
making several shipments between March 31 and April 12,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/88
2022, the gap being notified by ordinary mail to the remaining clients between
on March 30 and April 7, 2022.”
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Previous issues
I-DE is a large company of the Iberdrola Group dedicated to energy distribution
electricity and for this purpose it processes personal data as the person responsible for a
very high number of people since, according to what it states, it processes data of 21 million
Of customers.
Therefore, in accordance with the provisions of article 4.1 of the RGPD, the
processing of personal data, since I-DE carries out, among
other treatments, the collection, conservation, consultation, use, deletion, etc., of
personal data of natural persons, such as: name, surname, ID, address
postal address, telephone number, email address, bank details, data
related to electricity supply and consumption, current account, etc.
Likewise, IBERDROLA S.A. provides different services to I-DE and other companies
of the Group, among them, “IT infrastructure support and maintenance” and
“Application development”, acting accordingly, as in charge of the
I-D treatment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/88
In the case at hand, the security breach suffered has affected data
personal data processed by I-DE in its capacity as data controller,
determine the purposes and means with respect to these treatments, under article 4.7
of the GDPR.
Article 4 section 12 of the GDPR broadly defines “violations of
security of personal data” (hereinafter security breach) as “all
those security violations that cause the destruction, loss or alteration
accidental or unlawful personal data transmitted, preserved or otherwise processed
form, or unauthorized communication or access to said data.”
In the present case, there is a personal data security breach in the
circumstances indicated above, categorized as a breach of confidentiality, by
there has been improper access by an unauthorized third party to data
personal data treated by I-DE.
III
Regarding the request for consolidation and the suspension of the deadline to formulate allegations
Regarding the request for accumulation of this file and EXP202305587
carried out by I-DE, it should be noted that article 57 of the LPACAP establishes:
“The administrative body that initiates or processes a procedure, whichever
has been the form of his initiation, he may dispose, ex officio or at the request of
part, its accumulation to others with whom it maintains a substantial or intimate identity
connection, provided that it is the same body that must process and resolve the
procedure.
There will be no appeal against the accumulation agreement.”
(emphasis is ours)
Therefore, it is a possibility that the Administration has, not being obliged to
proceed with the accumulation if requested. However, this does not prevent
Motivate below the reasons why it has been considered appropriate.
process both sanctioning procedures separately.
Thus, although the two sanctioning files, one directed against I-DE and the other against
IBERDROLA, S.A., start from the same security incident (the attack on the application
GEA), it has produced two different personal data breaches and
differentiated, as reflected in the Factual Background of this
proposal, especially in the Eighth Factual Background, where the
information collected during the phase of prior investigative actions carried out
carried out by this AEPD.
Thus, on the one hand, the attack was initiated through an I-DE web application,
taking advantage of a vulnerability in it and that allowed access to the database
I-DE data and which affected the confidentiality of 1,350,000 I-DE clients. By
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/88
Therefore, this sanctioning procedure is directed exclusively at I-DE as
responsible for the processing of the personal data of its clients and as
consequence of an existing vulnerability in one of your web applications.
On the other hand, not only personal data of I-DE was affected in the cyberattack,
but, when accessing the I-DE database, which was hosted in a
system in which databases from other companies in the same group coexist, but
that it was also possible to overcome the logical separation and access the databases
of two other companies, IBERCLI and CURENERGÍA, affecting the confidentiality of
personal data of clients of the latter two. These different databases
different businesses are hosted or run on one maintained and supported system
by the company IBERDROLA, S.A., which, consequently, is in charge of
treatment of all of them, that is, I-DE, IBERCLI and CURENERGÍA.
This fact has led to the initiation of a sanctioning procedure against IBERDROLA,
S.A., but due to its responsibility as the person in charge of processing IBERCLI and
CURENERGÍA and exclusively for the personal data breach that has affected
only to the personal data of the clients of these two companies
marketing companies and only taking into account the responsibility that may have
IBERDROLA, S.A. regarding the configuration of the databases it manages
regarding these two affected companies.
In this sense, this impact on personal data of clients hosted in databases
data other than I-DE cannot be part of this sanctioning procedure directed
exclusively to examine the conduct of I-DE, since it is not responsible for any
the personal data of affected customers that belong to other companies, nor of the
possible failure to adopt appropriate measures for their protection or for the
absolute separation between them. Therefore, it must be analyzed
independent management of the databases carried out by IBERDROLA, S.A. regard
of these third companies, without I-DE being able to respond for possible
breaches of data protection regulations that may have been incurred
those third companies.
This was stated by I-DE in its written response to the request made by this
AEPD, presented on August 1, 2022, in which when requested
information on the data affected by the breach relating to IBERCLI clients and
CURENERGÍA, responded that “I-DE does not have access to the data of the people who
have been affected by the security breach and do not have the condition
of clients of the aforementioned entity as their supply point is not assigned to the
network managed by i-DE. This means that i-DE does not have the capacity to know
any type of information related to those who are clients of IBERCLI or of
CURNERGIA are not from this distributor”
Therefore, the sanctioning procedures being directed at different subjects (two
different companies), the personal data of clients from different companies may be affected.
companies, I-DE having nothing to do with the data of other clients, be processed
due to vulnerabilities or non-compliance with respect to different systems (one,
web application, another a database), etc., which is why it has not been considered
This AEPD accumulates the two files, but processes the two procedures
sanctions separately, as the responsibility is clearly separated
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/88
that is attributed to each one, as well as being personal data breaches
different and that affect personal data processed by different controllers.
Likewise, this does not make I-DE defenseless because at all times it knows
the facts of which he is accused, the infringement that they entail, their classification, the
responsibility that has been incurred, as well as that it has had and has the opportunity to
formulate allegations and present whatever documentation it deems appropriate in
defense of your interests permitted by applicable legislation.
Finally, regarding the request for suspension of the deadline to formulate allegations
to the Startup Agreement until a decision is made on the accumulation of the two
procedures, it means that this possibility does not exist even in the applicable regulations
of data protection (RGPD AND LOPDGDD) nor in the LPACAP. On the contrary, in
What this last law establishes is the obligation that the procedures that must
be completed by the interested parties are mandatory:
“Article 73. Compliance with procedures.
1. The procedures that must be completed by the interested parties must
be made within a period of ten days from the day following the notification of the
corresponding act, except in the case that the corresponding norm states
set a different deadline.”
Therefore, the request for suspension is not applicable, as this does not legally exist.
possibility, nor has it had any effect, having not been suspended, in
consequently, the deadline for formulating allegations.
IV
Response to allegations to the Startup Agreement
In response to the allegations presented by I-DE, the following should be noted:
FIRST: ON THE ACCUMULATION OF PROCEDURES
I-DE reiterates the request for accumulation again and refers to the request presented
to this effect on May 24, 2023.
In this regard, it is appropriate to refer to what was argued in the Legal Basis
above, in which a due answer to this question is given.
SECOND. – ABOUT THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN
RELATIONSHIP WITH THE PROCESSING OF THIS FILE AND THE
VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE TRUST AND
LEGAL SECURITY
I-DE alleges that this AEPD has violated the principles of legal certainty, good faith
and legitimate trust established in article 3.2 e) of Law 40/2015, of 1
October, of the Legal Regime of the Public Sector (hereinafter LRJSP) since through
writing dated April 18, 2022, from the Technological Innovation Division of the
AEPD, it is indicated, in relation to the additional information provided by I-DE regarding
the personal data breach suffered by her, which “After analyzing the information
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/88
provided, the security breach has been updated in the security log.
notifications of security breaches and the initiation of other actions by
part of this Agency”, but that nevertheless, subsequently and without
no subsequent action until the date of the first information request
that is addressed to you (writing signed on July 8, 2022 by the acting Inspector) of what
which seems to indicate the initiation by the AEPD of investigative actions,
without any agreement or decision in this regard.
I-DE understands that this shows that it was not appropriate to carry out
additional investigation related to the gap since the AEPD when signing the
referred letter of April 18 considered appropriate the statements made
by I-DE, not appreciating in the gap the concurrence of any element that
justify the carrying out of investigative actions aimed at determining whether
had produced an alleged violation of data protection regulations.
However, I-DE continues, the AEPD on May 9, 2022, agrees to admission to
processing of claims (formulated prior to April 18, 2022) and the
initiation of prior investigative actions, but without it being stated in the
file no action or circumstance related to this case that would have
been contributed or occurred in the period between April 18 and the date of
admission to processing and that justifies the start of the same.
Likewise, I-DE understands that the letter of May 18, 2022 implies that the AEPD
considered that the information received from her about the breach was sufficient to
understand that it did not bear any responsibility for an alleged
non-compliance with data protection regulations, which determined the archive
of a file that, however, the AEPD decides to open days later without
there is any indication that implies a substantial change in the nature,
circumstances or severity of the breach. From this I-DE concludes that the AEPD adopted
a decision that directly contradicts the previous one adopted just 20 days ago
before.
Faced with this, it should be noted that in no way can the interpretation
of I-DE of the letter that he received on May 18, 2022. Thus, said letter is signed
generically by the AEPD, comes from the Technological Innovation Division, the
which is responsible for receiving security breaches and recording them in the registry at
effect, and in which the following was indicated:
“In relation to the additional information provided through check-in
REGAGE22e00010072289, relating to a personal data breach in a
treatment of I-DE REDES ELECTRICAS INTELLIGENTES S.A.U. we inform
that:
After analyzing the additional information provided, the security breach has
been updated in the security breach notification log and not
The initiation of other actions by this Agency is expected.
However, we remind you of the need to investigate the causes of the incident
until we understand how and why it has happened, and the obligation to take the
timely actions to prevent it from happening again and minimize the impact
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/88
potential on those affected, as well as the obligation to document any
security incident that may affect personal data such as
facts related to them and the corrective measures provided as and
as established in article 33.5 of the RGPD.
If over time you obtain indications that imply a change
substantial in the nature, circumstances or severity of the breach, may
make a new complete notification through our electronic office
https://sedeagpd.gob.es/sede-electronica-web/.
Likewise, we inform you that in the following link you have at your disposal the
guide for managing and reporting data security breaches
personal information published by this Agency:
https://www.aepd.es/media/guias/1ome-brechas-seguro.pdf”
The heading includes “TECHNOLOGICAL INNOVATION DIVISION”
On the left side of the document it is indicated that “Signed electronically by:
Spanish Data Protection Agency. As of 04/18/2022”
It is not signed by the Director of the Agency, it has no operative part in
which something is agreed upon or resolved, nor does it have any indication of any recourse against
the same.
Therefore, and contrary to what I-DE states, this document does not have a decisive nature, nor
due to its content, which only contains a forecast and which in no way can
understood to mean that this AEPD has assessed and decided that it did not attend I-
OF any responsibility for an alleged breach of the regulations of
data protection, which would mean archiving some actions - as has
wanted to understand I-DE-, nor by its form, since it does not even formally reflect
a decision, much less a resolution to file any action, since
For this to be the case, the only competent body for this is the current Director of the
AEPD. Thus, Article 13 of the AEPD Statute, approved by Royal Decree
389/2021, of June 1, the functions of the Presidency are determined:
1. The Presidency of the Spanish Data Protection Agency is responsible for:
d) Issue the resolutions and guidelines required for the exercise of functions
of the Agency, in particular those derived from the exercise of powers
provided for in article 57 of Regulation (EU) 2016/679 of Parliament
European Parliament and of the Council, of April 27, 2016, and the exercise of powers
of investigation and corrective powers provided for in article 58 of the
cited Regulation.
Therefore, to proceed with the archiving of investigation proceedings, it is required,
first, that they have been initiated (either because a claim has been admitted for processing,
either on their own initiative, which in both cases requires an express resolution
signed by the Director), which had not happened at the time of issuance of the
aforementioned writing from the Technological Innovation Division and, secondly, it is
necessary again an express resolution on the part of the Director archiving
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/88
said actions to understand, now, that from the information collected in said
investigations, the existence of a violation of the regulations of
data protection, which had not occurred.
In the present case, after notification of the personal data breach by
I-DE, several claims were filed by people affected by it, the
which were admitted for processing jointly by the AEPD in compliance with the
article 64 LOPDGDD:
Article 64. Form of initiation of the procedure and duration.
1.When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be
will be adopted in accordance with the provisions of article 65 of this organic law.
In this case, the period to resolve the procedure will be six months from
from the date on which the claimant had been notified of the agreement
admission for processing. After this period, the interested party may consider
estimated your claim.
2.When the procedure aims to determine the possible
existence of a violation of the provisions of Regulation (EU) 2016/679 and in
This organic law will begin by means of an initial agreement adopted by
own initiative or as a result of a claim.
If the procedure is based on a claim made before the Agency
Spanish Data Protection Authority, in advance, will decide on your
admission for processing, in accordance with the provisions of article 65 of this organic law.
When the rules established in article 60 of the
Regulation (EU) 2016/679, the procedure will begin by adopting the
draft agreement to initiate the sanctioning procedure, which will be given
formal knowledge to the interested party for the purposes provided for in article 75 of this
organic Law.
The claim is admitted for processing, as well as in cases in which the Agency
Spanish Data Protection Agency acts on its own initiative, prior to the
initiation agreement, there may be a phase of prior investigation actions,
which will be governed by the provisions of article 67 of this organic law.
Article 67. Previous investigation actions.
1.Before the adoption of the agreement to initiate the procedure, and once admitted
processing the claim if there is one, the Spanish Data Protection Agency
may carry out prior research actions in order to achieve a better
determination of the facts and circumstances that justify the processing of the
procedure.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/88
The Spanish Data Protection Agency will act in any case when it is
requires research into treatments that involve massive data traffic
personal.
2.Preliminary investigation actions will be subject to the provisions of the
Section 2 of Chapter I of Title VII of this organic law and may not have a
duration exceeding twelve months from the date of the admission agreement to
procedure or the date of the agreement by which its initiation is decided when the
Spanish Data Protection Agency acts on its own initiative or as
consequence of the communication that had been sent to him by the authority of
control of another Member State of the European Union, in accordance with article 64.3 of
this organic law. (emphasis is ours)
From said regulations it is not inferred in any way that the AEPD has to justify
the way that I-DE requires the initiation of prior actions in the sense that it has
that there is something new or some new circumstance or that the claims have
had to provide new and different circumstances regarding documentation
provided by I-DE in its notification of the breach to this Agency, since this is not
required by the indicated regulations, in addition to the fact that it cannot be claimed that the
affected parties contribute something new, apart from knowing that the
confidentiality of your personal data due to a cyber attack, the circumstances of which
they don't know.
Precisely the previous investigative actions are carried out to clarify the
facts and circumstances of what happened, gathering more information in order to
be able to determine or not the existence of a possible violation of the regulations in
data protection matters. In this sense, the beginning of previous investigations and
its realization, the power of the AEPD with or without claims, does not prejudge anything, but
that allows gathering the necessary information to determine whether or not there are indications of
infringement. Even after said investigation, the proceedings may be archived
to understand, in view of the information collected, that there are no indications of
infringement. Which, in the present case, has not happened.
What the regulations do indicate is that, after the presentation of claims, this
Agency must decide whether to admit them for processing or not, having finally decided on their
admission through, this time, an Admission Agreement for processing, signed by the
Director of the Agency dated May 9, 2022. And, as indicated in article 67.2
referenced LOPDGDD, the AEPD can carry out prior actions of
investigation in order to achieve a better determination of the facts and the
circumstances. It is a power attributed to it by the RGPD and the LOPDGDD.
Likewise, and to make matters worse, even in the event of there being no
claims existed, the document from the Technological Innovation Division did not
nor would it have been an obstacle or obstacle to the exercise of the powers of
investigation that the AEPD has in accordance with the aforementioned article 64.2 that
determines that “The claim is admitted for processing, as well as in the cases in which
The Spanish Data Protection Agency acts on its own initiative, with character
Prior to the initiation agreement, there may be a phase of prior actions of
investigation…"
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/88
Therefore, this sanctioning procedure has not been initiated due to the content or
by some new information provided in the claims, but by the information and
documentation obtained after the period of prior investigation actions, to the
possible violations of protection regulations may be inferred from it.
of data.
Finally, I-DE brings up the Supreme Court ruling of February 22
of 2016 (resource 4048/2013), understanding that it is fully applicable to the case, in the
which is indicated:
“According to the facts briefly stated, we can consider
legitimate trust has been injured, since the Administration cannot adopt
decisions that contravene the perspectives and hopes founded on the
own previous decisions of the Administration. When you trust the
stability of his criteria, evidenced in multiple previous acts in a
same sense, which leads the administrator to adopt certain decisions,
trust is generated based on the consistency of behavior
administrative, which cannot be defrauded through an act
amazing. […]
It is worth keeping in mind that legitimate trust requires, ultimately, the
concurrence of three essential requirements. Namely, that it is based on signs
undeniable and external (1); that the hopes generated in the administered
they must be legitimate (2); and that the final conduct of the Administration is
contradictory with previous acts, is surprising and incoherent (3).
Exactly what happens in the case examined, according to the facts
previously reported.
Let us remember that, with respect to legitimate trust, we have been declaring
reiterated, by all, Judgment of December 22, 2010 (appeal
contentious-administrative no. 257 / 2009), that << the principle of good faith
protects the legitimate trust that may have been reasonably placed in
the behavior of others and imposes the duty of coherence in the
own behavior. Which is to say that the principle implies the
requirement of a duty of behavior that consists of the need to
to observe, with a view to the future, the behavior that previous acts predicted and
accept the binding consequences that arise from one's own actions
constituting a case of injury to the legitimate confidence of the parties
“I will come contra factum propium >>
In this regard, it is meant that the doctrine established therein is not “of
application to the present case, since, as indicated above, it has not been a
decision of this Administration, neither due to its form nor its content, nor has it caused
trust in the stability of his criterion, since there has been no criterion
decisive in this regard, much less evidenced in multiple previous acts in a
same sense, so the action of this Agency in relation to the alleged has not
supposed a final conduct of her that is contradictory with previous acts that
be surprising or incoherent, in the sense of the Court's doctrine.
