
AEPD (Spain) - EXP202416691

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.06.2023
Decided: 15.01.2025
Published: 14.03.2025
Fine: 42,000 EUR
Parties: Spanish Society of Medical Oncology
National Case Number/Name: EXP202416691
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: cwa

The Spanish Society of Medical Oncology was fined €42,000 after its processor suffered a data breach exposing 2,622 patients' personal data, including health data.

English Summary

Facts

The Spanish Society of Medical Oncology (controller) promoted the participation of cancer patients in a study conducted by a data processor. The patients downloaded a mobile app and, using a code given to them by their oncologist, entered data about their well-being.

In June 2023, the controller notified the AEPD (the Spanish DPA) that the processor had suffered a security breach resulting in unauthorised access to 2,622 patients' personal data by a malicious actor acting intentionally. The personal data consisted of the participants' email addresses, phone numbers and health-related data.

Holding

The DPA’s investigation revealed that the processor had failed to properly implement cryptographic controls to allow for the encryption of the data. Based on evidence from the National Cybersecurity and Technology Expertise Association, the DPA found that the failure to implement such controls facilitated the occurrence of the breach.

The DPA found that the controller had infringed Article 5(1)(f) GDPR for failing to ensure appropriate security of processing.

The DPA initially levied a fine of €70,000 for the infringement but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may acknowledge its responsibility for the alleged violations and/or make a voluntary payment of the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €42,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202416691

RESOLUTION TERMINATING THE PROCEDURE FOR RECOGNITION OF LIABILITY AND VOLUNTARY PAYMENT

Regarding the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On December 20, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the SCIENTIFIC SOCIETY OF MEDICAL ONCOLOGY FOUNDATION (hereinafter, FSEOM), through the following agreement:

<<
File No.: EXP202416691

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

Regarding the actions taken by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: The SCIENTIFIC SOCIETY OF MEDICAL ONCOLOGY FOUNDATION, with NIF G07324239 (hereinafter, FSEOM) promoted the implementation of ***PROJECT.1, with the objective of (…). The data was collected by the patient themselves in a mobile application in which they registered using a code provided by their medical oncologist. (…)

For the implementation of this project, FSEOM relied on the company ***COMPANY.1 as the supplier and processor of the personal data collected within the framework of the aforementioned study.

On June 23, 2023, this Agency was notified of a personal data breach by the SCIENTIFIC SOCIETY OF MEDICAL ONCOLOGY FOUNDATION, with NIF G07324239.

This notification reported the following:

- The incident was intentional, intended to harm the controller/processor or the affected individuals.
- The origin of the incident was: External: Others, unrelated to the controller and/or processor.
- What could have happened?: Cyberincident: (…)
- As a result of the incident, the following has been compromised: Confidentiality.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/25

- Specifically referring to the data affected by the confidentiality breach. Is the data securely encrypted, anonymized, or protected in a way that makes it unintelligible to anyone who may have accessed it, or is it impossible to identify individuals? No.
- What could have happened? You can select several options: Being a victim of phishing/spamming campaigns, Financial losses, Loss of control over your personal data
- To what extent could the identified consequences affect individuals? Individuals may experience significant inconveniences, causing limited damage, which they will be able to overcome despite some difficulties (additional costs, denial of access to commercial services, fear, lack of understanding, stress, minor physical ailments, etc.)
- As of the date of this notification, are you aware that any of the identified damages have materialized, to the degree indicated in the previous question? No
- How do you assess the likelihood that the above damage will materialize on the affected individuals with the severity indicated? High
- Provide a brief description of what happened. Last Wednesday, June 14, 2023, in the late afternoon, ***EMPRESA.1 detected unauthorized access (…) that directly affected the personal data of participants in a study sponsored by the Spanish Society of Medical Oncology, for which ***EMPRESA.1 is the CRO and technology provider, as well as the data processor.
- Types of data affected: Contact information, Health (other health data)
- In total, how many people's data have been affected by the personal data breach? (…)
- Please indicate the date the breach was detected, understood as the date on which the data controller is certain that personal data has been affected. June 20, 2023
- Do you know the date the breach began? Approximately / Estimated
- Indicate the start date of the breach: June 14, 2023
- Security measures before the breach: (...)
- Have you adopted new security measures after the incident that could have prevented the breach? Yes
- Mark only the new security measures and those that have been updated (...).
- Communication to those affected by the personal data breach: Have the affected individuals been notified of the breach under the conditions described above? No, but they will be informed.
- At the latest, the affected individuals will be informed by the following date: July 21, 2023
- Means of notification: Communication addressed personally to each affected individual (postal, email, SMS, or similar), Public announcement, or publication on the corporate website.
- Data processor: Is a data processor involved in the personal data breach? Yes.
- Name of the Organization: ***COMPANY.1.

On July 21, 2023, the FSEOM submitted a letter extending the notification of this breach to this Agency. The information initially provided remained unchanged, except for:

- What is your intention? To modify a previously made notification to provide relevant information.
- What could have happened? You can select several options: Being a victim of phishing/spamming campaigns, Loss of control over your personal data.
- To what extent could the identified consequences affect individuals? Individuals will not be affected, or they may experience some very limited and reversible inconveniences that they will overcome without any problems (information re-entry time, inconvenience, irritation, etc.).
- In total, how many individuals have had their data affected by the personal data breach? 2622
- Indicate the date the breach was resolved: 07/20/2023
- Communication to those affected by the personal data breach. Have the affected individuals been notified of the breach under the conditions described above? Yes
- Date of reporting: 07/20/2023
- Number of people informed: 2,622
- Means of reporting: Communication addressed personally to each affected person (postal, email, SMS, or similar) with a guarantee of delivery and verification, Public announcement or publication on the corporate website

SECOND: As a result of the known facts, on July 13, 2023, the Director of the Spanish Data Protection Agency urged the Subdirectorate General for Data Inspection (SGID) to initiate the preliminary investigative actions referred to in Article 67 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, LOPDGDD).

THIRD: The Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, pursuant to the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VIII of the LOPDGDD.

On February 12, 2024, a letter was received from the FSEOM in response to a request from this Agency, providing, among other things, the following information:

1. Document No. 1: Expert report on the breach, dated July 5, 2023, prepared by the National Association of Cybersecurity and Technological Expertise. This report incorporates the following statements made by the computer expert:

“(…)”.


“Technical recommendations that would allow for improvements to the client's platform:
(…)

“During the course of work and drafting this expert opinion, ***COMPANY.1
has implemented various improvements to its procedures, which I explain below:

(…)

“Furthermore, I have been able to verify the planning of technical improvement measures that
are underway or will begin shortly:
(…)

The expert report concludes with the following text:

(…)

2. Provided as Document No. 2: expert report prepared by an external company contracted by FSEOM following the breach (***COMPANY.2), dated February 9, 2024. Its content highlights:

- “***COMPANY.1 hereby notifies SEOM… by email dated June 16, Friday at 5:44 PM, the incident that was detected on June 14, affecting an undetermined number of clients of ***EMPRESA.1, including SEOM, indicated that with the information available, it cannot be concluded that personal data had been affected (...) On Tuesday, June 20, at 5:44 PM, a new email communication was sent from ***EMPRESA.1 informing SEOM of the measures taken in its systems, as well as the fact that they could not yet definitively conclude that personal data had been affected, but that it was possible and that they would confirm it if it had been. Based on the information held by ***COMPANY.2, confirmation of the personal data breach occurred on June 21st, at which time SEOM sent ***COMPANY.1 a notification form so that the incident could be properly reported to the AEPD. The form was received on June 22nd. It is concluded that in SEOM's case, the personal data breach involved some (...) participants in the observational study of the ***PROJECT.1 project.

- "Throughout this process, ***COMPANY.2 began providing support to SEOM on June 23rd, ending on July 19th after analyzing the expert report received from ***COMPANY.1. SEOM's objective was to verify the veracity of the information provided by ***COMPANY.1 and to expand the information as much as possible in order to evaluate the actions to be taken. (…) Following receipt of the expert report prepared by ***COMPANY.1, ***COMPANY.2 issued its assessment on July 18th, concluding that the information provided in said report was correct and the measures adopted were equally appropriate, and assessing that, at the time of the incident:

  (…)

- “We must indicate that after a second analysis of the information received between June 23rd and July 19th, 2023, including some subsequent documents, we estimate that although the information from ***COMPANY.1’s central systems and applications is very complete, as well as the measures implemented are also satisfactory, SEOM needs to complete information on (…) and what was the source of the incident, specifically:

  (…)”

3. It is stated that “The personal data affected by the cyberattack and stored on the servers of ***EMPRESA.1 were the following:
- Email address of the participant in the Observational Study
- Mobile phone number
- Health-related data (…) consisting of:
  - (…)

Provided as Document No. 3 are the four data collection questionnaires, which request, among other things, the following information: “(…)” and questions related to health (…).

4. Provided as Document No. 4: Record of processing activities of the FSEOM, with, among other things, the following content:

- “REFERENCE: PROJECT_***PROJECT.1”
- “Data processors”: “***COMPANY.1: CRO that manages the Observational Study as a whole from the perspective of study management
and from a technological perspective (mobile APP and technological architecture).”
- “How does it occur?”: “Collection, storage, pseudonymization,
extraction of pseudonymized data. Access to pseudonymized data.”
- “Have you signed a contract?”: “Yes.”

5. "Regarding the communication made to those affected regarding the breach: on July 20, 2023, the incident notice "IT INCIDENCE STUDY ***PROJECT.1" was sent through the platform ***URL.1 to all participants in the study "***PROJECT.1." The text corresponds to 4 consecutive SMS messages with the following content:

"IT INCIDENCE STUDY ***PROJECT.1 We inform you that there has been an IT incident in the data storage of the study ***PROJECT.1, in which you participated. The incident has already been resolved. We recommend that you disregard any mobile communications that are not sent by your hospital or oncologist. You can access complete information about the incident and its scope related to your data through the secure link to our server: ***URL.2”.

The link included in the SMS is the path to a hidden, private file on the server of the website www.seom.org, which we attach as DOCUMENT NO. 5.

Provided as Document No. 5 is a document entitled “FSEOM STATEMENT STUDY ***PROJECT.1” with, among other things, the following content:

“From the SPANISH SOCIETY OF MEDICAL ONCOLOGY FOUNDATION (FSEOM) we inform that on June 14, 2023, the provider of the study ***PROJECT.1 suffered a cyberattack that affected (…), which has resulted in a confidentiality breach of some of the participants' personal data.

As privacy is very important to us, we have taken all measures within our reach to resolve the incident and minimize any damage that may be caused; (…).

Due to this, there may be some loss of control over the participants' personal data, as well as the receipt of unwanted communications (…). (…)”

In its letter of February 12, 2024, the FSEOM stated that: "The notice was delivered correctly to 84.4% ((…) users) of the recipients, while it could not be delivered to 15.6% ((…) users). The delivery and user dispatch reports are attached as DOCUMENT NO. 6. A copy of the notification and the forwarding procedure are also provided as DOCUMENT NO. 7."

Screenshots with the following content are provided as Document No. 6:

“Communication July 23
Details
Date: 07/20/2023 1:10 PM

User: fseom
Recipients: (…)
SMS/Recipients: 4
Total SMS: 10,460
Cost: (…) €”

“Unknown Messages: 0
Delivered: (…)
Not delivered: (…)”

The text of the message sent is the same as the one reproduced above.

A spreadsheet with the following fields in the top row is provided as Document No. 7: “Number”, “Reference”, “First Name”, “Last Name”, “Delivery” (column completed with the values “Delivered”/”Not delivered”), “SMS sent”, “SMS delivered”.

A spreadsheet is also attached with the following fields in the top row: "Visit" (column completed with the values "no" in all rows), "Clicks", "Location", "Device", "Model", "Email", "Date of birth".

A spreadsheet is also attached with the following fields in the top row:
"User", "SMS ID", "Campaign ID", "User reference", "Send date", "Report",
"Report date", "Sender", "Recipient", "Country", "Routing", "#SMS", "Message",
"Carrier", "CompatibleR", "Blacklisted", "Description", "Error type", "Campaign name".

6. Document No. 8 includes a certificate signed on February 7, 2024, by the FSEOM secretary, certifying: "That, following notification to those affected by the personal data breach that occurred on June 14, 2023, we have not received any complaints or communications in this regard from any of them."

7. Document No. 9 includes a screenshot of an email sent on June 20, 2023, from ***COMPANY.1 to FSEOM, with, among other things, the following content:

“Based on the conversation we had yesterday, we would like to use this email to share with you more detailed information about the security incident suffered by ***COMPANY.1 due to a hacking of a secondary storage system. (…)

After days of analysis, both by our internal team and by external advisors and a technological expert report, we are learning more information about what happened and, at this time, we cannot definitively confirm that, in your case, personal data related to the health of patients has been affected. (…).”

A screenshot is also provided of an email sent on June 16, 2023, from ***COMPANY.1 to FSEOM, with, among other things, the following content:

“Dear Customer,
We are contacting you to inform you, in a reliable manner, that ***COMPANY.1 has detected unauthorized access to a secondary storage system that directly affects personal data stored in a database for which you are the Data Controller or Data Processor. (…)

(i) Date the security breach was detected: On the afternoon of Wednesday, June 14, 2023
(ii) Nature of the breach: Unauthorized access to (…).
(iii) Projects affected: ***PROJECT.1
(iv) Potential number of data affected: (…)
(v) Categories of data affected:
- (…)”

8. In its letter of February 12, 2024, FSEOM indicated: “The Service Provision Contract and the Data Processor Contract signed between FSEOM and ***COMPANY.1 are attached as DOCUMENT NO. 10. Additionally, ***COMPANY.1 completed a checklist certifying whether it was a privacy-compliant provider, a document that is also attached to this document block” (sic).

A copy of the contract dated April 20, 2021, between ***COMPANY.1 (as provider) and FSEOM (as client), for the execution of the project “***PROJECT.1” is provided as Document No. 10.

A copy of the contract between FSEOM and ***COMPANY.1 is also provided, for the purpose of "defining the conditions under which the DATA PROCESSOR will process personal data for the provision of the service contracted by FSEOM, in accordance with the provisions of Spanish data protection legislation and Article 28 of the GDPR and related provisions."

Point 3 of the contract establishes: "The data processor must adopt the measures that, based on the risk analysis conducted by FSEOM, have been communicated to it and are necessary to guarantee an adequate level of security. Such measures are provided in Annex II of this contract."

The following measures are highlighted in Annex II (among others):

"(...)"

The contract also includes an appendix (Appendix 3) with additional information
on ***COMPANY.1's Security Measures, highlighting the following as relevant:

“(…)”

9. Provided as Document No. 11: “Risk Report for Rights and Freedoms and DPIA” document dated June 25, 2021, with, among other things, the following content:

- “SUPPORT ASSETS USED. The support assets required to carry out the planned processing operations are:
  - (…)

- “The data flow will be as follows: (…)

- “The processing operations that the entity intends to address pose a high risk to the rights and freedoms of data subjects derived from:
  - Processing of particularly sensitive data related to the health of the participant in the Observational Study (Article 9 of the GDPR)”

- “For the processing of personal data whose risk is the disclosure of special categories of data that produce legal effects on the

  In light of the following factors, such as: discrimination, loss of control by the controller, or loss of professional secrecy, the following controls have been proposed:
  - (…)

  (…) Regarding the disclosure of special category data, the residual risk level is medium.”

- Regarding the person responsible for implementing such measures, the document indicates “***POSITION.1 and ***COMPANY.1.”

10. Document No. 12 includes a document from ***COMPANY.1 entitled
“NEW TECHNICAL AND ORGANIZATIONAL MEASURES ADOPTED BY
***COMPANY.1 TO PREVENT, AS FAR AS POSSIBLE, SECURITY INCIDENTS
LIKE THE ONE THAT HAPPENED.” From their analysis, the following statements are extracted, among others:

- “(…)

11. A document from ***COMPANY.1 entitled
“SECURITY MEASURES TO REDUCE THE RISK OF A SIMILAR ATTACK” is provided as Document No. 13, containing the measures taken to reduce the risk of a similar attack.

From their analysis, the following statements are extracted, among others:

(…)

12. A document from FSEOM entitled
“Security Breach Response Procedure” is provided as Document No. 14, which states, among other information:

“This procedure establishes the following aspects:
 Roles and responsibilities of personnel.
 Details of appropriate contacts.

 Appropriate communication channel.
 Steps to be followed.”

A document from ***COMPANY.1 entitled "Incident Notification and Communication" (original in English) is also provided.

13. An invoice from ***COMPANY.2 to FSEOM, dated June 26, 2023, with the following reference "***REFERENCE.1", is provided as Document No. 15.

Three invoices from ***COMPANY.5 to FSEOM, dated September 13, 2023, are also provided, for the following: "(…)

14. An invoice is provided as Document No. 16. Copy of the complaint filed with the National Police on June 17, 2023, by the representative of ***COMPANY.1, who reported that:

“--…there has been unauthorized access (…).

-- A virtual txt file is located on the server with the following content: “Contact ***EMAIL.1 or ***EMAIL.2 ASAP to recovery. Your files are safe.”

A copy of the complaint filed with the National Police on July 12, 2023, by the FSEOM representative is also provided. He reported that:

“—That on June 19 of this year, the Foundation was informed that the servers contracted by ***COMPANY.1 suffered a cyberattack, resulting in the theft of the data of the patients who participated in the aforementioned study.”

15. FSEOM indicates that “Attached as DOCUMENT NO. 17 is a copy of the training provided at FSEOM on security incidents, and a copy of the arguments prepared to assist those affected by the security breach in case they contact FSEOM (DOCUMENT NO. 18).

Document No. 17 includes a document titled "***REFERENCE.2" entitled "Planning and Implementation of Processes to Detect, Contain, and Mitigate a Security Breach."

Document No. 18 includes a document titled "***REFERENCE.3" entitled "Q&A," which states:

"(...) What happens if my data is fraudulently used? What risks do I face?
There are several fraudulent uses of data obtained through criminal means.

The most common uses are sales to marketing companies, as well as attempts to access personal devices.
In the case of data being sold to marketing companies, the effect will be the
reception of unwanted advertising through various means, (...).
The greatest risks relate to attempts to access devices and the information contained therein (personal data, bank accounts, etc.), as well as identity theft (...)."

16. In its document of February 12, 2024, FSEOM states: “6.4.- Regarding the clarification that the breach could have been avoided by adopting some additional measure, we refer to the fact that if ***COMPANY.1 had complied with the measure (…) agreed upon in the contract, the impact on those affected could have been avoided.” (sic)

For its part, within the framework of the preliminary investigation, this Agency has carried out a series of checks on the Internet:

- On September 11, 2024, this Agency verified that, in relation to the reactive measure implemented to replace tokens with roles, the ***APP.1 website itself, under the heading "Best Security Practices Recommended by ***APP.1", included the following text, extracted from the official documentation of ***APP.1, which recommends not using access keys directly in the application that needs to access ***EMPRESA.3 resources (programmatic tokens), and using ROLES instead as a good security practice (***URL.3):

"Use of access keys ***APP.3 for ***APP.1 Applications and Services that require access to ***COMPANY.3:

For applications running on ***COMPANY.4 or other ***APP.1 Services to access ***COMPANY.3 resources, they must include valid ***APP.1 credentials in their ***APP.1 API requests. We recommend not storing ***APP.1 credentials directly in the application or on a ***COMPANY.4 instance. These are long-term credentials that do not rotate automatically and could have a significant business impact if compromised. Instead, use an ***APP.3 role to temporarily manage credentials for applications or services that require access to ***COMPANY.3. When you use a role, you do not have to distribute long-term credentials (such as a username and password or access keys) to an instance of ***COMPANY.4 or a service of ***APP.1 such as ***APP.2. The role provides temporary permissions that applications can use when making calls to other resources of ***APP.1.”

- On September 19, 2024, this Agency verified that, with respect to the processes established in ISO 27001, Annex A.10 of this standard, which establishes cryptographic controls to protect information and encryption requirements for specially protected data, states: “The cryptographic controls in Annex A.10 are based on the principle of least privilege and require that only authorized persons have access to the cryptographic keys and that these keys are appropriately protected.”

- On September 20, 2024, this Agency verified that, in the official ***APP.1 documentation, in relation to "Identity Management" and "Best Practices for Securely Storing and Using Secrets," the following content could be seen at the link ***URL.4, among others (emphasis added):

"A common antipattern is to embed ***APP.3 access keys within source code, configuration files, or mobile applications. When an ***APP.3 access key is required to communicate with an ***APP.1 service, use temporary (short-term) security credentials." These short-term credentials can be provided through ***APP.3 roles for (...) instances, execution roles for ***APP.4 functions, ***APP.3 roles for ***ENTERPRISE.6 for mobile user access, and ***APP.5 policies for IoT devices. When interacting with third parties, it is preferable to delegate access to an ***APP.3 role with the necessary access to your account resources rather than setting up an ***APP.3 user and sending that third party the secret access key for that user.

- On September 24, 2024, this Agency verified that in the official documentation of ***APP.1, in relation to information on good security practices and recommendations for the implementation of the National Security Scheme (ENS) at MEDIUM level through the configuration of ***APP.1, on the website ***URL.5, the following content could be seen, among others (the information was not updated to the latest version of the ENS, RD 311/2022):

Related measure of RD 3/2010 (Annex II 4.2.5. Authentication Mechanism, page 27):

“Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their ***APP.3 role. Make sure to remove the root access keys. Instead, create and use the role-based system ***APP.1 Accounts to help incorporate the principle of minimum functionality.”
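As an added illustration (not part of the decision and not code from ***COMPANY.1 or any provider), the following Python audit flags the anti-pattern the Agency quotes above, long-term access keys written into an application's configuration, and recognises the role-based alternative it recommends. The provider on the page is anonymised, so the setting names, key shapes and sample config files are constructed assumptions rather than any real provider's format.

```python
"""Audit a dotenv-style deployment config for long-term cloud access keys
embedded in the file (the anti-pattern cited in the decision) versus a role
that hands the application temporary credentials.

Assumption: the setting names, the sample values and both sample files are
constructed for this example and match no real provider's format.
"""
import re
from dataclasses import dataclass, field

# Constructed field-name patterns; a prefix such as CLOUD_ is tolerated.
LONG_TERM_KEY_RE = re.compile(r"^[A-Z0-9_]*?(ACCESS_KEY_ID|SECRET_ACCESS_KEY|API_TOKEN)$")
ROLE_KEY_RE = re.compile(r"^[A-Z0-9_]*?(ROLE_NAME|ROLE_ARN|USE_INSTANCE_ROLE)$")
# Values injected at deploy time rather than written into the file.
PLACEHOLDER_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$|^<[^<>]+>$")


@dataclass
class Finding:
    line_no: int
    key: str
    severity: str  # "high": literal secret in file; "info": long-term key injected
    message: str


@dataclass
class Report:
    findings: list = field(default_factory=list)
    uses_role: bool = False

    @property
    def verdict(self) -> str:
        if any(f.severity == "high" for f in self.findings):
            return "embedded long-term credentials"
        if self.uses_role:
            return "role-based temporary credentials"
        if self.findings:
            return "long-term credentials injected at runtime"
        return "no cloud credentials configured"


def parse_dotenv(text: str):
    """Yield (line_no, key, value) for KEY=VALUE lines; blanks and comments are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield no, key.strip(), value.strip().strip("\"'")


def audit_config(text: str) -> Report:
    """Classify a config as embedding keys, injecting keys, or relying on a role."""
    report = Report()
    for no, key, value in parse_dotenv(text):
        if LONG_TERM_KEY_RE.match(key):
            if not value:
                continue  # empty setting: nothing is shipped
            if PLACEHOLDER_RE.match(value):
                report.findings.append(Finding(
                    no, key, "info",
                    "long-term key injected at runtime; it still does not rotate automatically"))
            else:
                report.findings.append(Finding(
                    no, key, "high",
                    "long-term credential written into the file; rotate it and move to a role"))
        elif ROLE_KEY_RE.match(key) and value.lower() not in ("", "false", "0", "no"):
            report.uses_role = True
    return report


# Constructed sample: keys shipped inside the application bundle.
CONFIG_BEFORE = """\
# study-app deployment (constructed sample)
APP_ENV=production
CLOUD_ACCESS_KEY_ID=EXAMPLEKEYID00000001
CLOUD_SECRET_ACCESS_KEY="example-secret-value-not-a-real-key"
UPLOAD_BUCKET=study-uploads
"""

# Constructed sample: the reactive measure described on the page, a role instead of keys.
CONFIG_AFTER = """\
# study-app deployment (constructed sample)
APP_ENV=production
CLOUD_ROLE_NAME=study-app-upload-role
UPLOAD_BUCKET=study-uploads
"""


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        rep = audit_config(cfg)
        print(f"{name}: {rep.verdict}")
        for f in rep.findings:
            print(f"  line {f.line_no} [{f.severity}] {f.key}: {f.message}")
```

The same audit can be pointed at each environment file in a repository or a mobile app bundle to confirm that no long-term key ships with the artefact.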

FOURTH: According to the report collected from the AXESOR tool on December 15, 2024, the entity FSEOM is an association with a sales volume of (…) euros.

LEGAL BASIS

I
Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II
Procedure

Furthermore, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

In accordance with Article 64 of the LOPDGDD, and taking into account the characteristics of the alleged infringement, a sanctioning procedure is initiated.

The procedure will last a maximum of twelve months from the date of the initiation agreement. After this period, the resolution will expire and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD.

If no objections are made to this initial resolution within the stipulated period, it may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

III
Preliminary Questions

In the present case, in accordance with Articles 4.1 and 4.2 of the GDPR, personal data processing is established, since FSEOM carries out, among other processing operations, the collection and storage of personal data of natural persons: email address, mobile phone number, and health-related data.

Fundacion SEOM carries out this activity in its capacity as data controller, as it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR.

IV
Breached obligation. Integrity and Confidentiality

Article 5.1(f) of the GDPR provides:

"1. Personal data shall be:
(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical or organizational measures ("integrity and confidentiality")."

Loss of confidentiality of personal data

On June 23, 2023, FSEOM, in its capacity as data controller, notified this Agency of a personal data breach, reporting that "***EMPRESA.1 detected unauthorized access (…) directly affecting the personal data of participants in a study sponsored by the Spanish Society of Medical Oncology, of which ***EMPRESA.1 is the CRO and technology provider, and also the data processor."

In its letter of February 12, 2024, FSEOM provides as Document No. 10 a copy of the contract dated April 20, 2021, between ***COMPANY.1 (as supplier) and FSEOM (as client), for the execution of the project "***PROJECT.1".

Based on the above, this Agency understands that there has been a loss of confidentiality of personal data linked to the project "***PROJECT.1" promoted by FSEOM.

Personal Data Affected

On July 21, 2023, FSEOM submitted to this Agency a letter extending its notification of this breach, indicating that the contact and health data of (...) individuals had been affected by this incident.

In its letter of February 12, 2024, FSEOM indicated that "The personal data affected by the cyberattack and stored on the servers of ***COMPANY.1 were the following:

- Email address of the participant in the Observational Study
- Mobile phone number
- Health-related data (…) consisting of:
  (…)

In Document No. 3 of said letter, it can be seen that the interested parties were requested to provide the following personal data: “(…)” and health-related questions (…).

Based on all the above, this Agency understands that the following personal data of (…) natural persons were affected by the breach that is the subject of this procedure: (…) and health-related questions.

Chronology of events and technical or organizational measures

On April 20, 2021, as can be seen from Document No. 10 attached to the letter from FSEOM dated February 12, 2024, FSEOM and ***COMPANY.1 signed a data processor agreement, Annex II of which obliged ***COMPANY.1 to “(…)”.

This contract also included an Appendix 3 with additional information on ***COMPANY.1's Security Measures, including:

(…).

On June 23, 2023, FSEOM, in its capacity as data controller, notified this Agency of a personal data breach, reporting that ***COMPANY.1 (data processor) detected unauthorized access to the personal data of participants in the study of the “***PROJECT.1” project.

On July 5, 2023, the National Association of Cybersecurity and Technological Expertise prepared an incident report indicating that on June 14, 2023, ***COMPANY.1 detected (…).

The report explained that (…).

Regarding the chronology of events, (…).

The attack occurred due to (…)."

The aforementioned expert report lists a series of technical recommendations to improve ***COMPANY.1's platform, including: (…).

The report also details improvements implemented by ***COMPANY.1, with respect to (…).

On February 9, 2024, company ***COMPANY.2 prepared a second expert report on the breach in question, which indicated that at the time of the incident (…).

***COMPANY.1 had implemented “NEW TECHNICAL AND ORGANIZATIONAL MEASURES ADOPTED BY ***COMPANY.1 TO PREVENT, AS FAR AS POSSIBLE, SECURITY INCIDENTS LIKE THE ONE THAT HAPPENED,” such as: (…).

Also ***COMPANY.1 reportedly adopted "SECURITY MEASURES TO REDUCE THE RISK OF A SIMILAR ATTACK" such as:

(…)

For its part, on September 11, 2024, this Agency verified that, in relation to the reactive measure implemented to replace tokens with roles, the following text, extracted from the official documentation of ***APP.1, was included on the ***APP.1 website entitled "Best Security Practices Recommended by ***APP.1", in which (…).

On September 19, 2024, this Agency verified that, with respect to the processes established in ISO 27001, Annex A.10 of this standard, which establishes cryptographic controls for protecting information and encryption requirements for specially protected data, states: "The cryptographic controls in Annex A.10 are based on the principle of least privilege and require that only authorized persons have access to the cryptographic keys and that these keys are adequately protected."

On September 20, 2024, this Agency verified that the official ***APP.1 documentation, related to "Identity Management" and "Best Practices for Securely Storing and Using Secrets," contains the following content, among others, at the link ***URL.4:

"A common antipattern is to embed ***APP.3 access keys within source code, configuration files, or mobile applications. When an ***APP.3 access key is required to communicate with an ***APP.1 service, use temporary (short-term) security credentials. These short-term credentials can be provided through ***APP.3 roles for instances of (...), execution roles for ***APP.4 functions, ***APP.3 roles for ***ENTERPRISE.6 mobile user access, and ***APP.5 policies for IoT devices. When interacting with third parties, it is preferable to delegate access to an ***APP.3 role with the necessary access to your account resources instead of setting up a ***APP.3 user and sending that third party the secret access key for that user.”

On September 24, 2024, this Agency verified that in the official documentation of ***APP.1, regarding information on security best practices and recommendations for implementing the National Security Scheme (ENS) at Medium Level through the ***APP.1 configuration, on the website ***URL.5, the following content can be seen, among others (the information is not updated to the latest version of the ENS, RD 311/2022):

Related measure of RD 3/2010 (Annex II 4.2.5. Authentication Mechanism, page 27):
"Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their role.

***APP.3. Ensure root access keys are removed. Instead, create and use the role-based system ***APP.1 Accounts to help incorporate the principle of Minimum functionality."
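Added example, not part of the AEPD decision or of any vendor's documentation: a provider-agnostic check for the two antipatterns quoted above, long-lived access keys embedded in source or configuration files, and static keys (including root keys) used at runtime instead of role-issued temporary credentials that are refreshed before expiry. The key names, the sample configuration and the `assume_role` callable are constructed stand-ins, since the decision redacts the products involved.

```python
"""Detect embedded long-lived access keys and enforce short-lived runtime credentials."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Configuration keys that typically hold long-lived credentials (constructed list).
STATIC_KEY_NAMES = re.compile(
    r"(access[_-]?key|secret[_-]?(access[_-]?)?key|api[_-]?secret|root[_-]?key)", re.I
)
# Matches "NAME = value", "NAME: value" and "export NAME=value"; captures name and value.
ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']?([^"'#\s]*)"""
)
# Values that are placeholders rather than secrets.
PLACEHOLDERS = {"", "none", "null", "changeme", "<redacted>"}


def find_embedded_keys(lines, filename: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, key name) for every credential key with a literal value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = ASSIGNMENT.match(line)
        if match is None:
            continue
        name, value = match.groups()
        if not STATIC_KEY_NAMES.search(name):
            continue
        # "${VAR}" references are resolved from a secret store at deploy time: acceptable.
        if value.startswith("${") or value.lower() in PLACEHOLDERS:
            continue
        findings.append((filename, number, name))
    return findings


@dataclass(frozen=True)
class Credentials:
    key_id: str
    secret: str
    session_token: str | None = None  # only role-issued temporary credentials carry one
    expires_at: datetime | None = None


def is_short_lived(cred: Credentials, now: datetime,
                   max_ttl: timedelta = timedelta(hours=12)) -> bool:
    """True only for credentials that carry a session token and expire within max_ttl."""
    if cred.session_token is None or cred.expires_at is None:
        return False  # a static key: no token, no expiry
    remaining = cred.expires_at - now
    return timedelta(0) < remaining <= max_ttl


class RoleCredentialProvider:
    """Serves role-issued temporary credentials and refreshes them before they expire.

    `assume_role` is a hypothetical callable standing in for a provider's
    role-assumption API; the application never holds a long-lived key.
    """

    def __init__(self, role: str, assume_role: Callable[[str], Credentials],
                 clock: Callable[[], datetime],
                 refresh_margin: timedelta = timedelta(minutes=5)):
        self._role, self._assume_role, self._clock = role, assume_role, clock
        self._margin = refresh_margin
        self._current: Credentials | None = None
        self.refresh_count = 0

    def get(self) -> Credentials:
        now = self._clock()
        cur = self._current
        if cur is None or cur.expires_at is None or cur.expires_at - now <= self._margin:
            cur = self._assume_role(self._role)
            if not is_short_lived(cur, now):
                raise ValueError("role provider returned non-temporary credentials")
            self._current = cur
            self.refresh_count += 1
        return cur


# Constructed sample configuration: two embedded keys, one vault reference, one placeholder.
SAMPLE_CONFIG = """\
DB_HOST = db.internal
STORAGE_ACCESS_KEY_ID = EXAMPLEKEY0123456789
STORAGE_SECRET_ACCESS_KEY = ${SECRET_FROM_VAULT}
api_secret: changeme
export ROOT_KEY="static-root-key-value"
""".splitlines()


def demo() -> dict:
    """Run both checks on the constructed inputs and return the results."""
    findings = find_embedded_keys(SAMPLE_CONFIG, "settings.env")
    t0 = datetime(2023, 6, 14, 9, 0, tzinfo=timezone.utc)  # constructed clock
    clock = {"now": t0}

    def fake_assume_role(role: str) -> Credentials:  # hypothetical stand-in
        now = clock["now"]
        return Credentials("TEMPKEY", "tempsecret", session_token=f"tok-{now.isoformat()}",
                           expires_at=now + timedelta(hours=1))

    provider = RoleCredentialProvider("app-role", fake_assume_role, lambda: clock["now"])
    first = provider.get()
    clock["now"] = t0 + timedelta(minutes=30)
    second = provider.get()  # 30 minutes left: reused
    clock["now"] = t0 + timedelta(minutes=56)
    third = provider.get()  # inside the 5-minute margin: refreshed
    return {"findings": findings, "refreshes": provider.refresh_count,
            "reused": first is second, "rotated": third is not second,
            "static_rejected": not is_short_lived(Credentials("ID", "secret"), t0)}


if __name__ == "__main__":
    print(demo())
```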

In conclusion, the fact that ***COMPANY.1 (data processor) did not have the measures examined in place facilitated the occurrence of the personal data breach and its greater impact. The aforementioned measures were introduced by the data processor ex post (reactively) in order to prevent a similar personal data breach from occurring again.

Under Article 4.8 of the GDPR, the data processor is the person who "processes personal data on behalf of the controller."

Even if the personal data breach occurred in the systems of ***COMPANY.1, the data processor, and even if said processor did not have the measures just analyzed in place at the time the personal data breach occurred, which would most likely have prevented the breach or at least reduced its impact, the data controller is FSEOM.

Based on all the above, this Agency understands that FSEOM, as the data controller, did not have the appropriate technical or organizational measures in place to prevent an incident such as the one that occurred.

Therefore, based on the evidence currently available, in accordance with the agreement to initiate sanctioning proceedings, it is considered that the known facts could constitute an infringement, attributable to FSEOM, for a violation of Article 5.1.f) of the GDPR.

V
Classification of the violation of Article 5.1.f) of the GDPR and classification for the purposes of limitation

Article 83.5 of the GDPR classifies the violation of the following articles as an administrative violation, which shall be punishable, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is higher:

"a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9; (…)"

For its part, Article 71 "Infractions" of the LOPDGDD states:

"The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infractions."

For the sole purposes of the statute of limitations, Article 72.1 of the LOPDGDD (Organic Law on Personal Data Protection) establishes the following:

"In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infractions that constitute a substantial violation of the articles mentioned therein, and in particular, the following, are considered very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."

VI
Proposed Sanction

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9, and 6 are, in each individual case, effective, proportionate, and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered;

b) the intentionality or negligence of the breach;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
e) any previous breach committed by the controller or processor;


f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate the potential adverse effects of the breach;
g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
(i) where the measures referred to in Article 58(2) have been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD (Spanish Data Protection Act) provides:

"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in paragraph 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuous nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the acquiring entity.
f) The violation of the rights of minors.
g) The availability, when not mandatory, of a data protection officer.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where there are disputes between them and any interested party.

In the present case, considering the seriousness of the potential violation, especially considering the consequences its commission has on those affected, a fine would be imposed, in addition to the adoption of measures, if appropriate.

The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, FSEOM's sales volume (€) is considered as a preliminary consideration.

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at the time of this resolution to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered appropriate to grade the sanction to be imposed according to the following circumstances, contemplated in the aforementioned provisions.

As a preliminary matter, it is deemed that the following circumstances apply:

• The nature, severity, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages they have suffered (Article 83.2, letter a) of the GDPR): due to improper access to the personal data of (...) natural persons: (...), due to not having the appropriate technical or organizational measures to prevent an incident such as the one that gave rise to this procedure.

• The categories of personal data affected by the breach (Article 83.2(g) of the GDPR): Among the data affected by the breach were health data of patients participating in the Project "***PROJECT.1".

Likewise, the following grading factors are considered as aggravating factors:

• The connection between the offender's activity and the processing of personal data (Article 76.2, letter b) of the LOPDGDD): FSEOM is an organization dedicated to collecting health data on a specific pathology, and is therefore accustomed to processing personal data.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 5.1.f) of the GDPR, allows for the initial imposition of an administrative fine of €70,000.00.

VII
Corrective Measures

If the violation is confirmed, the resolution issued may establish the corrective measures that the offending entity must adopt to end the non-compliance with personal data protection legislation, in this case Article 5.1.f) of the GDPR, in accordance with the provisions of the aforementioned Article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period..."

Thus, the responsible entity may be required to bring its actions into compliance with personal data protection regulations, within the scope expressed in the previous Legal Basis.


This document establishes the alleged violation committed and the facts that could give rise to this potential breach of data protection regulations. From this, it is clear what measures to be adopted, without prejudice to the sanctioned party's responsibility to implement the specific procedures, mechanisms, or instruments. The data controller is fully familiar with its organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD.

However, in this case, regardless of the foregoing, in accordance with the evidence currently available regarding the agreement to initiate sanctioning proceedings, the resolution adopted may require FUNDACION SEOM to adopt the following measures within three months from the date of the final resolution of this procedure:

- Prove the effective implementation of appropriate technical and organizational measures, not only to comply with the regulations, but also to demonstrate compliance before the supervisory authorities and interested parties.

The imposition of these measures is compatible with the sanction of an administrative fine, as provided in Article 83.2 of the GDPR.

Please be advised that failure to comply with the possible order to adopt measures imposed by this body in the resolution of this sanctioning procedure may be considered an administrative infraction pursuant to the provisions of the GDPR, classified as an infraction in Articles 83.5 and 83.6. Such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

Please also remember that neither the acknowledgment of the infraction committed nor, where applicable, the voluntary payment of the proposed amounts exempts you from the obligation to adopt the relevant measures to cease the conduct or correct the effects of the infraction committed, nor from the obligation to prove compliance with this obligation to this AEPD.

Therefore, in light of the above, the Director of the Spanish Data Protection Agency,
HAS RESOLVED:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against FUNDACIÓN SOCIEDAD CIENTÍFICA DE ONCOLOGÍA MÉDICA, with NIF G07324239, for the alleged violation of Article 5.1.f) of the GDPR, as defined in Article 83.5 of the GDPR.

SECOND: TO APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that they may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).


THIRD: TO INCORPORATE into the file, for evidentiary purposes, the notification of the personal data security breach, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in Article 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the appropriate sanction would be an administrative fine of €70,000.00, without prejudice to the outcome of the investigation.

FIFTH: NOTIFY this agreement to the SCIENTIFIC SOCIETY FOUNDATION OF MEDICAL ONCOLOGY, with Tax Identification Number (NIF) G07324239, granting it a hearing period of ten business days to formulate its allegations and present any evidence it deems appropriate. In its written allegations, it must provide its Tax Identification Number (NIF) and the procedure number shown in the heading of this document.

In accordance with the provisions of Article 85 of the LPACAP, it may acknowledge its liability within the period granted for the formulation of allegations to this initiation agreement; this will entail a 20% reduction in the appropriate penalty imposed in this procedure. With the application of this reduction, the penalty would be set at €56,000.00, and the procedure would be resolved with the imposition of this penalty.

Likewise, at any time prior to the resolution of this procedure, the alleged offender may voluntarily pay the proposed penalty, which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at €56,000.00, and its payment would terminate the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the penalty is cumulative with the reduction applicable for acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for submitting allegations at the opening of the procedure. Voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the penalty would be set at €42,000.00.

In any case, the effectiveness of either of the aforementioned reductions will be conditioned upon the express withdrawal or waiver of any administrative action or appeal against the sanction.

For these purposes, if you choose either of them, you must send the General Subdirectorate of Data Inspection express notification of your withdrawal or waiver of any administrative action or appeal against the penalty, indicating which of the two reductions you are choosing, or whether you are choosing both.

If you choose to voluntarily pay any of the amounts indicated above (€56,000.00 or €42,000.00), you must do so by depositing it into account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the entry the reference number of the procedure that appears in the heading of this document and the reason for the reduction in the amount you are applying for.

Likewise, proof of payment must be sent to the Subdirectorate General of Inspection, along with express notification of the withdrawal or waiver of any administrative action or appeal against the penalty in order to continue with the procedure in accordance with the amount paid.

Finally, it is noted that, in accordance with the provisions of Article 112.1 of the LPACAP, there is no administrative appeal against this act.

1479-111224

Mar España Martí
Director of the Spanish Data Protection Agency

>>

SECOND: On January 15, 2025, FSEOM proceeded to pay the penalty in the amount of €42,000.00, making use of the two reductions provided for in the initiation agreement transcribed above, which implies recognition of liability in relation to the events referred to in the initiation agreement and their legal qualification.

THIRD: FSEOM has expressly waived any administrative action or appeal against the sanction.

FOURTH: The initiation agreement