For the above reasons, the claim made is rejected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/88
THIRD.- ON THE ADDITIONAL AFFECTION TO THE PRINCIPLES OF THE
SANCTIONING RIGHT ARISING FROM THE INTERPRETATION MADE
BY LAAEPD
I-DE alleges in this section that the Startup Agreement incurs important
violations of the principles of administrative sanctioning law, since it implies
the imposition of two infractions whose content is, in reality, identical or with respect to
which, at least, it is possible to appreciate the subsumption of one of them in the other:
1.Violation of the non bis in idem principle
I-DE alleges that in the Start Agreement the AEPD considers that the
security implemented by it have not been, in its opinion, adequate and that this
implies a double violation of the RGPD, on the one hand, it understands that I-DE has not
adopted the appropriate technical and organizational measures, required by article 32
of the GDPR; and,
On the other hand, it considers that the principle of security has been violated, allegedly violating
article 5.1 f) of the GDPR, of which article 32 is nothing more than a mere specification.
I-DE understands that this means that two different sanctions are imposed,
respectively, considering that my client lacks the appropriate
security measures and because he understands that it has occurred, due to the lack of such
measures, a breach of confidentiality of personal data. And also,
establishes for both alleged infractions circumstances modifying the
responsibility of I-DE in every point identical, both in its determination and in the
legal basis for its imposition.
I-DE points out that it follows that the AEPD considers that the same fact (the
alleged insufficiency of security measures) would constitute two infractions
of the same protected legal asset (the adequate guarantee of the rights and freedoms
of interested parties). And this, because, on the one hand, the absence of the
security measures that the AEPD considers necessary to adopt and, on the other, the
principle of security and confidentiality, which requires the adoption of such measures.
Therefore, I-DE maintains that, incurring the triple identity of subject, fact and good
protected legal, there is no doubt that the principle of non bis in has been violated
idem, so it would only be possible to charge and punish for a single infraction, which in this
case would only be for article 32, since it would only be possible to appreciate the supposed
insufficiency of security measures.
Faced with this, it is necessary to explain the difference between the violation of art. 5.1.f and the
article 32 of the RGPD, which will be expanded in the following point regarding the allegation
regarding the existence of media competition, as well as the different classification in
sections even different from art. 83 of the GDPR and the different qualification of both
the effects of prescription in the LOPDGDD.
The art. 5.1.f) of the RGPD is violated when there is a loss of confidentiality,
of integrity or availability of personal data due to the absence or deficiency of
measures of any kind.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/88
This principle only determines the channel through which the
maintenance of confidentiality, integrity or availability when explicit
“through the application of appropriate technical and organizational measures”, which are not
Strictly security.
I-DE indicates that the appropriate technical and organizational measures to which it makes
mention the art. 5.1.f) RGPD are the security measures of art. 32 of the GDPR. This
would be to simplify the essence of the RGPD whose compliance is not limited to the implementation
technical and organizational security measures; would mean, in our case,
reduce the required guarantee through the principle of integrity and confidentiality at your discretion.
achievement only with security measures.
When art. 5.1.f) of the GDPR refers to technical or organizational measures
appropriate to guarantee the rights and freedoms of the interested parties within the framework of
The management of regulatory compliance with the RGPD does so in the sense provided in the
art. 25 of the GDPR regarding privacy by design.
This precept determines that,
“Taking into account the state of the art, the cost of the application and the
nature, scope, context and purposes of the processing, as well as the risks of
varying probability and severity that the treatment entails for the rights and
freedoms of natural persons, the person responsible for the treatment will apply, both
at the time of determining the means of treatment as well as at the time
of the treatment itself, appropriate technical and organizational measures, such as
pseudonymization, designed to effectively apply the principles of
data protection, such as data minimization, and integrate safeguards
necessary in the treatment, in order to comply with the requirements of this
Regulation and protect the rights of the interested parties” (emphasis is
our)
It should be noted that there are multiple technical or organizational measures that are not
security and that the person responsible for the treatment can implement as a channel to
guarantee this principle.
However, art. 32 of the GDPR includes the obligation to implement measures
appropriate technical and organizational security measures to ensure a level of
security appropriate to the risk. Of security. Just for security.
Furthermore, its objective is to guarantee a level of security appropriate to the risk.
regardless of whether a security breach has occurred, while
that in the case of article 5.1.f) of the RGPD, availability must be guaranteed,
confidentiality and integrity and materializes, in this case, with the loss of
data confidentiality. As can be seen, the two articles refer to
different behaviors, although they may be related.
Already entering fully into the examination of the non bis in idem, the Court's Judgment
National of July 23, 2021 (rec. 1/2017) provides that,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/88
“(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle
prevents punishing the same subject twice for the same act with support in the
same foundation, the latter understood as the same legal interest protected by
the sanctioning regulations in question. In fact, when there is the triple identity of
subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of
proportionality carried out by the legislator and materializes the imposition of a sanction
not legally provided for, which also violates the principle of proportionality.
But for it to be possible to speak of “bis in idem” a triple identity must occur.
between the terms compared: objective (same facts), subjective (against the
same subjects) and causal (for the same basis or reason for punishing):
2. Subjective identity assumes that the affected subject must be the same,
whatever the nature or judicial or administrative authority that
prosecute and regardless of who the accuser or specific body is that
has been resolved, or that it is tried alone or in conjunction with other
affected.
b) Factual identity assumes that the facts prosecuted are the same, and rules out
the cases of real competition of infractions in which there is not the same
illegal act but before several.
c) The identity of the foundation or cause implies that the sanctioning measures do not
can coincide if they respond to the same nature, that is, if they participate in a
same teleological foundation, what happens between penal and
administrative sanctions, but not between the punitive and the merely
coercive.”
Taking as reference what was previously explained, the principle has not been violated
non bis in idem, since, although roughly understood the facts are detected
consequence of a personal data breach, the violation of art. 5.1.f) of the GDPR
takes the form of a clear loss of confidentiality and availability, the violation of the
art. 32 of the GDPR boils down to the absence and deficiency of security measures
(security only) detected, present regardless of data breach
personal. In fact, if these deficiencies in the security measures that are
detected in the I-DE web application would have been detected by the AEPD without
would have resulted in the loss of confidentiality, it could only have been
sanctioned by art. 32 of the GDPR.
And all this in the face of the allegations made by I-DE which considers that in both
precepts require only one conduct, which is to implement adequate security. It's not
true, since art. 5.1.f) of the GDPR is not limited to guaranteeing security
appropriate to the risk, but rather to guarantee the integrity and availability through
any measures. And not only through security measures, but through everything
type of appropriate technical or organizational measures.
As we have indicated, through art. 5.1.f) of the RGPD, a loss of
availability and confidentiality and, through art. 32 of the RGPD the absence and/or
deficiency of the security measures implemented by the person responsible for the
treatment. Absent or deficient security measures, we add, that violate the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/88
GDPR regardless of whether the loss of data had not occurred.
confidentiality and availability.
Finally, regarding the application of identical aggravating factors in both infractions,
We must mean that the circumstances provided for in art. 83.2 of the GDPR and the
provided in art. 76.2 of the LOPDGDD are the only ones that can be applied by
AEPD for any infraction.
The determining factor in this case, with respect to that provided for in art. 83.2.b) of the GDPR does not
is that they coincide in their use, but rather the foundation established for their
consideration.
Having said all that, it is not considered that there is a violation of the principle of non bis in
idem, enshrined in article 25 of the Spanish Constitution.
2. Subsidiarily, existence of medial competition between the two imputed conducts
to I-DE
I-DE alleges that, on the other hand, the Initiation Agreement identifies (and intends to sanction)
a plurality of infractions that, supposedly, my client would have committed (which
which is flatly denied) when, in reality, one of them would be subsumed and
embedded in the other, giving rise to a medial competition in the terms provided in the
article 29.5 of the LRJSP.
I-DE understands that both infractions cannot be sanctioned, given that the commission of
the alleged violation of article 32.1 of the RGPD would determine the alleged violation
of article 5.1.f) of the same legal text and would be sanctioned by themselves
facts, since it considers that the alleged violation of article 5.1 f) would require
and inseparably the cause of the alleged lack of diligent implementation of the
measures referred to in article 32.1 of the RGPD.
I-DE brings up certain jurisprudence (for all, Sentence 339/2015 of
September 25, 2015 of the National Court - appeal 262/2014 - which cites the
Supreme Court ruling of February 8, 1999, - appeal 9/1996 -): “the
application of medial competition requires a necessary referral of infractions
respect to the others and vice versa, so it is essential that some do not
can be committed without executing the others.” Thus, there must exist “such a relationship between the
infringements concerned that one of them necessarily derives from the other, so
that the commission of one is not possible without executing the other” (for all, the Judgment of
the National Court of December 26, 2013, - appeal 416/2012). Thus
I-DE concludes that it is evident that such a relationship exists between the two infringements
who intend to accuse her.
In this regard, it means, as noted above, that art. 32
of the GDPR, although related to art. 5.1.f) of the GDPR does not circumscribe the principle
In its whole.
Thus, Article 5.1.f) of the GDPR is one of the principles relating to processing. The
principles relating to the treatment are, on the one hand, the starting point and the clause of
closure of the legal data protection system, constituting true
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/88
informing rules of the system with an intense expansive force; on the other hand, at
have a high level of specificity, they are mandatory standards that are susceptible
of being infringed.
Well, art. 5.1.f) of the RGPD includes the principle of integrity and confidentiality and
determines that personal data will be processed in such a way as to guarantee
adequate security of personal data, including protection against
unauthorized or illicit treatment and against its loss, destruction or accidental damage,
through the application of appropriate technical or organizational measures of all kinds,
not just security.
Moreover, art. 32 of the GDPR regulates how the security of the
processing in relation to the specific security measures that must be
implement, in such a way that taking into account the state of the art, the costs of
application, and the nature, scope, context and purposes of the processing, as well as
risks of varying probability and severity to the rights and freedoms of
natural persons, the person responsible and the person in charge of the treatment will apply measures
appropriate technical and organizational measures to guarantee a level of security appropriate to the
risk that includes, among other issues, the ability to guarantee the
data confidentiality.
As has been noted, this provision, art. 32 of the GDPR, although related to the
art. 5.1.f) of the GDPR does not circumscribe the principle in its entirety. The art. 5.1.f) of the GDPR
strictly requires that confidentiality be guaranteed, and requires for its application
a loss of confidentiality. We can find cases in which there are
inadequate measures without there being a loss of integrity and
confidentiality.
Proof of this is not only this difference between the violation of art. 5.1.f and the
article 32 of the RGPD, but the different classification in sections even different from the
art. 83 of the GDPR and the different qualification of both for the purposes of prescription
in the LOPDGDD.
In the case examined, as stated in the proven facts, there is a clear
loss of confidentiality revealed through a clear result:
produced illegitimate access by an unauthorized third party to personal data.
Likewise, as indicated, art. 5.1.f) of the RGPD is violated when
produces a loss of confidentiality, integrity or availability of data
personal, which may or may not occur due to the absence or deficiency of the measures
Strictly security.
This principle only determines the channel through which the
maintenance of confidentiality, integrity or availability when explicit
“through the application of appropriate technical and organizational measures”, which are not
Strictly security.
I-DE indicates that the appropriate technical and organizational measures to which it makes
mention article 5.1.f) are the security measures of art. 32 of the GDPR. This
would be to simplify the essence of the RGPD whose compliance is not limited to the implementation
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/88
technical and organizational security measures; would mean, in our case,
reduce the required guarantee through the principle of integrity and confidentiality at your discretion.
achievement only with security measures.
As noted above, when art. 5.1.f) of the GDPR refers to
appropriate technical or organizational measures to guarantee the rights and freedoms
of interested parties within the framework of GDPR regulatory compliance management.
does in the sense provided in art. 25 of the GDPR regarding privacy from
design.
We reiterate that there are multiple technical or organizational measures that are not
security and that the person responsible for the treatment can implement as a channel to
guarantee this principle.
And all this in the face of the allegations made to the contrary by I-DE that it considers
that in both precepts a single conduct is required, which is to implement security
appropriate. It is not true, since art. 5.1.f) of the RGPD is not restricted to the
guarantee of security appropriate to the risk, but rather to guarantee the integrity and
availability. And not only through security measures, but through all kinds of
appropriate technical or organizational measures.
As we have indicated, through art. 5.1.f) of the RGPD, a loss of
availability and confidentiality and, through art. 32 of the GDPR the absence and
deficiency of the security measures implemented by the person responsible for the
treatment. Absent or deficient security measures, we add, that violate the
GDPR regardless of whether the loss of data had not occurred.
confidentiality and availability.
In the present case, the aforementioned article 32 has been violated regardless of whether
ultimately suffered a breach of confidentiality or not, because the conduct
reprehensible and that violates said precept is the lack or inadequacy of those measures,
in themselves, that is, it is infringed and punished for it regardless of whether
Whether or not a personal data breach has occurred. Which does not prevent, in
In the event of a personal data breach materializing, this
circumstance as an aggravating circumstance, in accordance with the RGPD.
On the other hand, in the present case, so that we are faced with a violation of the article
5.1.f) it has been and is an unavoidable requirement that the confidentiality of the data be violated
personal (which does not happen with the violation of article 32)
Regarding the media competition, it should be noted that article 29 of the LRJSP does not
It is applicable to the sanctioning regime imposed by the RGPD. And this is because:
3. The GDPR is a complete system.
The GDPR is a community standard directly applicable in the Member States,
which contains a new, complete and global system aimed at guaranteeing the protection
of personal data in a uniform manner throughout the European Union.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/88
In relation, specifically and also, to the sanctioning regime provided in the
same, its provisions are applicable immediately, directly and
integral, providing for a complete system without gaps that must be understood,
be interpreted and integrated in an absolute, complete, integral manner, thus leaving the
Its ultimate purpose is the effective and real guarantee of the Fundamental Right to
Personal data protection. The opposite determines the loss of the
guarantees of the rights and freedoms of citizens.
In fact, a specific example of the lack of loopholes in the system of
GDPR is article 83 of the GDPR that determines the circumstances that can operate
as aggravating or mitigating circumstances with respect to an infringement (art. 83.2 of the RGDP) or that
specifies the existing rule regarding a possible medial competition (art. 83.3 of the
GDPR).
To the above we must add that the RGPD does not allow the development or realization of
its provisions by the legislators of the Member States, safe from what
the European legislator himself has specifically provided for, delimiting it in a very
concrete (for example, the provision of art. 83.7 of the RGPD). The LOPDGDD only
develops or specifies some aspects of the RGPD as far as it allows and with the
scope that it allows.
This is because the intended purpose of the European legislator is to implement a
uniform system throughout the European Union that guarantees the rights and freedoms of
natural persons, that corrects behavior contrary to the RGPD, that encourages
compliance, which enables the free circulation of this data.
In this sense, recital 2 of the GDPR determines that,
“(2) The principles and rules relating to the protection of natural persons in what
regarding the processing of your personal data must, whatever
their nationality or residence, respect their fundamental freedoms and rights, in
particularly the right to the protection of personal data. The present
Regulation aims to contribute to the full realization of an area of freedom,
security and justice and an economic union, to economic and social progress, to
reinforcement and convergence of economies within the internal market, as well as
well-being of natural persons.” (emphasis is ours)
Recital 13 of the GDPR continues to indicate that,
“(13) To ensure a consistent level of protection of natural persons throughout
the Union and avoid divergences that hinder the free circulation of personal data
within the internal market, a regulation is necessary that provides security
legal and transparency to economic operators, including microenterprises and
small and medium-sized businesses, and offer individuals of all
Member States the same level of enforceable rights and obligations and
responsibilities for those responsible and in charge of the treatment, in order to
ensure consistent supervision of the processing of personal data and sanctions
equivalents in all Member States, as well as effective cooperation between
the supervisory authorities of the different Member States. The good
functioning of the internal market requires that the free circulation of data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/88
personal property in the Union is not restricted or prohibited for reasons related to
protection of natural persons with regard to data processing
personal”. (emphasis is ours)
In this system, the determining factor of the GDPR is not the fines. The corrective powers
of the control authorities provided for in art. 58.2 of the RGPD conjugated with the
provisions of art. 83 of the GDPR show the prevalence of corrective measures
against fines.
Thus, art. 83.2 of the GDPR says that “Administrative fines will be imposed, in
depending on the circumstances of each individual case, in addition to or in lieu of
the measures contemplated in article 58, paragraph 2, letters a) to h) and j).
In this way the corrective measures, which are all those provided for in art. 58.2 of
RGPD except the fine, have prevalence in this system, the fine being relegated
economic to cases in which the circumstances of the specific case determine
that a fine be imposed together with corrective measures or in lieu of the
themselves.
And all this with the purpose of forcing compliance with the RGPD, avoiding
non-compliance, encourage compliance and ensure that infringement is not more profitable
than non-compliance.
For this reason, art. 83.1 of the RGPD prevents that “Each supervisory authority will guarantee
that the imposition of administrative fines pursuant to this article for the
infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in
each individual case effective, proportionate and dissuasive.” (emphasis is
our)
For this system to work with all its guarantees, it is necessary that several
elements are deployed in an integral and complete manner. The application of foreign rules
to the RGPD regarding the determination of fines in each of the States
members applying their national law, whether due to aggravating circumstances or
mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the Spanish case-, whether
due to the application of a media contest different from that provided in the RGPD, it would remain
effectiveness to the system that would lose its meaning, its teleological purpose, resulting in
the fines imposed for different violations would no longer be effective,
proportionate and dissuasive. And in this way the interested parties would also be robbed.
of the effective guarantee of their rights and freedoms, weakening the uniform application
of the GDPR. Mechanisms for the protection of rights and
freedoms of citizens and would be contrary to the spirit of the RGPD.
The GDPR is endowed with its own principle of proportionality that must be
applied in its strict terms.
4. There is no legal loophole, there is no supplementary application of art. 29 of the GDPR.
In addition to the above, it means that there is no legal gap regarding the application of the
media contest. Neither the RGPD allows nor the LOPDGDD provides for the supplementary application
of the provisions of art. 29 of the LRJSP.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/88
There is also no subsidiary application of art. 29 of the GDPR. In Title VIII of the
LOPDGDD regarding “Procedures in case of possible violation of the regulations
of data protection”, article 63 that opens the Title provides that “The
Procedures processed by the Spanish Data Protection Agency will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions dictated in its development and, as far as they are not
contradict, on a subsidiary basis, by the general rules on the
administrative procedures.” Although there is a clear reference to the LPACAP, it is not
establishes in no way a subsidiary application with respect to the LRJSP that does not
contains in its articles any provision relating to administrative procedure
some.
In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided
in art. 29 of the LRJSP, since the RGPD establishes its own, therefore,
There is no legal loophole or subsidiary application of the same, nor is it possible to apply
section relating to media competition and for identical reasons.
In any case, the judicial precedents cited by the plaintiff regarding the competition
medial come from the application of the LOPD of the year 99 that transposed the Directive
95/46/EC, the RGPD establishing a clearly different system. At that time,
article 115 of Royal Decree 1720/2007, of December 21, which approves
the Regulations for the development of Organic Law 15/1999, of December 13, of
protection of personal data, it did provide for a supplementary application of the
Law 30/1992, of November 26, on the Legal Regime of Administrations
Public and Common Administrative Procedure.
Thirdly, and now focusing on the specific case examined, and without prejudice
From the above, it should be noted that there is no medial competition. Article 29.5 of the
LRJSP establishes that “When the commission of an infraction results
necessarily the commission of another or others, only the sanction should be imposed
corresponding to the most serious infraction committed.”
Well, the medial competition takes place when in a specific case the commission of
an infraction is a necessary means to commit a different one.
The established facts determine the commission of two different infractions, without the
violation of article 32 of the RGPD (security of processing), as stated
the appellant, is the necessary means by which the violation of the
article 5.1.F) of the RGPD (principle of confidentiality).
In conclusion, from all this and against everything argued, it has been proven
that I-DE was not diligent because it did not adequately guarantee confidentiality
of the personal data of its clients, as well as that it did not have the measures
appropriate technical and organizational measures to ensure an appropriate level of security.
For the above reasons, the allegation is rejected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/88
FOURTH.- ON THE ALLEGED VIOLATION BY I-DE OF ARTICLE 32
OF THE GDPR
I-DE alleges that it does not agree that the Startup Agreement indicates that it was not the
diligent enough to implement appropriate security measures to
prevent security incidents from occurring like the one that happened, as it maintains
that, as has been revealed in the responses given to the AEPD
in the different information requirements, it has been proven that there was
implemented multiple and robust security measures aimed at protecting
the information of its clients and prior to March 2022.
I-DE proceeds below to detail the security measures it has
implanted.
Faced with this, it means that in the present case there was a vulnerability in the
GEA web application, which was used by the cybercriminal. So, as it has
has been accredited in the Proven Facts and as indicated in the Foundation
of Law VI of the Initiation Agreement, (…).
Therefore, the above shows the existence of a web application with a
vulnerability that allowed:
(…)
Likewise, as a subsequent measure to avoid incidents such as the one that occurred,
proceeded through I-DE to modify the GEA application (…).
On the other hand, as security measures existed before the incident, they pointed out,
among others, the following:
(…). And it is precisely this vulnerability that was used by the attacker during
the security breach.
(…)
From the above, it follows that this attack would have been avoided if that
code would not have been visible. Even more so if you take into account that this is one of the
requirements that are included in the indicated document, (…).
Likewise, this vulnerability is identifiable in security assessments. Without
However, during the investigation proceedings I-DE has not proven that
detect the vulnerability of the GEA application within the framework of the
security evaluation implemented in the Iberdrola Group. Furthermore, as has been
indicated, the last review or security assessment of critical applications dates from
2019, almost two and a half years before the incident, so they were not being very
taking into account the rapid advances in technology, as well as the
sophistication of cyber attacks, in addition to the fact that the
results obtained.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/88
Therefore, the GEA application contained an avoidable and identifiable vulnerability that
was the one used by the attacker. This clearly shows a
non-compliance with article 32 of the GDPR, as it requires appropriate measures to
guarantee a level of security appropriate to the risk, and all this taking into account the
state of the art, application costs and the nature, scope, context and
the purposes of the treatment.
(…)
Regarding the risks to the rights and freedoms based on which they must
appropriate security measures be established and implemented, I-DE has not provided a
risk analysis carried out prior to the incident that complies with art. 32 of
GDPR, as it does not indicate what measures should be applied to the risk level. Also, the
approach to risk analysis, contained in the Register of Activities of
Treatment regarding the affected activity is not oriented to the risks that for
the rights and freedoms of the owners of personal data may involve the
loss of confidentiality, availability or integrity.
Recital 75 of the GDPR, cited in the Initiation Agreement, indicates that “The risks
for the rights and freedoms of natural persons, of seriousness and probability
variables, may be due to data processing that could cause damage and
physical, material or immaterial damages, particularly in cases in which the
treatment may give rise to problems of discrimination, identity theft or
fraud, financial loss, reputational damage, loss of confidentiality of
data subject to professional secrecy, unauthorized reversal of pseudonymization or
any other significant economic or social harm; in cases where
deprives data subjects of their rights and freedoms or prevents them from exercising control
about your personal data; in cases where the personal data processed
reveal ethnic or racial origin, political opinions, religion or beliefs
philosophical, militancy in unions and the processing of genetic data, data
relating to health or data on sexual life, or criminal convictions and offences.
or related security measures; in cases in which aspects are evaluated
personal, in particular the analysis or prediction of aspects related to the
performance at work, economic situation, health, preferences or interests
personal, reliability or behavior, situation or movements, in order to create or
use personal profiles; in cases in which personal data of
vulnerable people, particularly children; or in cases where the treatment
involves a large amount of personal data and affects a large number of
interested."
For its part, art. 28.2 LOPDGDD determines that “For the adoption of the measures
referred to in the previous section, those responsible and in charge of the treatment
will take into account, in particular, the increased risks that could arise in the
following assumptions:
5. When the treatment could generate situations of discrimination,
identity theft or fraud, financial loss, damage to the
reputation, loss of confidentiality of data subject to professional secrecy,
unauthorized reversal of pseudonymization or any other harm
economically, morally or socially significant for those affected.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/88
b) When the treatment could deprive those affected of their rights and
freedoms or could prevent them from exercising control over their data
personal (,,,)”
As explained in the guide “Risk management and impact assessment in
processing of personal data” of the AEPD, “The RGPD establishes the obligation of
manage the risk that a risk to people's rights and freedoms poses
treatment. This risk arises both from the very existence of the treatment and from
its technical and organizational dimensions. The risk arises both from the
automated data processing as well as manual processing,
human elements and the resources involved. The risk arises from the purposes of the
treatment and its nature, and also by its scope and the context in which it is
unwraps.”
However, these risks have not been assessed. Damage has not been assessed for
physical, material or immaterial persons, or at least it is not proven that
fact, lacking, therefore, a risk analysis focused on the protection of the
rights and freedoms of the interested parties.
On the other hand, I-DE understands that the AEPD has linked the alleged non-compliance with
article 32 with the production of the result that occurred as a consequence of the
concurrence of a series of factors that were unpredictable and that were
detected and resolved immediately. It therefore concludes that the AEPD is
imposing, with regard to the adoption of security measures, a
obligation of result, but which is nevertheless an obligation of means.
In this regard, it brings up or stated by the Supreme Court in its
ruling of February 15, 2022 (cassation appeal 7359/2020), which clearly states
clear way that the obligation imposed by data protection regulations
personnel, to adopt technical and organizational measures aimed at guaranteeing the
confidentiality, availability and integrity of the information, is an obligation of
means and not result.
In this regard, it should be noted that the aforementioned Judgment effectively indicates, above all
security measures regarding data protection, that “… the obligation that
falls on the person responsible and on the person in charge of the treatment with respect to the
adoption of necessary measures to guarantee the security of personal data
personnel is not an obligation of result but of means, without the obligation being enforceable.
infallibility of the measures adopted. Only the adoption and
implementation of technical and organizational measures, which according to the state of the
technology and in relation to the nature of the processing carried out and the data
personal data in question, reasonably allow to avoid its alteration, loss,
“unauthorized treatment or access.” (emphasis is ours)
However, the Judgment continues indicating, in the specific case analyzed in
same, that “…the program used to collect customer data does not
contained no security measures that would allow checking whether the address of
email entered was real or fictitious and whether it really belonged to the person
whose data was being processed and gave consent for it. The state
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/88
of the technique at the time in which these events occurred allowed us to establish
measures aimed at verifying the veracity of the email address, conditioning
the continuation of the process for the user to receive the contract at the address
provided and only from it provide the necessary consent for its
collection and treatment. Measures that were not adopted in this case.
(…) So, at the time these events occurred, there were
technical measures related to the registration process, which would have prevented the filtration of
personal data produced. This implies that the technical measures adopted
did not comply with the security conditions in the terms required in art. 9.1 of the
LO 15/1999, therefore incurring the infringement provided for in art. 44.3.h)
consisting of “Maintain the files, premises, programs or equipment that contain
personal data without due security conditions that via
regulations are determined […]”.
Therefore, although it is inferred from the Judgment that the obligations established by the
Article 32 of the GDPR are media, it also makes it clear that, if at the time of
When the incident occurred, there were adequate technical measures to avoid or mitigate the
effects thereof and were not applied, this represents a breach of the aforementioned
obligation imposed by the RGPD and, therefore, a violation of it.
In the present case, as has been pointed out, there was a vulnerability in the application
GEA, which was identifiable in the safety evaluations as well as avoidable, as
as evidenced by the fact that I-DE subsequently proceeded to correct
said vulnerability. This clearly shows a breach of the article
32 of the GDPR, as it requires appropriate measures to guarantee a level of
security appropriate to the risk, and all this taking into account the state of the art,
the costs of implementation and the nature, scope, context and purposes of the
treatment.
I-DE also alleges that the security breach is not caused by insufficient
the measures adopted, but rather the intense activity carried out by a third party with the
sole intention to carry out the cyberattack produced to the detriment not only of the
i-DE clients, but of the company itself.
Faced with this, it should be noted that total infallibility of the
measures that can be taken to ensure adequate protection in the
processing of personal data. However, once the attack occurs, it must
evaluate the diligence of the data controller in the application of the measures
appropriate technical and organizational measures to guarantee a level of security appropriate to the
risk, taking into account the state of the art, application costs,
nature, scope, context and purposes of the processing.
In the present case, I-DE did not count, at the time of the breach of
data protection, with appropriate measures in relation to the risks of the
processing for the protection of personal data, since as indicated,
There was a detectable and avoidable vulnerability in its web application, which was
exploited by cybercriminals.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/88
Finally, in accordance with the Judgment of June 22, 2021- Rec. 1210/2018,
and the Judgment of November 5, 2011 - Rec. 1796/2019, in which the
subjective or culpable element, it is insisted that the guilt of the plaintiff
cannot be considered excluded or attenuated by the fact that the
fraudulent action of a third party, since the responsibility of the plaintiff does not
derives from his actions, but from his own.
Finally, I-DE points out that it had implemented mechanisms that allowed the
almost immediate detection of the security breach suffered as a result of the
access to GEA, adopting immediately, so i-DE understands that its rapid
performance is a clear example that for the same reason it was given, and is given, complete
compliance with the provisions of article 32.1 c) of the RGPD, when it refers to “the
ability to restore availability and access to personal data
in the event of a physical or technical incident”, something that, however, has not been the object
of sufficient assessment by the Initiation Agreement.
In this regard, both in the Initiation Agreement and in this proposal it has been
taken into account that I-DE reacted as quickly as possible and proceeded to take action
aimed at repelling the attack and to avoid its repetition, considering it as
mitigating circumstance in accordance with article 83.2.c) RGPD.
For the above reasons, the claim made is rejected.
FIFTH. – ON THE ALLEGED DELART INFRINGEMENT. 5.1.F) OF THE RGPD
In this section I-DE alleges that it has not been proven, not even indicatively, the
fraudulent use of personal data, limiting the Startup Agreement to consider
that there is a very high risk nor that it has materialized in practice.
In this regard, it should be clarified that what I-DE is accused of is the violation of the
principle of confidentiality since it is clear that, after suffering a computer attack against
the GEA website, taking advantage of a vulnerability in it, there was an access
illegitimate access to personal data and the extraction thereof by a third party does not
authorized, which meant the loss of confidentiality and control of numerous
personal data (name and surname, ID, postal address, fax, e-mail, telephone,
client code) and that affected 1,350,000 I-DE clients. This supposes the
breach of the duty to guarantee the confidentiality of personal data,
since, as has been indicated, article 5.1.f) indicates that they must be treated in such a way
manner that ensures adequate security of personal data, including the
protection against unauthorized or illicit processing.
Regarding the high risk that these data, in the hands of
cybercriminal/s, were used fraudulently, this was indicated to express what
involves the loss of confidentiality, but is not necessary in any way, to
understand violated article 5.1.f) that said risks of fraudulent use are
materialize, because what has materialized with the gap is the loss of
confidentiality of the personal data processed by I-DE, which is what is attributed to it
exclusively.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/88
On the other hand, I-DE once again insists in this section that it understands that the
AEPD considered the breach reported by it to be archived and that the claims were not
provide nothing new and, therefore, nothing seems to justify the reopening of the
investigation when it had been archived.
In this regard, it is appropriate to refer to everything already argued in relation to it in the
Second section of this Legal Basis.
For the above reasons, the claim made is rejected.
SIXTH. – ON THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY
I-DE alleges that the sanctions imposed violate the principle of proportionality,
since the AEPD, to determine the amount of the sanctions, has resorted to criteria
completely generic.
Thus, regarding the alleged negligence in its actions, I-DE indicates that it has
proven that the events that occurred occurred at a specific time and that
were resolved very quickly, so the measures adopted before the
incident mitigated its effects. This immediate solution to the incident, which
shows that they did have planned actions in the event of a possible attack on their
systems.
Faced with this, it should be noted that the appropriate technical and organizational measures
to guarantee a level of security appropriate to the risk that for the rights and
freedoms of natural persons may have the processing of personal data
They cannot in any way be only reactive measures, that is, to solve
immediately a personal data breach. Thus, article 32 of the GDPR not only
indicates that they must guarantee adequate security, but also that said
Measures should include the ability to ensure the confidentiality, integrity,
ongoing availability and resilience of treatment systems and services
(letter b of article 32.1 GDPR). Therefore, it is not enough to have measures to
react as soon as possible when confidentiality has been breached, we must have
also appropriate prior measures to prevent said violation. And this because
Equally or more important are the measures aimed at safeguarding confidentiality,
the integrity and availability of personal data, that is, the measures
preventive measures aimed at avoiding any violation of this.
Therefore, it cannot be accepted that the measures that I-DE had implemented were
adequate in that they allowed the incident to be resolved later, since this
it only demonstrates the existence of corrective measures. However, what they allowed
Those reactive measures were the cessation of the attack once it had occurred and the restoration of the
service, that is, in terms of the protection of personal data, it avoided an impact
greater and this has already been taken into account as a mitigating circumstance in the present procedure
sanctioning, but in no way can they solve the loss of confidentiality
of the personal data affected, since this had already materialized.
That is, the confidentiality of personal data is guaranteed above all with
precautionary measures. In this sense, it has already been indicated in the response to the allegation
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/88
Fourth of this Legal Basis, the vulnerability contained in the
GEA application, which was used by the cybercriminal for his attack and that the
Furthermore, it was perfectly identifiable in the security evaluations. In
In relation to the latter, it should not be forgotten that article 32.2 GDPR determines that
security measures must also include a process of verification, evaluation
and regular assessment of the effectiveness of technical and organizational measures to
ensure the safety of the treatment.
Therefore, all of this only reflects a lack of diligence on the part of I-DE to the
when it comes to guaranteeing security appropriate to the risk of data processing that
performed. In this sense, it should not be forgotten that GEA is a web application, it is
That is, it allows access from the Internet to a database where
stored personal data of millions of customers, which involves processing
on a large scale, which requires appropriate security measures for that web environment and
aimed especially at guaranteeing that illegitimate access does not occur to said
personal information.
On the other hand, I-DE points out that it does not agree that it is considered an aggravating circumstance.
the linking of your activity with the processing of personal data,
because he understands that his behavior is getting worse because he belongs to the electrical sector and
that for this reason special diligence must be required, and that this once again attacks
the principle of proportionality.
Faced with this, it means that their behavior is not aggravated by belonging to the sector
electrical, but because its activity, the development of its business, involves and requires
continuous and abundant processing of personal data, as demonstrated by the
fact that it processes data from millions of people.
Therefore, as indicated in the Startup Agreement, I-DE is a company accustomed to
processing of personal data, which entails, once again, the requirement of greater
degree of diligence.
On the other hand, it is noted that article 83.2 of the RGPD provides that “When deciding the
imposition of an administrative fine and its amount in each individual case will be
due account:
(…)
k) any other aggravating or mitigating factor applicable to the circumstances of the
case…".
In this sense, the Spanish legislator has considered including in article 76 of the
LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of the Regulations
(EU) 2016/679 may also be taken into account:
(…)
b) The linking of the offender's activity with the performance of treatments
of personal data.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/88
This Agency simply takes into consideration that circumstance, provided for by the
legislator, when deciding the imposition of the administrative fine.
It should be noted that, for the purposes of deciding the imposition of a fine, it cannot have
administrative, the same consideration as an infraction produced by a natural person
or a small company not accustomed to processing personal data, which a
large company like I-DE, accustomed to processing personal data of
millions of clients, with a long history behind them in this regard. By
assumption that the violation is considered to be more serious for the purposes of imposing
a fine if the person responsible for the treatment is among the latter, as is
the case of I-DE.
On the other hand, it alleges the lack of proportionality comparing it with the file
PS/00179/2020, in which it indicates that he was only fined 500,000 euros despite
that not only was confidentiality breached, but that the breach was not notified to the
AEPD, something that I-DE has done, but, nevertheless, the sanction is
considerably smaller.
In this regard, it should be noted, on the one hand, that in terms of data protection,
the technical and organizational security measures to be adopted by those responsible for the
treatment and other obligations to comply required by the RGPD, must be the
appropriate in relation to the specific risks posed by the specific
treatments carried out by each person responsible. Therefore, when analyzing the diligence of some
and others in compliance with the regulations must be based on the circumstances of each
case, taking into account the nature, scope, context and purposes of each
treatment, therefore there are no identical cases.
On the other hand, article 83 establishes that
1. Each supervisory authority shall ensure that the imposition of fines
administrative sanctions under this article for violations of the
of this Regulation indicated in sections 4, 5 and 6 are in each case
effective, proportionate and dissuasive individual treatment.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case..."
Therefore, it is necessary to attend to the circumstances of each individual case, there being no
two identical files and, therefore, with equal results. As an example, in the
file that brings up those affected were less than half than in the case
which concerns us now; the violation of art. 32 of the GDPR, it was for another type of
insufficiency in measures to guarantee adequate safety for the treatment;
These were events that occurred in 2018, the year in which it became mandatory
GDPR compliance, which is not the same as four years later; it is not the same
knowledge of the technique a few years before and after, especially due to the rapid
progress thereof, v etc.
Likewise, it is pointed out that there are many other files after and before the
present in which the violation of the
confidentiality of data such as the violation of security measures of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/88
article 32 of the RGPD, although, as has been pointed out, the
specific circumstances of the case.
Finally, and for completeness, it is not appropriate to demand equality in illegality. The
Jurisprudence is clear on this. Thus, the Judgment of the National Court of
April 28, 2023 (SAN 04/28/2023 REC. 409/2021 indicates that “A deal is referred to
discriminatory sanction since that fine or economic sanction can
be replaced by the measures of art. 58 GDPR, less burdensome measures as could
be the warning. And refers to other infractions committed by other
entities. Of course the plaintiff tries to compare this situation with another
sanctioning procedure that is mentioned, but we are not dealing with a deal
discriminatory or that the principle of equality is violated since it is a principle that
only operates within the framework of legality when equal factual situations have a
different treatment without reasonable justification. As the STS of January 20 points out
2004, “equality must be preached within the law, so that if the action
correct of the Administration is the one now prosecuted, as we have declared, the
invoked as contrary to it was not and, consequently, it cannot be used to
request that equal treatment be applied to the appellant, since, as this Chamber of the Court
Supreme Court has declared in its sentences of June 16, 2003, July 14, 2003
and October 20, 2003 that "the principle of equality has no significance for
protect a situation contrary to the legal system", and this, as indicated by the
Sentencing chamber, regardless of the fact that the administrative action has not been proven
alleged as contradictory to the present one.”
In the same sense, the STS of April 2, 2014 (Rec. 1916/2010) points out that “the
“Legality prevails over a possible injury to the principle of equality.” In this case,
We are facing an administrative infraction that is intended to be compared with another that has
had a different solution, but from what is observed in the allegation that is formulated
the plaintiff can hardly make a comparison of a situation
and another. Let us remember that according to the consolidated constitutional doctrine for
To appreciate the occurrence of a violation of the principle of equality, there must be
the following assumptions: 1) provision of an ideal comparison term
demonstrative of the substantial identity of the legal situations that have received
different treatment, 2) that the unequal treatment is not based on objective reasons that
justify, and 3) that the comparative trial is carried out within the framework of legality,
since it is not possible to invoke the principle of equality in illegality to perpetuate
situations contrary to what is provided for by the legal system. Thus things, the
conduct for which the plaintiff has been sanctioned and which is contrary to law
does not allow its responsibility to be further attenuated by the fact that in other
assumptions, which are unknown, the sanction imposed was not economic and
considered more beneficial.”
For all the above reasons, the claim made is rejected.
V
Response to the allegations to the Proposed Resolution
In response to the allegations presented by I-DE, the following should be noted:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/88
FIRST: Regarding the defenselessness generated by I-DE as a consequence of not having
agreed to the accumulation of procedures EXP202305587 and EXP202205206
I-DE is once again ratified in the allegations regarding the Initiation Agreement regarding its
request for the accumulation of both files, also indicating that with
Regardless of whether article 57 of the LPACAP indicates a “may”, the power
granted must be considered in all cases enforceable to the Administration when the
non-cumulative processing of the procedures may negatively affect the
rights of those included in them, I-DE insisting that the non-accumulation
attentive to their right to defense.
Thus, it indicates that the administrative file does not even contain the real accreditation of
the admission for processing of any claim directed against I-DE or against any
another company of the Iberdrola Group, so that I-DE has been forced to intuit,
from the Research Actions Report (IAI), the information that could
have given rise to the AEPD opening this sanctioning procedure.
I-DE therefore understands that this simple fact would be sufficient to justify the
obligation to consolidate the two files since their access to the
information that the AEPD has available to consider committed two alleged
violations of data protection regulations has been limited to those
elements that the AEPD has considered appropriate to incorporate into this file,
without being able to have a complete vision of the facts or, consequently, of the motives
that induce the AEPD to impose such sanctions. For this reason, I-DE considers that the
accumulation of procedures harms their rights.
In this regard, it should be noted, first of all, that it has already been answered in the proposal
resolution regarding the request for consolidation of the two files
referenced, response that is transcribed in the Fundamentals of Law III
of this Resolution to which reference should be made. Therefore, although it is true that it is
a power of the Administration to proceed with the accumulation or not, it is also
that the reasons were argued and the reasons why it was not appropriate or not
It was appropriate to combine both sanctioning procedures.
Regarding what is alleged by I-DE regarding the fact that non-accumulation produces
defenselessness, because in his file there is no record of the admission for processing of any
claim against it, it means that said admissions for processing are not recorded either.
in the other file to which the accumulation is requested, so it would not have
effects in this sense, consequently not causing any defenselessness
accumulation.
In this regard, it is noted that, since April 2, 2022, they have been presented to
this Agency claims from clients affected by the security incident, the
which have been progressively admitted for processing since May 9, 2022. In
In this sense, it is indicated that the claimants basically claim to have seen
their personal data affected by the aforementioned breach, without being able to provide any
added information because, logically, in the face of cyberattacks such as the one suffered,
They can provide little or no information because they are unaware of it and do not have access to it.
same. These claims were accepted for processing successively, from the
May 9, by the Director of this Agency, as they were presented since April
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/88
2022. All of them have not been the subject of any further procedures. That is why
These claims are not part of this sanctioning procedure, only
two to which I-DE has had access, so defenselessness has not been caused.
Likewise, in the Background of both the Initiation Agreement and the Proposal for
Resolution and also this Resolution, the existence of these
claims. Specifically, it is indicated in the Fifth Background that “Since 2
April 2022, customer complaints have been submitted to this Agency
affected by the security incident, which have been progressively
admitted for processing since May 9, 2022.” Therefore, I-DE has been informed
from the beginning of the existence of said claims.
Due to the above, whether or not knowledge of the specific content of said claims
does not affect in any way the right of defense of I-DE since this
sanctioning procedure was initiated and has been processed solely as a consequence
of the facts proven during the preliminary investigation actions
carried out by this Agency. Therefore, I-DE has known at all times and
complete form of the facts of which he is accused and all the circumstances in relation
with them, which, it is insisted, derive exclusively from the entire
documentation collected and other actions carried out during the
prior investigations and not the content of the claims that are not part
of either procedure. Likewise, he has had knowledge of everything
moment of the infractions that are attributed to such acts and the sanctions
that could arise from them, and has been able to allege and present whatever
documentation has been deemed relevant throughout this procedure
sanctioner.
Therefore, the requested non-accumulation does not cause you any defenselessness nor does it affect you.
negatively to any of your procedural rights
In relation to the rest of the arguments raised by I-DE to demand the
accumulation, as these are reproductions of those exposed in the Initiation Agreement,
It is appropriate to refer to the response given by this Agency and which appears, as has been
indicated, transcribed in Legal Basis III of this Resolution.
SECOND: About the previous acts of the AEPD and the violation of the principles
of good faith, legitimate trust and legal certainty.
I-DE insists again that the letter of April 18, 2022 that was addressed to it
from the Technological Innovation Division of this Agency has a decision-making nature and
that this prevents or should have prevented any investigative action
subsequent of the personal data breach suffered which, in addition, violates the
principles of good faith, legitimate trust and legal certainty.
Likewise, it indicates that one of the functions of the Technological Innovation Division of
This Agency is to “analyze and classify security breaches and, where appropriate,
reasonedly propose to the Presidency the initiation of an investigation when
“sees signs of the commission of an infraction” (article 31 e) of the Statute of the
AEPD).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/88
I-DE adds that the aforementioned letter is signed by the “AEPD”, which means that it must
be understood as signed by the Director, since the “legal and institutional representation” of the
Agency corresponds solely and exclusively to the Director, as established in the
article 13.1b) of the AEPD Statute.
From this I-DE concludes that, having been analyzed by the Innovation Division
Technological the information communicated by her about the security breach,
understood that it was not appropriate to submit any type of proposal to the Director of the AEPD
motivated in relation to the same, as I do not consider the provisions of the
GDPR, this resulted in this Agency being notified of the decision not to carry out
any action related to the aforementioned gap.
Faced with this, first of all it is worth remembering that this question was already answered in
the Proposed Resolution, a response that appears transcribed entirely in the
Legal basis IV of this Resolution and to which reference should be made.
On the other hand, it cannot be admitted or understood, even indirectly, that the
The aforementioned writing in question is signed by the Director of this Agency, by
as long as his signature does not appear expressly, no matter how much I-DE wants to assume
artificially that the signature comes from said body by holding the representation
of the AEPD. No generic signature from the AEPD or any of the bodies in which
is structured, nor can the signature of any of the holders thereof
replace the signature of the Director when exercising the powers attributed to her
both by Law and by the Statute of the AEPD, the delegation of signature in these cases
must be direct and express, and must be stated in the administrative act that is signed by
delegation to guarantee and safeguard that the decision has been adopted by
competent body.
In this sense, the Statute of the Spanish Data Protection Agency, approved
By Royal Decree 389/2021, of June 1 (hereinafter the Statute) establishes
expressly that:
1. The Presidency of the Spanish Data Protection Agency is responsible for:
d) Issue the resolutions and guidelines required for the exercise of functions
of the Agency, in particular those derived from the exercise of powers
provided for in article 57 of Regulation (EU) 2016/679 of Parliament
European Parliament and of the Council, of April 27, 2016, and the exercise of powers
of investigation and corrective powers provided for in article 58 of the
cited Regulation. (emphasis is ours)
On the other hand, article 27 of the Statute establishes the powers that the
General Subdirectorate of Data Inspection of the AEPD:
1. The Subdirectorate General of Data Inspection is the administrative body,
dependent on the Presidency of the Spanish Data Protection Agency, which
develops the powers provided for in article 57.1, letters f), g), h), i) and u) of the
Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27,
2016, and carries out the inspection and instruction functions necessary for the exercise
of the investigative powers established in article 58.1, letters a), b), d), e) and f)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/88
and the corrective powers provided in article 58.2, letters a), b), c), d), f), g), i)
and j), both of the aforementioned Regulation. (emphasis is ours)
2. In order to fulfill the tasks established in the previous section, to the
General Data Inspection Subdirectorate is responsible for the following:
functions:
a) Permanent supervision of compliance with Regulation (EU) 2016/679
of the European Parliament and of the Council, of April 27, 2016, of the Law
Organic 3/2018, of December 5, and the provisions that develop it,
by those responsible and in charge of the treatments.
b) The exercise of the investigative powers defined in article 51 of
Organic Law 3/2018, of December 5.
(…)
d) The processing of procedures in case of possible violation of the
data protection regulations in accordance with the provisions of title VIII of the
Organic Law 3/2018, of December 5, including the claims of the
citizens due to lack of attention to their requests to exercise their rights
contemplated in articles 15 to 22 of Regulation (EU) 2016/679 of the
European Parliament and of the Council, of April 27, 2016. It corresponds to the
General Subdirectorate of Data Inspection the duty to inform the
claimant about the course and outcome of the claim filed with the
Spanish Data Protection Agency, in accordance with the provisions of the
article 77.2 of the aforementioned Regulation.
(…)
e) The evaluation of the admissibility for processing of the claims that are
submitted to the Spanish Data Protection Agency, and the proposal to
the Presidency of decision on the admission or non-admission for processing, in accordance
to the provisions of article 65 of Organic Law 3/2018, of December 5.
(…)
h) Carrying out prior investigation actions agreed upon by the
Presidency on his own initiative, following a complaint, or at the request of another
control body or authority, in order to achieve a better determination of the
facts and circumstances that justify the processing of the procedure,
according to the provisions of article 67 of Organic Law 3/2018, of 5
December. (emphasis is ours)
Therefore, with respect to the Technological Innovation Division of the AEPD, which
In accordance with the Statute, its functions include “analyzing and classifying the
security breaches and, where appropriate, propose with reasons to the Presidency the
initiation of an investigation when there are indications of the commission of an
infringement” (article 31 e) of the AEPD Statute), this does not mean that it is the only and
exclusive means by which this Agency can initiate investigative actions. So,
This investigative power that the AEPD has, as has been reflected in the
described regulations, is carried out by the General Subdirectorate of Inspection of
Data, which may initiate investigative actions ex officio, by order of
the Director, either as a consequence of the admission of claims presented
before the AEPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/88
The Technological Innovation Division, after analyzing the documentation provided by I-
DE (not all the circumstances of the incident) has indicated that it does not foresee the start
of other actions, and not that I do not consider the provisions of the RGPD violated or that
the decision had been made not to carry out any action related to the
mentioned gap. The Technological Innovation Division did not make a decision, but rather
was limited to informing I-DE of a forecast, which does not prevent them from being taken into account.
takes into account other circumstances, such as the presentation of claims by those affected
due to the gap, which makes it advisable to separate from this forecast.
Therefore, the aforementioned document does not have the decisive and decisive nature that I-DE
intended, neither by its content nor by its form and this is not an obstacle nor can it prevent
in no way the investigative power that the AEPD has and its exercise through
the inspection and investigation functions that the Subdirectorate General of Inspection
of Data is entrusted. Above all, after the presentation of claims for
part of affected people and that the LOPDGDD requires its processing.
Thus, article 65 of the LOPDGDD, relating to the “Admission for processing of
claims”, establishes that
1.When a request is submitted to the Spanish Data Protection Agency
claim, it must evaluate its admissibility for processing, in accordance
with the forecasts of this article.
2. The Spanish Data Protection Agency will not accept claims
presented when they do not concern data protection issues
personal, manifestly unfounded, abusive or not
provide rational evidence of the existence of an infringement.
Therefore, when complaints are submitted to the AEPD, it is obliged to analyze
their admissibility in advance, and may disallow them only in the cases of
section 2 of article 65 transcribed, which did not occur in the case that we
occupies
Therefore, once admitted for processing, prior investigation actions were initiated.
precisely to find out the facts and circumstances that occurred and if the
These could lead to a possible violation of the regulations regarding
data protection, as permitted and empowered by articles 64 and 66 of the LOPDGDD,
which were already transcribed in the response to the allegations to the Startup Agreement and
which, for the sake of expository clarity, are indicated again:
Article 64. Form of initiation of the procedure and duration.
1.When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be
will be adopted in accordance with the provisions of article 65 of this organic law.
In this case, the period to resolve the procedure will be six months from
from the date on which the claimant had been notified of the agreement
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 52/88
admission for processing. After this period, the interested party may consider
estimated your claim.
2.When the procedure aims to determine the possible
existence of a violation of the provisions of Regulation (EU) 2016/679 and in
This organic law will begin by means of an initial agreement adopted by
own initiative or as a result of a claim.
If the procedure is based on a claim made before the Agency
Spanish Data Protection Authority, in advance, will decide on your
admission for processing, in accordance with the provisions of article 65 of this organic law.
When the rules established in article 60 of the
Regulation (EU) 2016/679, the procedure will begin by adopting the
draft agreement to initiate the sanctioning procedure, which will be given
formal knowledge to the interested party for the purposes provided for in article 75 of this
organic Law.
The claim is admitted for processing, as well as in cases in which the Agency
Spanish Data Protection Agency acts on its own initiative, prior to the
initiation agreement, there may be a phase of prior investigation actions,
which will be governed by the provisions of article 67 of this organic law.
Article 67. Previous investigation actions.
1.Before the adoption of the agreement to initiate the procedure, and once admitted
processing the claim if there is one, the Spanish Data Protection Agency
may carry out prior research actions in order to achieve a better
determination of the facts and circumstances that justify the processing of the
procedure.
The Spanish Data Protection Agency will act in any case when it is
requires research into treatments that involve massive data traffic
personal.
2.Preliminary investigation actions will be subject to the provisions of the
Section 2 of Chapter I of Title VII of this organic law and may not have a
duration exceeding twelve months from the date of the admission agreement to
procedure or the date of the agreement by which its initiation is decided when the
Spanish Data Protection Agency acts on its own initiative or as
consequence of the communication that had been sent to him by the authority of
control of another Member State of the European Union, in accordance with article 64.3 of
this organic law. (emphasis is ours)
Therefore, it is reiterated that from said regulations it is not inferred in any way that the AEPD
have to justify in the manner required by I-DE the initiation of prior actions in the
sense that there must be something new or some new circumstance or that the
claims have had to provide new and different circumstances regarding
of the documentation provided by I-DE in its notification of the breach to this Agency,
since this is not required by the indicated regulations, in addition to the fact that it cannot be
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 53/88
pretend that those affected contribute something new, apart from knowing that it has been
violated the confidentiality of your personal data due to a cyber attack whose
circumstances unknown.
Precisely the previous investigative actions are carried out to clarify the
facts and circumstances of what happened, gathering more information in order to
be able to determine or not the existence of a possible violation of the regulations in
data protection matters. In this sense, the beginning of previous investigations and
its realization, the power of the AEPD with or without claims, does not prejudge anything, but
that allows gathering the necessary information to determine whether or not there are indications of
infringement. Even after said investigation, the proceedings may be archived
to understand, in view of the information collected, that there are no indications of
infringement. Which, in the present case, has not happened.
What the reflected regulations do indicate is that, after the presentation of claims,
This Agency must decide whether to admit them for processing or not, having finally decided on their
admission through, this time, an Admission Agreement for processing, signed by the
Director of the Agency dated May 9, 2022. And, as indicated in article 67.2
referenced LOPDGDD, the AEPD can carry out prior actions of
investigation in order to achieve a better determination of the facts and the
circumstances. It is a power attributed to it by the RGPD and the LOPDGDD.
Likewise, and to make matters worse, as indicated, even in the
assuming that the claims have not existed, the forecast of the Division of
Technological Innovation would not have been an obstacle or obstacle to the exercise,
ex officio, of the investigative powers that the AEPD has in accordance with the
cited article 64.2 which determines that “The claim is admitted for processing, as well as in
the cases in which the Spanish Data Protection Agency acts on its own
initiative, prior to the initiation agreement, there may be a phase of
previous investigation actions…”
Therefore, this sanctioning procedure has not been initiated due to the content or
by some new information provided in the claims, but by the information and
documentation obtained after the period of prior investigation actions, to the
possible violations of protection regulations may be inferred from it.
of data.
THIRD: Regarding the arguments supported by the Proposed Resolution for
consider that bis in idem does not occur.
I-DE once again indicates that the non bis in idem principle in taxation has been violated
of the two violations, since it understands that the AEPD is not prosecuting the violation
of article 5.1.f) of the RGPD for a reason other than that derived from, in their opinion,
inadequate security of personal data, but solely and exclusively for that
reason.
In this regard, the Judgment of the National Court of July 23,
2021 (rec. 1/2017), which provides,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 54/88
“(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle
prevents punishing the same subject twice for the same act with support in the
same foundation, the latter understood as the same legal interest protected by
the sanctioning regulations in question. In fact, when there is the triple identity of
subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of
proportionality carried out by the legislator and materializes the imposition of a sanction
not legally provided for, which also violates the principle of proportionality.
But in order to speak of "bis in idem" a triple identity must occur.
between the terms compared: objective (same facts), subjective (against the
same subjects) and causal (for the same basis or reason for punishing):
a) Subjective identity assumes that the affected subject must be the same,
whatever the nature or judicial or administrative authority that
prosecute and regardless of who the accuser or specific body is that
has been resolved, or that it is tried alone or in conjunction with other
affected.
b) Factual identity assumes that the facts prosecuted are the same, and
rules out the cases of real competition of infractions in which there is no
before the same illegal act but before several.
c) The identity of foundation or cause implies that the measures
sanctions cannot occur if they respond to the same nature, that is
That is, if they participate in the same teleological foundation, what happens
between criminal and administrative sanctions, but not between
punitive and merely coercive.”
Taking as reference what was previously explained in the procedure
sanctioning agent, the non bis in idem principle has not been violated, since, although
Roughly understood, the facts are detected as a result of a data breach
personal, the violation of art. 5.1.f) of the RGPD results in a clear loss of
confidentiality that affected certain clients, the violation of art. 32 of
GDPR boils down to poor security measures (security only)
detected, present regardless of the personal data breach. Of
In fact, if these security measures that I-DE had implemented had been
detected by the AEPD without loss of confidentiality having occurred,
It would only have been sanctioned by art. 32 of the GDPR.
As we have indicated, through art. 5.1.f) of the RGPD, a loss of
confidentiality and availability and through art. 32 of the GDPR the deficiency of
security measures implemented by the person responsible for the treatment. Measures of
poor security, we add, that violate the GDPR, regardless of whether
whether or not the personal data breach occurred.
Article 32 of the GDPR is violated regardless of whether a breach occurs or not.
personal data breach. That is, it is violated by not having appropriate measures
to guarantee adequate security in the processing of data without
necessary or essential for a security breach to occur in the
personal data that, where appropriate, may affect the confidentiality of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 55/88
data, either only to availability, or only to integrity, or to some or all of them.
Another thing is that the deficiency in security measures becomes evident,
in the specific case, on the occasion of a breach of data security
personal data (violation of confidentiality in this case), as has occurred in the
present assumption.
On the other hand the art. 5.1.f) of the RGPD is violated when there is a loss of
confidentiality or integrity of personal data, which may or may not occur
due to absence or deficiency of security measures. This principle only
determines the channel through which the maintenance of the
confidentiality, integrity or availability when it explains “through the application of
appropriate technical and organizational measures”, which are not strictly security measures.
Likewise, it means again that article 5.1.f) of the RGPD is one of the
principles relating to treatment. The principles relating to treatment are, on the one hand,
side, the starting point and the closing clause of the legal protection system
of data, constituting true informing rules of the system with an intense
expansive force; On the other hand, since they have a high level of concreteness, they are standards of
mandatory compliance susceptible to being infringed.
The violation of confidentiality that is attributed to I-DE is for failing to comply with the
obligation imposed in article 5.1.f to process the data in such a way that
ensures adequate security, including protection against
unauthorized or illicit treatment, through the application of technical measures or
appropriate organizational structures.
Finally, it should be added that, in relation to the alleged violation of the principle
of non bis in idem, a response to this allegation was already given in the Proposal of
Resolution, in which the non-existence of the triple
identity of facts, subject and foundation, as required by jurisprudence,
response that appears fully transcribed in the Third section of the Fundamentals of
Law IV of this Resolution and to which reference should be made.
Finally, regarding the allegations by I-DE regarding the fact that in the imputation of the
violation of article 5.1.f) an obligation of result is being required, which
is contrary to the Judgment of February 15, 2022 (cassation appeal
7359/2020), which indicates that the obligation imposed by the regulations for the protection of
personal data, to adopt technical and organizational measures is an obligation to
means and not results, it means that what is analyzed in said Judgment is the
compliance with technical and organizational measures in the sense of whether they are
adequate to guarantee the safety of the treatments, that is, we would be
not in the scope of compliance with article 5.1.f, but in the scope of compliance
of article 32 RGPD when dealing with security measures. Therefore, the argument
given by I-DE and the analysis of the same that is going to be carried out must refer
exclusively in relation to the violation of article 32 GDPR, which will be
develop in the Fifth section of this Legal Basis relating to the
violation of article 32.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 56/88
FOURTH: On the application of the principles of the right to sanctions to the activity
of the AEPD and the concurrence of a media competition.
I-DE alleges again that, if the existence of the bis in idem is not appreciated, when
least one of the infractions would be subsumed and embedded in the other, since
that the imputation of the violation of article 5.1.f) of the RGPD is due to the fact that the
treatment has not been carried out, in the opinion of the AEPD, in compliance with the
necessary security measures. Therefore I-DE understands the existence of absolute
link between the alleged absence of adequate security measures and the
breach of the principle of confidentiality. That is to say, it is the supposed insufficiency of
security measures which directly leads to the violation of article 32
and the violation of 5.1.f).
There is, therefore, a clear case of medial competition, since the two infractions
charges cannot be committed one without the other.
Next, I-DE argues the reasons why it considers that it is
application of article 29 of the LRJSP and that, with its non-application, the AEPD is
implicitly repealing, in terms of data protection, all guarantees
of the sanctioning regime established by the Constitutional Court.
In this regard, since this allegation was already formulated against the Agreement of
Beginning and that it was widely responded to in the Proposed Resolution, the
which is transcribed in full in the Third section of the Fundamentals of Law IV,
It is necessary to refer to it in its entirety.
On the other hand, in relation to the mention made by the AEPD regarding the non-
applicability of art. 29 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (hereinafter, “LRJSP”), I-DE brings up Royal Decree 389/2021,
of June 1, which approves the Statute of the Spanish Protection Agency
of Data, in which article 3 establishes that the AEPD is governed by the provisions of the
RGPD, and additionally, by the LRJSP. I-DE understands that the above implies
that, in relation to everything not expressly regulated in the RGPD or the
LOPDGDD will comply with the provisions for this purpose in the LRJSP, as is the case of
contests of infractions provided for in article 29 of the LRJSP in relation to the
principle of proportionality as a principle of sanctioning power.
Faced with this, it means that article 3.2 of the aforementioned Statute of the AEPD establishes
the next:
2. Additionally, as soon as it is compatible with their full independence,
will be governed by Law 40/2015, of October 1, on the Legal Regime of the Sector
Public, particularly what is provided for autonomous organizations; by the law
39/2015, of October 1, of the Common Administrative Procedure of the
Public administrations; by Law 47/2003, of November 26, General
Budgetary; by Law 9/2017, of November 8, on Sector Contracts
Public, by which the
Directives of the European Parliament and of the Council 2014/23/EU and 2014/24/EU,
February 26, 2014; by Law 33/2003, of November 3, of the
Heritage of Public Administrations, as well as the rest of the regulations
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 57/88
of general and special administrative law that may apply. In
defect of administrative rule, common law will apply.
Therefore, what is being indicated is that the regime is additionally applied
legal of the Public Sector, but in relation to its consideration as an organism
public belonging to the General Administration of the State, that is, to
considerations such as its composition, organization, structure, etc.
For its part, article 3.3 of the AEPD Statute indicates the following:
3. The procedures processed by the Spanish Agency for the Protection of
Data will be governed by the provisions of Regulation (EU) 2016/679 of the
European Parliament and of the Council, of April 27, 2016, the Organic Law
3/2018, of December 5, on Protection of Personal Data and guarantee of
digital rights, by the regulatory provisions issued in their
development and, insofar as they do not contradict them, on a subsidiary basis, by the
general rules on administrative procedures.
Therefore, in the procedures processed by it, among them, the procedure
sanctioning, neither the LRJSP nor the LPAC is applied additionally, but instead declares
that the procedures processed by the AEPD will be governed by the RGPD and the
LOPDGDD. And on a subsidiary basis (not supplementary) by the rules on the
administrative procedures.
In this regard, it is insisted that there is no supplementary application of the aforementioned precept, for
as there is no legal loophole regarding the application of the media competition provided for in
said article 29 of the LRJSP. Neither the RGPD allows nor the LOPDGDD provides the
supplementary application of the provisions of art. 29 of the LRJSP.
In Title VIII of the LOPDGDD related to “Procedures in case of possible
violation of data protection regulations”, article 63 that opens the Title is
provides that "The procedures processed by the Spanish Agency for the Protection of
Data will be governed by the provisions of Regulation (EU) 2016/679, in this law
organic, by the regulatory provisions dictated in its development and, as
do not contradict them, on a subsidiary basis, by the general rules on the
administrative procedures.". Although there is a referral to the LPACAP, it is not
establishes in no way a subsidiary application with respect to the LRJSP that does not
contains in its articles any provision relating to administrative procedure
some.
In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided
in the same art. 29 of the LRJSP, since the RGPD establishes its own, for
Therefore, there is no legal loophole or subsidiary application of the same, nor is there any
application of the section relating to media competition and for identical reasons.”
As already indicated, in addition to the application of rules other than the GDPR regarding the
determination of fines in each of the Member States applying their
national law, whether due to aggravating or mitigating circumstances not provided for in
the RGPD -or in the LOPDGDD in the Spanish case-, either by the application of a
media contest other than that provided for in the RGPD, would reduce the effectiveness of the system that
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 58/88
would lose its meaning, its teleological purpose, resulting in the fines imposed by
different infringements would no longer be effective, proportionate and dissuasive. And of
This way would also deprive the interested parties of the effective guarantee of their
rights and freedoms, weakening the uniform application of the GDPR. The
mechanisms for the protection of the rights and freedoms of citizens and would be
contrary to the spirit of the GDPR.
Clarify, in advance, that supplementary status refers to cases in which, in
a certain norm does not regulate a specific assumption, legal loophole, giving
give rise to the application of another legal norm that regulates such a situation, provided that it does not
is inconsistent with the legal system.
While subsidiarity refers to a competition of standards, which means
that for a given case two or more rules may be applicable, so
so that the subsidizing norm cedes to the benefit of the main one.
Well, having examined both suppletoriness and subsidiarity, we conclude the
not application of article 29 of the LRJSP but of article 83 of the RGPD in relation
with the principle of proportionality.
This is so because:
• The principle of proportionality applies to the sanctioning procedure.
• The principle of proportionality is fully regulated in article 83 of the
GDPR.
• There is no legal loophole.
• Neither the RGPD nor the LOPDGDD refer to the application, due to the existence of a legal loophole,
of article 29 of the LRJSP.
• In the procedures processed by the AEPD, for the procedures
administrative procedures processed, the subsidiary application of the general rules is foreseen
on administrative procedures.
• In the procedures processed by the AEPD, for the procedures
administrative procedures processed and not in relation to the principles of the procedure
sanctioning, a subsidiary application of the LRJSP is not established in the LOPDGDD.
Therefore, there is neither supplementary nor subsidiarity that would make the article apply.
29 of the LRJSP.
Regarding the fact that, as I-DE indicates, the Agency itself has previously
said article 29 is considered applicable considering the existence of cases of
media contest, as in its Resolution of April 23, 2021, issued in the
procedure PS/00240/2019, it should be noted that the Administration can
separate from what was previously resolved. Thus, article 35 of the LPACAP establishes
that:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 59/88
1. They will be motivated, with succinct reference to facts and legal bases:
c) Acts that are separated from the criteria followed in preceding actions or
of the opinion of advisory bodies.
Therefore, it is legitimate for the Administration to separate itself from the criteria followed in
preceding actions, as long as said change is motivated, which
occurs in the present case. Thus, in addition to what has just been argued in this
own section, it is worth remembering again that this allegation was already made against the
Initiation Agreement, relating to the media contest and responded to it by motivating and
arguing why the existence of the medial competition is not considered and, furthermore,
The non-applicability of article 29 LRJSP is motivated. Therefore, it is necessary to refer to the
arguments put forward and that appear transcribed in the Third section of the
Legal basis IV of this Resolution.
Therefore, once argued and motivated, not only is the existence
of concurrence of infractions, as well as the reasons why it is not considered
applicable to article 29 LRJSP, the change of
criterion.
In this sense, the Sentence of March 12, 2018, of the Superior Court of
Justice of Madrid, Administrative Litigation Chamber, Section 4 (Rec. 761/2017),
points out, on the occasion of the review of a sanctioning procedure, that:
“(…) the Administration can separate itself from what was previously resolved
motivating the change (art. 35.c) of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations). As
points out the Supreme Court in its Order of December 4, 1998 "... so that
the doctrine of the acts of the Administration has application is
It is fundamentally necessary that a first body of the Administration has
issued a first act declaring rights and then in the second
revoke the decision taken in the first", and said circumstance does not occur
in this case because the present administrative act of tax settlement does not
revokes any decision taken in a preceding act relating to it
tax concept nor is there an express declarative act that is now
modify.
For these purposes, it is necessary to distinguish between the effectiveness of the acts of the
Administration and the connection of the Administration to the precedents
interpretative measures applied in previous situations since, in the event that
is questioned, and using the words of the Supreme Court (ruling of 25
February 2000), it is not possible to speak of "own act but at most a change of
criterion and interpretation, which is perfectly valid." Likewise, the STS
of June 27, 2000 states:
"...the principle of acting against one's own acts could not be taken to extremes
such that they obstruct the conformity with the Law of a certain action,
by the mere fact of" (the existence of) "another previous one of a different sign although
this was not protected by legality, in the same way that equality only
falls within the scope of legality, as is sufficiently known,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 60/88
under penalty of being able to consolidate illegal or inappropriate resolutions forever
to Law, irreversible and impossible to modify later.
The High Court has expressed itself in the same sense in other Sentences. So,
In that of February 1, 1999, it declares that "this principle cannot be invoked
to create, maintain or extend in the field of public law, situations
contrary to the legal system, or when the preceding act results in
contradiction with the purpose or interest protected by a legal norm that, due to its
nature, is not capable of protecting a discretionary action of the
Administration that involves the recognition of rights and/or
obligations that arise from its own acts. Or said by another
In this way, the doctrine of proper acts without the limitation that has just been explained
could introduce into the field of public law relations the principle
of the autonomy of the will as an ordering method of regulated matters
by norms of a mandatory nature, in which the public interest prevails
safeguarded by the principle of legality; a principle that would be violated
If an action by the Administration contrary to the
legal system for the sole fact that this has been decided by the
Administration or because it responds to a precedent thereof. (...) or, said in
In other words, it cannot be said that the trust placed
in an act or precedent that is contrary to the mandatory norm” (the emphasis
is ours).
Likewise, and for greater completeness, this criterion of understanding the article as not applicable
29 LRJSP is not new as it has been applied in previous sanctioning proceedings
at the moment. As an example, PS/00020/2023 and PS/00667/2023 are noted.
Finally, I-DE alleges that the application of Article 29 is also a possibility
recognized by Guidelines 4/2022, on the calculation of administrative fines under
the RGPD, which expressly stipulates the criteria that the authority must follow
administrative to evaluate, prior to imposition of the sanction, the possible
concurrence of these.
In light of this, it is noted that, in relation to the citation of Guidelines 04/2022 of the
CEPD on the calculation of administrative fines under the GDPR, in its version
2.1, adopted on May 24, 2023, in section 22 reference is made to three
types of concurrence, namely, infringement, unity of action and plurality of
actions: “When examining the analysis of the traditions of the Member States in
matter of competition rules, as indicated in the jurisprudence of the CJEU,
and taking into account the different areas of application and the consequences
legal, these principles can be roughly grouped into the three categories
following: - Concurrence of violations (chapter 3.1.1), - Unity of action (chapter
3.1.2), - Plurality of actions (chapter 3.2).
In cases of concurrence of infractions, the provision established in this regard
is that contained in article 83.3 of the RGPD, which establishes a quantitative limit in
these cases of concurrence: “If a person responsible or in charge of the treatment
breaches intentionally or negligently, for the same operations of
treatment or related operations, various provisions of this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 61/88
Regulation, the total amount of the administrative fine will not be higher than the amount
provided for the most serious infractions.”
Likewise, at this moment we must remember that the seriousness of the infractions
of the GDPR is determined in accordance with the rules established in it and not in the
LOPDGDD. The classification of infractions is regulated in article 83,
sections 4, 5 and 6 of the GDPR, while the classification of infringements as
very serious, serious or minor for the sole purposes of the prescription is provided in the
articles 72, 73 and 74 of the LOPDGDD.
Last but not least, the AEPD does not sanction for the same offense, such as
claims I-DE, but have been verified through proven facts not refuted by
I-DE, the commission of two differentiated infractions, classified differently,
Furthermore, in the specific case, there is no medial competition.
For all the above reasons, this allegation is rejected.
FIFTH: Regarding the lack of violation by I-DE of article 32 of the RGPD
Indicates again that I-DE had carried out an analysis of the risks that the treatment
of the data from access to GEA could generate the rights and freedoms of
interested parties, as well as implemented security measures that allowed mitigating
the aforementioned risks
I-DE does not agree that this Agency understands that the measures of
security were insufficient due to the existence of a
vulnerability in GEA that has given rise to the personal data breach, as
understands that the measures adopted by I-DE were robust despite having existed
a security incident, which he does not deny, but he does deny that it can be considered
that this result must necessarily determine the insufficiency of the measures
adopted by I-DE.
I-DE also points out that, even if the AEPD intends to indicate that the vulnerability
finally detected was “avoidable and identifiable”, the truth is that it had not been
been despite the adoption by i-DE of all the guidelines established by
the Iberdrola Group to preserve the security of the information being processed,
and in the same way it was not “avoidable and identifiable” that a
compromise in the credentials of a GEA user (…), as indicated in the
conclusions of the forensic report provided by my client (page 519 of the
administrative file), without in any case being able to prove that the
exfiltration took place as a consequence of the way in which it had been established
the generation of passwords in the application, as the AEPD categorically states.
And in this sense, I-DE understands that it is obvious to indicate that the state of the art of
pentesting techniques do not guarantee one hundred percent the detection of each and every
of vulnerabilities, which cannot even be qualified, as the
AEPD of obvious, let alone considered “avoidable and identifiable”.
Therefore, it maintains that the reasoning supported by the AEPD can only be qualified
to circulate because, being clear that jurisprudence has highlighted that the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 62/88
obligation to adopt security measures is one of means and not of result,
The AEPD carries out an assessment of the alleged non-compliance by I-DE with the obligation
to implement security measures by reversing the reasoning that must be followed
for this, by indicating throughout his Proposed Resolution that, ultimately, the
measures were objectively inadequate as a consequence of the fact that
The attack could indeed occur and the security breach took place.
Therefore, I-DE maintains that, in this way, the AEPD intends to avoid the doctrine
supported by the Supreme Court in its ruling of February 15, 2022
referring to the insufficiency of the measures, but ultimately their
reasoning is that the result is taken into consideration as a premise for
consider that the means were inadequate before it occurred.
For this reason, I-DE reiterates everything indicated in the document of allegations to the Startup Agreement and
bring up again the ruling of the Supreme Court that has just been
be mentioned, since the AEPD only intends to create an appearance that
the result is not taken into consideration as a determining fact of the alleged
violation of article 32, when, as has been proven, said result is the
premise on which the AEPD bases the alleged insufficiency of the measures adopted by
My client.
Faced with this, it should be indicated, first of all, that the analysis of the risks of the
treatment carried out from access from the GEA application does not show measurement
something to be adopted to alleviate the alleged risks detected. In fact, it is a
analysis based on a document attached by I-DE as Document No. 8
document explaining the logic followed to calculate the risk level according to
to this methodology. This methodology is implemented in a way
automated in the corporate activity registration tool itself
treatment, so that in the registration process itself it determines the level of risk
of the treatment. Thus, the application of said methodology in relation to the
treatment ***TREATMENT.1 resulted in a MEDIUM risk level,
as stated in Document No. 7 referred to above.”
In the aforementioned Document 8, certain threats or circumstances are detailed such as
“vulnerable groups” “access to personal data by more than 10 people”
“international transfers” “large-scale treatments” “profiles with
legal”. These circumstances are stated as questions and, as answered
“yes” or “no”, a result is applied:
(…)
Several of these questions appear in Document 7 referenced by I-DE, which
appears to be the Treatment Activity Record of the activity affected by the
personal data breach, in which the answer is “Yes” or “No” and a
“Medium” risk, but nothing more. That is, there is no indication of any measure adopted or that
should be adopted to alleviate this medium risk. Nor whether it is an inherent risk or
of a residual risk.
Likewise, as indicated in the Proposed Resolution in response to this
same allegation, nor, in view of the aforementioned Document 8, said analysis is
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 63/88
focused on risks of variable probability and severity that for the “rights and
freedoms of natural persons may entail processing, such as
physical, material or immaterial damages, in particular problems of
discrimination, identity theft, fraud, financial loss, harm to the
reputation, loss of confidentiality of data subject to professional secrecy,
unauthorized reversal of pseudonymization or any other economic damage or
significant social; in cases where the interested parties are deprived of their rights
and freedoms or are prevented from exercising control over their personal data; In the cases
in which personal aspects are evaluated, in particular the analysis or prediction of
aspects related to performance at work, economic situation, health,
personal preferences or interests, reliability or behavior, situation or
movements, in order to create or use personal profiles; in cases where
personal data of vulnerable people, in particular children, are processed; or in cases
in which the processing involves a large amount of personal data and affects a
large number of interested parties, etc., all in accordance with Considering 75 of the
GDPR
For its part, art. 28.2 LOPDGDD determines that “For the adoption of the measures
referred to in the previous section, those responsible and in charge of the treatment
will take into account, in particular, the increased risks that could arise in the
following assumptions:
a) When the treatment could generate situations of discrimination,
identity theft or fraud, financial loss, damage to the
reputation, loss of confidentiality of data subject to professional secrecy,
unauthorized reversal of pseudonymization or any other harm
economically, morally or socially significant for those affected.
b) When the treatment could deprive those affected of their rights and
freedoms or could prevent them from exercising control over their data
personal (,,,)”
Likewise, as explained in the guide “Risk management and impact assessment in
processing of personal data” of the AEPD, “The RGPD establishes the obligation of
manage the risk that a risk to people's rights and freedoms poses
treatment. This risk arises both from the very existence of the treatment and from
its technical and organizational dimensions. The risk arises both from the
automated data processing and manual processing,
human elements and the resources involved. The risk arises from the purposes of the
treatment and its nature, and also by its scope and the context in which it is
unwraps.”
However, as already indicated, these risks have not been assessed. Not have
assessed the damages to natural persons, material or immaterial, or at least not
it is proven that it has been done, lacking, therefore, a risk analysis focused on
the protection of the rights and freedoms of the interested parties. Likewise, neither
indicates what security measures to adopt to mitigate this “Medium” risk.
Therefore, I-DE has not proven what it states regarding that “it had led to
carried out an analysis of the risks that the processing of data from access to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 64/88
GEA could generate in the rights and freedoms of the interested parties, as well as
implemented security measures that allowed mitigating the aforementioned risks."
Secondly, in that I-DE had robust measures implemented and that
This Agency has linked the alleged non-compliance with article 32 to the result of the
incident, bringing up again what was stated by the Supreme Court in its
ruling of February 15, 2022 (cassation appeal 7359/2020), it means that,
As was already responded to this same allegation in the Proposed Resolution,
the deficiencies detected and which represent non-compliance with article 32 of the RGPD
They existed independently of the attack and the security breach that occurred.
Thus, in the present case there was a vulnerability in the GEA web application, so
prior to the attack and which was used by the cybercriminal. So, as it has
proven in the Proven Facts, the attack occurred from a user
validly logged (…).
Therefore, the above shows the existence of a web application with a
vulnerability that allowed:
-(…)
Likewise, as a subsequent measure to avoid incidents such as the one that occurred,
proceeded through I-DE to modify the GEA application (…).
On the other hand, as security measures existed before the incident, they pointed out,
among others, the following:
(…). And it is precisely this vulnerability that was used by the attacker during
the security breach.
(…).
From the above, it follows that this attack would have been avoided if that
code would not have been visible. Even more so if you take into account that this is one of the
requirements that are included in the indicated document, (…).
Likewise, this vulnerability is identifiable in security assessments. Without
However, during the investigation proceedings I-DE has not proven that
detect the vulnerability of the GEA application within the framework of the
security evaluation implemented in the Iberdrola Group. Furthermore, as has been
indicated, the last review or security assessment of critical applications dates from
2019, almost two and a half years before the incident, so they were not being very
taking into account the rapid advances in technology, as well as the
sophistication of cyber attacks, in addition to the fact that the
results obtained.
Therefore, the GEA application contained an avoidable and identifiable vulnerability that
was the one used by the attacker. This clearly shows a
non-compliance with article 32 of the GDPR, as it requires appropriate measures to
guarantee a level of security appropriate to the risk, and all this taking into account the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 65/88
state of the art, application costs and the nature, scope, context and
the purposes of the treatment.
(…)
Therefore, all this shows that the security measures at the time
of the incident were not appropriate for adequate data protection
according to the risks of the treatments and taking into account the state of the
technique and current costs.
Due to the above, in no way has this Agency indicated that the exfiltration
took place as a consequence of the way in which the
password generation in the affected application. What has been pointed out is that the
attack took place having taken advantage of the vulnerability in said application
consisting of the visualization, from a correctly validated session, (...).
In addition to this fact, what has been pointed out by this Agency is that it also
There were other deficiencies in security measures, such as a policy of
passwords (…).
These are deficiencies in themselves, regardless, it is insisted, of the concrete
incident that occurred and the personal data breach that occurred. However, not
The fact that the vulnerability in the GEA application was
precisely the one taken advantage of by the attacker who, in addition, initially
access validly logged in without the exfiltration being detected at first
illegitimate information and without being able to know with complete certainty why
medium obtained the credentials of a user, since in the report issued by the
company SIA about the incident, it is indicated that:
(…)
Likewise, the SIA company itself, in its recommendations, expressly indicated:
• (…)
Regarding the possibility of access to the web application from suspicious IPs or
malicious or, at least, not necessary for the business, it should not be forgotten either
that, as noted in the SIA company report, (…).
Therefore, in no way has this Agency relied on the result of the cyber attack
to justify non-compliance with article 32 of the RGPD, since, as has been stated
noted, said non-compliance already occurred before and independently of the attack
suffered, which shows that there were no appropriate measures to
ensure an adequate level of security.
Finally, regarding the Supreme Court Ruling of February 15, 2022
(cassation appeal 7359/2020), indicated by I-DE, means, as already stated
pointed out in the Proposed Resolution that the aforementioned Judgment effectively indicates,
on security measures regarding data protection, which “…the
obligation that falls on the person responsible and on the person in charge of the treatment
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 66/88
regarding the adoption of necessary measures to guarantee the safety of the
personal data is not an obligation of result but of means, without
the infallibility of the measures adopted is required. Only the
adoption and implementation of technical and organizational measures, which in accordance with the state
of the technology and in relation to the nature of the processing carried out and the data
personal data in question, reasonably allow to avoid its alteration, loss,
“unauthorized treatment or access.” (emphasis is ours)
However, the Judgment continues indicating, in the specific case analyzed in
same, that “…the program used to collect customer data does not
contained no security measures that would allow checking whether the address of
email entered was real or fictitious and whether it really belonged to the person
whose data was being processed and gave consent for it. The state
of the technique at the time these events occurred made it possible to establish
measures aimed at verifying the veracity of the email address, conditioning
the continuation of the process for the user to receive the contract at the address
provided and only from it provide the necessary consent for its
collection and treatment. Measures that were not adopted in this case.
(…) So, at the time these events occurred, there were
technical measures related to the registration process, which would have prevented the filtration of
personal data produced. This implies that the technical measures adopted
did not comply with the security conditions in the terms required in art. 9.1 of the
LO 15/1999, therefore incurring the infringement provided for in art. 44.3.h)
consisting of "Maintain the files, premises, programs or equipment that contain
personal data without due security conditions that via
regulations are determined [...]".
It should be noted, first of all, that this ruling is issued under the protection of the
regulations prior to the RGPD, in which, in accordance with the system provided for in the LOPD and in
the RLOPD, security measures were perfectly standardized. It has been
gone from a system with standard and static security measures for any
responsible for security measures specific to each organization (adapted to their
characteristics and idiosyncrasy), which considers the specific risks of the entity of
that is concerned; Furthermore, they are now dynamic, in such a way that they are not exhausted by the
implementation of security measures appropriate to the risk at the beginning of the
treatments, but must adapt to the risks that appear.
The new regulation provided for in the GDPR significantly expands the obligations of the
responsible for the treatment and its scope of action and responsibility, extending
now clearly to the actions carried out by those in charge of the
treatment, which fall within their scope of responsibility.
Secondly, the cited Supreme Court Judgment considers, in relation to
a violation of art. 9 of the LOPDP that “the obligation that falls on the
responsible for the file and about the person in charge of processing regarding the adoption
of measures necessary to guarantee the security of personal data
It is not an obligation of result but of means, without infallibility being required.
of the measures adopted. Only the adoption and implementation of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 67/88
technical and organizational measures, which in accordance with the state of technology and in
relation to the nature of the processing carried out and the personal data in question,
reasonably allow to avoid its alteration, loss, treatment or unauthorized access
authorized".
Regarding this, he specifies that “It is not enough to design the technical and organizational means
necessary, it is also necessary to correctly implement it and use it correctly.
appropriate, so that he will also be responsible for the lack of diligence in his
use, understood as reasonable diligence taking into account the circumstances
of the case".
As has been demonstrated and argued throughout this
sanctioning procedure, it is considered that there were no measures of
appropriate security measures to ensure security appropriate to the risk, including
even if there had been no personal data breach.
In this regard, this Agency wishes to point out that in no way does it consider that the
obligation to implement security measures imposed by the regulations of
data protection has the nature of an obligation of result and not of means.
But it is no less true that I-DE did not count, before the incident occurred,
with measures that “in accordance with the state of technology and in relation to nature
of the processing carried out and the personal data in question, reasonably allow
prevent its alteration, loss, treatment or unauthorized access.”
Therefore, although it is inferred from the Judgment that the obligations established by the
Article 32 of the GDPR are media, it also makes it clear that, if at the time of
When the incident occurred, there were adequate technical measures to avoid or mitigate the
effects thereof and were not applied, this represents a breach of the aforementioned
obligation imposed by the RGPD and, therefore, a violation of it.
In the present case, as has been repeatedly pointed out, there was a vulnerability
in the GEA application, (…). This clearly shows a breach of the
Article 32 of the GDPR, as it requires appropriate measures to guarantee a level
of security appropriate to the risk, and all this taking into account the state of the
technique, the costs of implementation and the nature, scope, context and purposes of the
treatment.
For the above reasons, the allegation is rejected.
SIXTH: Regarding the absence of violation of the principle of confidentiality and
integrity.
I-DE once again outlines the absolute identity between the two infractions that were committed against it.
charge to the extent that the alleged violation of article 5.1.f) of the RGPD or
well it turns out to be the result of the alleged violation of article 32 of said
Regulation or brings direct, immediate and exclusive cause of this assumption
second breach, that is, due to the lack of adequate security measures.
I-DE points out in this regard that the AEPD has not considered the existence of
any violation that does not refer to security measures, since no
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 68/88
indicated any measure that has ceased to comply other than the security measures that
may be required.
In this regard, it was already indicated in the Proposed Resolution that when art. 5.1.f)
of the GDPR refers to appropriate technical or organizational measures to ensure the
rights and freedoms of data subjects within the framework of compliance management
regulations of the RGPD does so in the sense provided for in art. 25 of the GDPR regarding
privacy by design.
This precept determines that,
“Taking into account the state of the art, the cost of the application and the
nature, scope, context and purposes of the processing, as well as the risks of
varying probability and severity that the treatment entails for the rights and
freedoms of natural persons, the person responsible for the treatment will apply, both
at the time of determining the means of treatment as well as at the time
of the treatment itself, appropriate technical and organizational measures, such as
pseudonymization, designed to effectively apply the principles of
data protection, such as data minimization, and integrate safeguards
necessary in the treatment, in order to comply with the requirements of this
Regulation and protect the rights of the interested parties” (emphasis is
our)
It should be noted that there are multiple technical or organizational measures that are not
security and that the person responsible for the treatment can implement as a channel to
guarantee this principle.
In this sense, I-DE has not proven that it has complied with the provisions of said
precept, since it has not been proven that, in accordance with the risks of
varying probability and severity that the treatment entails, for the rights and
freedoms of natural persons, has applied technical and organizational measures
appropriate measures, such as pseudonymization, designed and intended to apply
effectively the principles of data protection, among which is the
confidentiality principle.
Therefore, the GDPR requires the applicability of data protection from design and implementation.
need to manage both the risks to the rights and freedoms of
individuals, such as the impact on those rights and freedoms that a
data breach, especially in web environments, because they can affect a large
population volume.
As stated in the guidelines for treatments that involve communication of
data between public administrations of this Agency, whose reasoning is
extrapolated to large organizations that handle large amounts of data, always
There are risks related to personal data breaches. However, these
will be especially considerable in the processing of personal data carried out
carried out by large public and private organizations that are serving a large
part of the citizens, and even much more if they are interconnected. Is very
It is important to keep in mind that the risk that data breaches can pose
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 69/88
personal data in such treatments does not depend so much on whether categories of
sensitive and/or specially protected data as well as the consequences for the
fundamental rights that can arise from an information compromise
To estimate the impact that a personal data breach could have, you must
consider the consequences that would arise from its materialization. A form of
To do so is, before a breach occurs, to consider the possible scenarios of
materialization of a compromise of personal data, determine its
consequences, and evaluate how it affects the rights and freedoms of the interested parties,
especially if these are irreversible consequences on their fundamental rights
Regarding measures appropriate to the level of risks to rights and freedoms,
the art. 24.1 of the GDPR establishes that the measures to be adopted in a
treatment to guarantee and be able to demonstrate its compliance with the Regulation
must take into account the scope, context and purposes of the treatment, and must
address, in particular, the extent of subjects affected by it and the risk that
means for fundamental rights and not only the typology of the data
In the aforementioned Guidelines it is indicated that “the technical and organizational measures that
adopted must be specifically aimed at minimizing the risks
identified for rights and freedoms from potential data breaches
personal. This implies that the person responsible must evaluate the risks that may
appear, design measures aimed at minimizing its probability and impact, and
determine the extent to which such measures are appropriately managing the
“concrete risks in a dynamic process”
And it is added that “Appropriate measures must be selected and implemented
from the design of the treatments with the aim that all risk contexts
for rights and freedoms to be considered. It must be taken into account that
Some measures will be more effective in avoiding or mitigating the direct impact on the
individuals and other measures will be mainly about the social impact for the
Fundamental rights. It is necessary to apply a high level of data protection by
flaw (…)"
It is not disputed that a personal data breach may occur, therefore within
of the risk management of a given organization, precisely because
may produce a gap, said scenario must be evaluated as
inseparable part of risk management for the purposes of (i) adopting all types of
appropriate technical and organizational measures to prevent it from materializing and (ii)
determine post-facto measures to minimize damage. On this particular
The aforementioned Guidelines explain that “given the possible scenarios of materialization of
different types of gaps, the answer must be found, at least, to the following
questions from the design of the treatment and prior to its implementation:
• What personal and social impact a personal data breach can have if
materializes.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 70/88
• What data protection measures should be implemented a priori to
minimize the personal and social impact that a materialized breach could produce.
• What response measures should be planned and executed after the fact,
once the breach has occurred, to minimize the personal and social impact.”
Therefore, its management cannot be based exclusively on the scope of the
cybersecurity, but it has to encompass all the areas in which it is developed
treatment, since, otherwise, risk management would not be complete, and, therefore,
it would be useless. To achieve this, it is essential to adopt specific measures for the
data protection by design and by default, and also measures for a
effective management of the consequences of the gap aimed at protecting rights
fundamentals of natural persons.
As has been noted, there are multiple technical or organizational measures that are not of
security and that the person responsible for the treatment can implement as a channel to
guarantee the principle of confidentiality.
In this sense, I-DE has not proven that it has complied with the provisions of the
RGPD, since it has not been proven that, in accordance with all of the above, there has been
evaluated those risks and applied appropriate technical and organizational measures
aimed at effectively applying data protection principles, including
measures aimed at guaranteeing the principle of confidentiality. And along with this there must be
highlight that in this case the bankruptcy of the principle of
confidentiality
Furthermore, and apart from the above, not even in the analysis of the risks
to adopt the security measures of article 32, the measures have been indicated.
measures to be adopted to alleviate the “medium” risk that the activity of
treatment affected by the gap, as indicated below in detail.
more extensive and detailed in the response to the Fourth allegation hereof
Foundation of Law.
Therefore, in the case examined, as stated in the proven facts, there is
a clear loss of confidentiality since access has occurred by a third party
not authorized to the personal data processed by I-DE, which does not imply a
objective liability, since I-DE was not diligent in not guaranteeing, in this way,
adequate security through the application of technical measures and
appropriate organizational measures, not only security, but of all kinds.
Regarding what was pointed out by I-DE regarding that this AEPD has not accredited
in no way materializes the risk posed by the loss of confidentiality.
for the affected people, that no I-DE client has seen their
rights as a consequence of the security breach that occurred, which includes
which does not allow considering a principle violated and imposing as a consequence of
said alleged infringement the fine of two million euros on the basis of a mere
potential or the consideration that a high risk of fraud could occur, in
in any way accredited.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 71/88
Faced with this, and as already indicated in the Proposed Resolution, what was
charges I-DE is the violation of the principle of confidentiality since it is clear that, after
suffer a computer attack against the GEA website, there was illegitimate access to data
personal data and their extraction by an unauthorized third party, which meant
the loss of confidentiality and control of numerous personal data (name and
surnames, ID, postal address, fax, e-mail, telephone, customer code) and that affected
1,350,000 I-DE clients. Therefore, the risk did materialize, the loss of
confidentiality and loss of control over data. What is guaranteed is the
confidentiality in order to avoid the serious damage that bankruptcy may cause, since
It represents a high risk for the interested parties, if confidentiality is violated,
of fraudulent use of data: identity theft for recruitment
online, phishing, financial fraud, etc. The loss of confidentiality has already been
occurred in this case when the access and exfiltration occurred, which does not
is that there is a “probability” of risk, but rather the realization of this risk causing a
damage by itself. This represents a breach of the duty to guarantee the
confidentiality of personal data, since as indicated, article 5.1.f)
points out that they must be treated in such a way as to guarantee safety
adequate protection of personal data, including protection against unauthorized processing.
authorized or illegal.
Likewise, regarding the fact that none of its clients have been affected in any
of their rights as a consequence of the security breach, I-DE forgets that the
The loss of confidentiality itself means that the
core of the fundamental right to data protection, which is none other than that of
have control of personal data.
Regarding the high risk that this data, in the hands of
cybercriminal/s, were used fraudulently, this was indicated to express what
involves the loss of confidentiality, but is not necessary in any way, to
understand that article 5.1.f has been violated, that said risks of fraudulent use are
materialize, because what has materialized with the gap is the loss of
confidentiality of the personal data processed by I-DE, which is what is attributed to it
exclusively.
For the above reasons, the allegation is rejected.
SEVENTH: Regarding the violation of the principle of proportionality to the detriment of the
I-DE rights
I-DE draws attention to the fact that the same aggravating circumstances have been applied in
relation to the two infractions charged, which is understood to show to what extent
point the connection between both in total, proceeding with the application of what was invoked in
the Second and Third allegations (violation of the non bis in idem principle and
existence of medial contest)
In this regard, it was already indicated, in relation to the application of identical aggravating factors
in both infractions, that the circumstances provided for in art. 83.2 of the GDPR and the
provided in art. 76.2 of the LOPDGDD are the only ones that can be applied by
AEPD for any infraction.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 72/88
The determining factor in this case is not that they coincide in their use, but rather the foundation
to be established for your consideration.
Likewise, I-DE alleges the inappropriate application of article 83.2.a) of the RGPD,
drawing I-DE attention to the fact that it has been considered appropriate
aggravate the penalty imposed due to the fact that a loss of property has occurred
confidentiality of personal data, both in relation to article 32 and
article 5.1.f)
Thus, I-DE maintains that, in relation to the violation of article 32, in accordance with
traditional concept of security in systems, its objective is the
guarantee of the integrity, confidentiality and availability of the information, therefore
that, if the AEPD considers that the fact that a gap occurs
confidentiality would aggravate the conduct consisting of the alleged absence of such
security measures, any accusation for the alleged violation of article 32,
will be aggravated by the AEPD, which would entail the inclusion in the catalog of
violations of a kind aggravated by their very nature, which without
However, it is not included in the RGPD or the LOPDGDD.
In this regard, it should be noted, contrary to what has been argued, that the violation of
Confidentiality is not necessary or essential in the commission of the
violation of article 32, since as already indicated above, it can be
violate the aforementioned article 32 due to the absence of appropriate security measures or due to
inefficiency in its use or implementation, without necessarily having
a personal data breach has occurred. Another different thing is that it is put into
evidences the violation of article 32 as a consequence of the materialization of a
violation of the security of personal data that, by its very definition, involves
“any breach of security that results in the destruction, loss or alteration
accidental or unlawful personal data transmitted, preserved or otherwise processed
form, or unauthorized communication or access to said data” (section 12 of
article 4 of the GDPR)
Therefore, in the present case, there was a vulnerability in an I-DE application,
in addition to other deficiencies such as password policy and limits
existing in access to the application from suspicious IPs and not necessary for the
business development, which revealed that I-DE was not applying
appropriate measures to guarantee a level of security appropriate to the risk of its
treatments (don't forget that it is a web application, that is, with access from
internet), which in itself represents a violation of article 32. If in addition
These deficiencies have allowed or facilitated, as is the case, the occurrence of
a personal data breach (in this case, confidentiality breach), there is no
no obstacle to considering said violation as an aggravating circumstance of the
article 83.2.a), which allows taking into account the “nature, severity and duration of
the infringement, taking into account the nature, scope or purpose of the operation of
treatment in question as well as the number of interested parties affected and the level of
the damages and losses they have suffered” (emphasis added).
Regarding the application of the aggravating circumstance of article 83.2.a) for violation of the article
5.1.f), although it is true that the violation of confidentiality is not appropriate
as a circumstance to be taken into account to aggravate the infringement since
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 73/88
is subsumed in the offending type itself, it is also true that said precept, the
83.2.a) of the RGPD has been applied as an aggravating circumstance, also taking into account the
number of interested parties affected, which are very numerous, amounting to more than one
million people (1,350,000), as well as numerous data were stolen
personal information (name and surname, ID, postal address, e-mail, telephone number,
client code), so it is appropriate to continue taking these circumstances into account
as aggravating factors, so article 83.2.a) of the GDPR continues to apply.
Regarding the fact that I-DE understands that in relation to this aggravating circumstance, it is intended to take into account
account of alleged damages and losses suffered, which have not been proven
by the AEPD, it means that what is taken into account in said aggravating circumstance is the damage
and the risk that it poses in itself to loss of confidentiality, which entails a total
loss of control over one's own personal data and the high risk that it entails of
that are used fraudulently, since they have been stolen by a cybercriminal.
On the other hand, I-DE argues that the aggravating circumstance of article 83.2.b cannot be applied.
of the RGPD regarding the existence of negligence since, in the Court's Ruling
of Justice, of December 5, 2023 (case C-807/21), it is declared that:
“75 Consequently, it must be declared that article 83 of the GDPR does not
allows imposing an administrative fine for an infraction contemplated in
its sections 4 to 6 without proving that said infringement was committed
intentionally or negligently by the person responsible for the treatment and that, for
Therefore, guilt in the commission of the infraction constitutes a requirement
for the imposition of the fine.”
From this I-DE deduces that if this intentionality or negligence is necessary for
the infringement can be considered committed, it can hardly be considered that the
The most serious form of culpable guilt can act as an aggravating circumstance,
and even less about a subjective criterion, such as the volume of I-DE.
Faced with this, it should be noted that one thing is that, in order to impute an infringement
administrative is necessary the existence of intention or negligence and another, which does not
The existence of especially negligent negligence may be used as an aggravating circumstance.
highlighted, due to the circumstances of the case. The opposite would be contrary to one's own
article 83.2.b) which establishes that “When deciding to impose an administrative fine
and its amount in each individual case will be duly taken into account:
b) intentionality or negligence in the infringement”
Thus, in any violation of data protection regulations,
the existence of intentionality or negligence. And this both to a
data controller as a natural person, as a legal entity, whether a small
company with little connection with the processing of personal data, whether it is a
large company, a multinational, etc., and with processing of personal data in a manner
continuous and on a large scale, for example.
Therefore, once it has been determined that, as a premise, this subjective element occurs
base guilt, this does not prevent the aggravating factor from being considered
intentionality or negligence indicated by considering that, in accordance with the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 74/88
specific circumstances of the case, a different degree of intentionality is considered
or negligence in the actions of the offending subject. Thus, in accordance with the
Guidelines 04/2022 of the European Data Protection Board on the calculation of
administrative fines under the GDPR, version 2.1, adopted on 24
May 2023, notes the following:
“4.2.2 — Intentional or negligent nature of the infringement
55. In its previous guidance the EDPB stated that "in general, the intention
includes both knowledge and will in relation to the characteristics of
a crime, while "unintentional" means that there was no intention to cause the
infringement, although the controller/processor breached the duty to
care required by law.
Example 4 — Illustrations of intent and negligence (from WP 253)
"Circumstances indicative of intentional violations may be a
illicit processing explicitly authorized by the senior management hierarchy of the
responsible for the treatment, or despite the advice of the protection delegate
of data or violating existing policies, for example, obtaining and
processing of data about the employees of a competitor with the intention of
discredit that competitor in the market. Other examples here can be:
- the modification of personal data to give a (positive) impression
misleading about whether objectives have been met; we have seen it in the context
of targets for hospital waiting times
- the trading of personal data for commercial purposes, i.e. the sale of
data as “opted in” without checking or ignoring the opinions of users.
interested parties about how their data should be used
Other circumstances, such as failure to read and follow policies
existing, human error, lack of verification of personal data in the
published information, the lack of application of technical updates in the
timing, lack of policy adoption (rather than simply lack of
of application) may be indicative of negligence";
56. The intentional or negligent nature of the infringement [Article 83(2)(b) of the
GDPR] must be evaluated taking into account the objective elements of conduct
obtained from the facts of the matter. The EDPB highlighted that it is generally accepted that
intentional violations, "demonstrate contempt for the provisions of the law,
are more serious than unintentional ones. In the case of intentional infringement, it is
The supervisory authority is likely to give more weight to this factor. According to
the circumstances of the case, the supervisory authority may also attribute weight to the
degree of negligence. At best, negligence could be considered
neutral." (emphasis is ours)
In the present case, the aggravating circumstance of negligence was appreciated since the
detected vulnerability could have been avoided, and is also a vulnerability
identifiable in security assessments. Likewise, in relation to the infringement
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 75/88
of article 5.1.f) of the RGPD, negligence was also seen as an aggravating circumstance
shown by I-DE because, as has been pointed out, due to its subjective circumstances
and due to the high number of clients it has, a higher degree of
professionalism and diligence in the duty to guarantee the confidentiality of the
personal data of its numerous clients.
Regarding the consideration of the size of I-DE as an aggravating factor, it should be noted
that the same level of diligence cannot be demanded from a company like I-DE, which
required from a natural person or a small business, for example. This means that
A higher level of diligence is required because the level of professionalism is
elderly.
It is appropriate to recall again, in this sense, the Judgment of the National Court of
10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the
continuous processing of customer data, indicates “…the Supreme Court comes
understanding that imprudence exists whenever a legal duty of
care, that is, when the offender does not behave with the required diligence. And in the
assessment of the degree of diligence, special consideration must be given to professionalism
or not of the subject, and there is no doubt that, in the case now examined, when the
activity of the appellant is constant and abundant handling of data of a
personnel must insist on rigor and exquisite care to conform to the
legal provisions in this regard.
Finally, contrary to what was stated by I-DE, the consideration of this aggravating circumstance
of negligence has at no time meant that the limit has been increased
maximum of the sanction to be imposed, since the maximum limits are established
in sections 4 and 5 of article 83 of the RGPD, which allow imposing a
penalty, respectively of 10,000,000 euros or 2% of the business volume
global annual total and 20,000,000 euros or 4% of the total annual business volume
global. Therefore, at no time has the maximum amount of the
sanction that could be imposed as a consequence of the application of the aggravating circumstances
as indicated by I-DE.
Regarding the aggravating circumstance included in article 76.2.b of the LOPDGDD,
I-DE points out that his behavior is getting worse due to the mere fact of belonging to
a specific sector of activity. In this regard, it is meant that this provision does not
The specific activity to which I-DE is dedicated (distributor) is taken into consideration.
of energy), but its connection with the performance of data processing
personal, since it carries out massive and large-scale treatments (21 million
clients), through computer applications and web applications and continuously.
In this sense, the Spanish legislator has considered including in article 76 of the
LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of the Regulations
(EU) 2016/679 may also be taken into account:
(…)
b) The linking of the offender's activity with the performance of medical treatments.
personal information."
This Agency simply takes into consideration that circumstance, provided for by the
legislator, when deciding the imposition of the administrative fine.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 76/88
Finally, I-DE alleges the breach of the principle of equal treatment if it is taken into account
consideration of the precedents of this Agency. Thus, it indicates the procedure
PS/000179/2020 in which it indicates that a minor penalty was imposed despite
understand that the circumstances were more serious, but that, above all, in said
file, no sanction was imposed for violation of article 5.1.f) of the RGPD,
despite the existence of a data confidentiality breach being evident,
The AEPD having therefore modified its criteria, since by now converting what was
considered a violation of article 32 of the GDPR in two violations, by making
now refers to 5.1.f) of the RGPD, and considerably multiply the total amount of
The infringement represents a flagrant breach of the principle of equality, security
legal and public faith. Likewise, he points out that this also goes against the doctrine of
own acts.
Faced with this, as already pointed out in the Proposed Resolution, the
circumstances and facts of procedure PS/000179/2020 are not the same nor
comparable, just as there is no equality in illegality, so there is no
try to equate sanctions in the face of different facts and circumstances. Therefore,
It is necessary to refer to the response to this same allegation and which appears
transcribed in its entirety in the Sixth section of the Fundamentals of Law IV of the
present Resolution.
Regarding what I-DE maintains regarding the fact that the principle of
equality also in the fact that PS/000179/2020 only sanctioned
for a violation of article 32 and was not considered a violation of article 5.1.f) of the
RGPD, there having also been a confidentiality breach, and that this also
goes against the doctrine of proper acts, it means that I-DE has only
selected and brings up this file to defend an alleged treatment
unequal but which, however, ignores the numerous sanctioning procedures
existing prior to the present in which, after a gap of
confidentiality, has been sanctioned for violating both precepts. By way
As an example and without exhaustive character, since there are more, the following should be indicated:
PS/00444/2021, PS/00420/2021, PS/00528/2021, PS/00099/2022, PS/00113/2022,
PS/00164/2022, PS/00419/2022, PS/00168/2022.
Finally, regarding the procedure PS/0002/2023 in which they have been imposed
also two sanctions for violating both article 32 and 5.1.f) of the RGPD and that for
also refer to a company in the electrical sector, brings up I-DE to make
a comparison, because there it was imposed, in the total sum of the two sanctions for
these two infractions, an amount that only exceeds 500,000 euros than those imposed
to I-DE, despite the fact that there were affected parties, it means again that the
facts and circumstances are different and that, for this reason, a fine was imposed
different (in this case higher), in addition to other fines for other violations
different ones that were considered.
In this sense, it is once again recalled that, in terms of data protection, the
technical and organizational security measures to be adopted by those responsible for the
treatment and other obligations to comply required by the RGPD, must be the
appropriate in relation to the specific risks posed by the specific
treatments carried out by each person responsible. Therefore, when analyzing the diligence of some
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 77/88
and others in compliance with the regulations must be based on the circumstances of each
case, taking into account the nature, scope, context and purposes of each
treatment, therefore there are no identical cases. In this sense, it must be remembered
that article 83, in section 2, establishes that “Administrative fines are
will be imposed, depending on the circumstances of each individual case…” (the emphasis
is ours)
Therefore, it is necessary to attend to the circumstances of each individual case, there being no
two identical files and, therefore, with equal results.
As a general and final consideration, it should be noted that none of the sanctions
applied violates the principle of proportionality. Thus, it must be remembered that the
articles 83.4 and 83.5 of the RGPD, where the
violation of article 32 and article 5.1.f), establish limits on the amounts
of the fines that can be imposed, very far from those that have finally been imposed
established.
Thus, article 83.4 of the aforementioned Regulation establishes that sanctions will be imposed, in accordance
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
total global annual business volume of the previous financial year, opting for the
of greater amount. In this regard, according to the Axesor entity, the volume
of business for 2022 from I-DE was ***AMOUNT.2 euros, which would have
allowed to impose a penalty of up to ***AMOUNT.3 euros, for the violation
of article 32.
For its part, article 83.5 of the RGPD establishes that sanctions will be imposed, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
total global annual business volume of the previous financial year, opting for the
of greater amount. In this regard, in accordance with the turnover
indicated, would have allowed imposing a penalty of up to ***AMOUNT.4 euros,
for violation of article 5.1.f).
Therefore, taking into account the above, as well as the negligence of I-DE in having a
web application with the vulnerability detected, with a weak password policy and
with access permissions from suspicious IPs and not necessary for development
of your business activity (and much less for the purpose of the application in
issue), from which the personal data of its clients is accessed and taking into account
takes into account the high number of affected people whose personal data were
exfiltrated by a cybercriminal, which represents a loss of control over the
personal data irremediably, with the risk that this entails, cannot be
It can be said that the sanctions finally imposed violate the principle of
proportionality, taking into account that “Each supervisory authority will ensure that
the imposition of administrative fines in accordance with this article for the
infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in
each individual case effective, proportionate and dissuasive” (emphasis is
our)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 78/88
SAW
Integrity and confidentiality
Article 5.1.f) “Principles relating to processing” of the GDPR establishes:
"1. The personal data will be:
(…)
f) treated in such a way as to ensure adequate safety of the
personal data, including protection against unauthorized processing or
unlawful and against its loss, destruction or accidental damage, through the application
of appropriate technical or organizational measures ("integrity and
confidentiality»).”
The principle of data integrity and confidentiality requires a guarantee of
security in the application of technical or organizational measures that prevent alteration
of personal data, its loss, unauthorized or illicit processing or access. It's not
the existence of this fundamental right is not possible if the
confidentiality, integrity and availability thereof.
Hence, the integrity and confidentiality of personal data are considered
essential to prevent the interested parties from suffering negative effects. Therefore, they must
be treated in a manner that ensures adequate integrity and confidentiality of
personal data, especially to prevent access, processing or use
authorized users of said data.
In short, it is the data controller who has the obligation to integrate the
necessary guarantees in the treatment, with the purpose of, by virtue of the principle of
proactive responsibility, comply and be able to demonstrate compliance, while
while respecting the fundamental right to data protection.
In this regard, it must be remembered that the confidentiality of personal data is
regulated in article 5 of the RGPD, being, therefore, one of the principles relating to
treatment. The principles relating to treatment are, on the one hand, the starting point
and the closing clause of the legal data protection system, constituting
true informing rules of the system with an intense expansive force; for another
On the other hand, as they have a high level of specificity, they are mandatory standards.
likely to be infringed.
Article 5.1.f) of the GDPR establishes a clear obligation of consistent compliance
in preventing unauthorized or illicit treatments by implementing measures of all kinds
adequate to guarantee the confidentiality, integrity and availability of the data.
Consequently, those responsible for the treatment must be available to
guarantee the confidentiality of personal data to prevent a third party
access data that does not belong to them, since it is precisely their responsibility to process the
personal data in accordance with the RGPD and LOPDGDD. For this reason, it is an activity in
where the diligence provided by them is essential to avoid this type of access
Not allowed.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 79/88
In the present case, the principle of confidentiality has been violated since it is clear that
after suffering a computer attack against the I-DE connection management website
(GEA), taking advantage of its vulnerability, an illegitimate access occurred
to personal data and their extraction, which meant the loss of
confidentiality and control of numerous personal data (name and surname,
ID, postal address, fax, e-mail, telephone, customer code) and which affected, among others,
1,350,000 I-DE clients. This represents a breach of the duty to guarantee the
confidentiality of personal data, since as indicated, article 5.1f)
points out that they must be treated in such a way as to guarantee safety
adequate protection of personal data, including protection against unauthorized processing.
authorized or illegal.
Therefore, the risk of loss of confidentiality has materialized, having been
usurped by a cybercriminal, which means that they can be used for
not known (sold, communicated, published, etc.), all without consent
of its owners, leading to a total and absolute loss of control over them.
In addition, it also poses a very high risk of fraudulent use of them.
(identity theft, fraud, financial losses, etc.) or that serve to
any other utility that in certain circumstances constitutes a threat
for its owners. It should also be taken into account that most of the data
Leaked personal information is data that cannot be modified or changed by others.
(name, surname, ID, address...)
This loss of control over one's own personal data results in a
violation of the fundamental right to data protection recognized in the article
18 of the Spanish Constitution, as the Constitutional Court has indicated
(Sentence 292/2000, of November 30, 2000) “the fundamental right to
Data protection seeks to guarantee the person power of control over their
personal data, about its use and destination, with the purpose of preventing its illicit trafficking and
harmful to the dignity and rights of the affected person (…) The right to data protection
"It guarantees individuals the power to dispose of these data."
For all the above and in accordance with the evidence available in
At this time of proposal for a resolution, it is considered that the known facts
could constitute an infraction, attributable to I-DE, for violation of the
article 5.1.f) of the RGPD.
VII
Classification of the violation of article 5.1.f) of the RGPD
The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations
typified in article 83.5 of the RGPD that under the heading “General conditions
for the imposition of administrative fines” provides:
“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 80/88
global total annual business volume of the previous financial year, opting for
the largest amount:
a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”
For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. (…)”
VIII
Penalty for violation of article 5.1.f) of the RGPD
In accordance with the evidence available, the sanction should be graduated to
impose in accordance with the following criteria established in article 83.2 of the
GDPR:
As aggravating factors:
- Article 83.2.a) RGPD: Nature, severity and duration of the infringement.
-Number of interested parties affected: there are very numerous people affected, since
amounts to more than one million I-DE clients (1,350,000).
-Level of damages and losses suffered: High. Numerous were stolen
personal data (name and surname, ID, postal address, e-mail, phone number
telephone, client code) and a very considerable number of I-DE clients
(1,350,000) losing, therefore, all control over them, thus emptying
of content the fundamental right to the protection of personal data that,
As indicated by the Constitutional Court in the previously reviewed Judgment,
seeks to guarantee the person power of control and disposition over their
personal data, about its use and destination, with the purpose of preventing its traffic
illegal and harmful to the dignity and rights of the affected person.
- Article 83.2.b) RGPD. Intentional or negligence in the infringement: the
existence of negligence in compliance and observance of technical measures and
organizational measures to ensure the security necessary for data protection
personal data, specifically to guarantee their confidentiality. To this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 81/88
In this regard, it must be remembered that I-DE is a large company, which carries out treatments
large scale, affecting its treatments to numerous natural persons (21 million
people) so a higher level of diligence is required.
It is worth remembering, in this sense, the Judgment of the National Court of
10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the
continuous processing of customer data, indicates “…the Supreme Court comes
understanding that imprudence exists whenever a legal duty of
care, that is, when the offender does not behave with the required diligence. And in the
assessment of the degree of diligence, special consideration must be given to professionalism
or not of the subject, and there is no doubt that, in the case now examined, when the
activity of the appellant is constant and abundant handling of data of a
personnel must insist on rigor and exquisite care to conform to the
legal provisions in this regard.
As mitigating factors:
- Article 83.2.c) RGPD. Measures taken by the person responsible to alleviate the damage and
damages suffered by the interested parties: Positive. As soon as he became aware of the attack,
reacted as quickly as possible and proceeded to take measures aimed at repelling
the same and to avoid its repetition (suspension of the web application; blocking of IPs
suspicious events, disconnections, etc.) and immediate activation of its internal protocols
corresponding, which could have avoided a much more serious impact.
Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and measures
“corrective measures” of the LOPDGDD:
As aggravating factors:
- Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance
of personal data processing: The development of the activity
I-DE's business involves continuous, large-scale processing of
personal data, since, according to what it states, it processes data of 21 million people. By
Therefore, it is a large company used to processing personal data.
In accordance with the evidence available, taking into account the
circumstances of the case and the criteria established in article 83.2 of the RGPD with
regarding the infraction committed by violating the provisions of article 5.1.f) of the
GDPR, a penalty of €2,500,000 (two and a half million euros) is established.
IX
Article 32 of the GDPR
Article 32 “Security of processing” of the GDPR establishes:
"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 82/88
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
c) the ability to restore availability and access to data
personnel quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the
treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to
takes into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
present article.
4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and
has access to personal data can only process said data following
instructions of the person responsible, unless it is obliged to do so by virtue of the Law of
the Union or the Member States.”
Article 32 does not establish static security measures, but will correspond to the
responsible for determining those security measures that are necessary to
guarantee the confidentiality, integrity and availability of personal data,
Therefore, the same data processing may involve security measures
different depending on the specific specificities in which said
data treatment.
In line with these provisions, Recital 75 of the GDPR establishes:
risks to the rights and freedoms of natural persons, serious and
variable probability, may be due to data processing that could cause
physical, material or immaterial damages, particularly in cases where
that the treatment may give rise to problems of discrimination, usurpation of
identity or fraud, financial loss, reputational damage, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymization or any other significant economic or social harm; in the
cases in which the interested parties are deprived of their rights and freedoms or are
prevents you from exercising control over your personal data; in cases where the data
processed personal reveals ethnic or racial origin, political opinions, religion
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 83/88
or philosophical beliefs, militancy in unions and the processing of genetic data,
data relating to health or data on sexual life, or convictions and offenses
criminal or related security measures; in cases in which they are evaluated
personal aspects, in particular the analysis or prediction of aspects related to the
performance at work, economic situation, health, preferences or interests
personal, reliability or behavior, situation or movements, in order to create or
use personal profiles; in cases in which personal data of
vulnerable people, particularly children; or in cases where the treatment
involves a large amount of personal data and affects a large number of
interested. (emphasis is ours)
Likewise, Recital 83 of the GDPR establishes: In order to maintain the security and
prevent the processing from infringing the provisions of this Regulation, the
responsible or the person in charge must evaluate the risks inherent to the treatment and
apply measures to mitigate them, such as encryption. These measures must guarantee a
appropriate level of security, including confidentiality, taking into account the status
of the technique and the cost of its application with respect to the risks and the nature of
personal data that must be protected. When assessing risk in relation to
data security, the risks that arise from the
processing of personal data, such as destruction, loss or alteration
accidental or unlawful personal data transmitted, preserved or otherwise processed
form, or unauthorized communication or access to said data, susceptible in
particular of causing physical, material or immaterial damages. (he
emphasis is ours)
In short, the first step to determine the security measures will be the
Risk assessment. Once evaluated, it will be necessary to determine the measures of
security aimed at reducing or eliminating risks for the treatment of
data.
Data security requires the application of technical or organizational measures
appropriate in the processing of personal data to protect said data
against access, use, modification, dissemination, loss, destruction or accidental damage,
unauthorized or illicit. In this sense, security measures are key when
to guarantee the fundamental right to data protection. It is not possible
existence of the fundamental right to the protection of personal data if it is not
possible to guarantee their confidentiality, integrity and availability.
It should not be forgotten that, in accordance with article 32.1 of the aforementioned GDPR, the
technical and organizational measures to apply to guarantee a level of security
appropriate to the risk must take into account the state of the art, the costs of
application, nature, scope, context and purposes of the processing, as well as
risks of varying probability and severity to the rights and freedoms of
Physical persons.
Therefore, I-DE, when evaluating risks and determining technical measures and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
is obliged to take into account the specific activity that its business entails, which
involves processing personal data continuously and on a large scale (numerous data at a time)
collect, process, store...); the type of data processed: identification,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 84/88
contact, those related to the supply and consumption of electricity, current accounts,
etc); the context: use of a web application on the Internet, that is, in an environment not
isolated, which entails risks derived from the interconnectivity itself that the
network, which must be attended to in a specialized way.
Therefore, derived from the activity to which it is dedicated, I-DE is obliged to carry out
a very specialized way of analyzing risks and implementing measures
appropriate technical and organizational measures to guarantee a level of security appropriate to the
risk of its activity for the rights and freedoms of people.
In the present case, as noted above, I-DE suffered a cyber attack on
its GEA web application, causing a security breach consisting of a breach
of confidentiality when there is access to personal data of its clients,
contained in the Group's database and an illicit exfiltration of the same.
The GEA application is an I-DE web application used for the management of
electrical connections. It is published on the Internet for access by
users (customers, installers, etc.) involved in the management process of those
connection files.
(…)
All of the above shows that I-DE was not diligent enough when it came to
implement appropriate security measures to prevent incidents from occurring
of security like the one that took place in the present case, that is, it did not apply measures
appropriate technical and organizational measures to guarantee a level of security appropriate to the
risk of your personal data processing. Likewise, there is no appreciation of the
necessary diligence in the process of regular verification, evaluation and assessment of
the effectiveness of technical and organizational measures to ensure the safety of the
treatment. (article 32.1)
Therefore, in accordance with the evidence available, it is considered that
The known facts constitute an infringement, attributable to I-DE, for
violation of article 32 of the RGPD.
x
Classification of the violation of article 32 of the RGPD
The aforementioned violation of article 32 of the RGPD implies the commission of the violations
typified in article 83.4 of the RGPD that under the heading “General conditions
for the imposition of administrative fines” provides:
“Infractions of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
a) the obligations of the controller and the processor pursuant to Articles 8,
11, 25 to 39, 42 and 43; (…)”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 85/88
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”
For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
f) The lack of adoption of those technical and organizational measures that
are appropriate to guarantee a level of security appropriate to the risk
of the treatment, in the terms required by article 32.1 of the Regulation
(EU) 2016/679.
XI
Penalty for violation of article 32 of the GDPR
In accordance with the evidence available, the sanction should be graduated to
impose, in accordance with the following criteria established in article 83.2 of the
GDPR:
As aggravating factors:
- Article 83.2.a) RGPD: Nature, severity and duration of the infringement.
-It is considered that the nature of the infraction is serious since it has
entailed a loss of confidentiality and, therefore, of disposition and control
irremediable on personal data.
-Number of interested parties affected: there are very numerous people affected, since
amounts to 1,350,000
-Level of damages and losses suffered: High. Numerous were stolen
personal data (name and surname, ID, postal address, e-mail, phone number
telephone, client code) and a very considerable number of I-DE clients
(1,350,000) losing, therefore, all control over them, thus emptying
content the fundamental right to the protection of personal data that, as
indicates the Constitutional Court in the previously reviewed Judgment, pursues
guarantee the person power of control and disposal over their personal data,
on its use and destination, with the purpose of preventing its illicit trafficking and harm to the
dignity and rights of the affected person.
- Article 83.2.b) RGPD. Intentional or negligence in the infringement: the
existence of negligence in compliance and observance of technical measures and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 86/88
organizational measures to ensure adequate security for data protection
personal data, specifically to guarantee their confidentiality. The
detected vulnerability could have been avoided, and is also a vulnerability
identifiable in security assessments.
In this regard, it must be remembered that I-DE is a large company, which carries out
large-scale treatments, affecting numerous natural persons
(21 million people) so a higher level of diligence is required and
appropriate security measures to ensure the confidentiality of data
personal it deals with.
It is worth remembering, in this sense, the Judgment of the National Court of
10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the
continuous processing of customer data, indicates “…the Supreme Court comes
understanding that imprudence exists whenever a legal duty of
care, that is, when the offender does not behave with the required diligence. And in the
assessment of the degree of diligence, special consideration must be given to professionalism
or not of the subject, and there is no doubt that, in the case now examined, when the
activity of the appellant is constant and abundant handling of data of a
personnel must insist on rigor and exquisite care to conform to the
legal provisions in this regard.
As mitigating factors:
- Article 83.2.c) RGPD. Measures taken by the person responsible to alleviate the damage and
damages suffered by the interested parties: Positive. As soon as he became aware of the attack,
I-DE staff reacted as quickly as possible and proceeded to take action
aimed at repelling the same and to avoid its repetition (suspension of the web application;
blocking suspicious IPs, disconnections, etc.) and immediate activation of your
corresponding internal protocols, which could have avoided a major impact
More serious.
Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and measures
“corrective measures” of the LOPDGDD:
As aggravating factors:
- Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance
of personal data processing: The development of the activity
business that I-DE performs involves a continuous, large-scale treatment of
personal information. Therefore, it is a large company used to treating
of personal data.
The balance of the circumstances contemplated in article 83.2 of the RGPD and the
article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the
established in article 32 of the RGPD, allows establishing a penalty of €1,000,000
(one million euros).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 87/88
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U., with NIF
A95075578, for a violation of Article 5.1.f) of the RGPD typified in Article
83.5 of the RGPD, a fine of 2,500,000 euros (TWO MILLION FIVE HUNDRED THOUSAND
EUROS).
SECOND: IMPOSE I-DE REDES ELÉCTRICAS INTELLIGENTES, S.A.U., with
NIF A95075578, for a violation of Article 32 of the RGPD, typified in Article
83.4 of the RGPD, a fine of 1,000,000 (ONE MILLION EUROS)
THIRD: NOTIFY this resolution to I-DE REDES ELÉCTRICAS
INTELLIGENTES, S.A.U.
FOURTH: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00-0000-0000-0000-0000-0000, opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.
Otherwise, it will be collected during the executive period.
Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 76.4 of the LOPDGDD and given that the
The amount of the penalty imposed is greater than one million euros, it will be subject to
publication in the Official State Gazette of the information that identifies the offender, the
violation committed and the amount of the penalty.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 88/88
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative means if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative procedure within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-16012024
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
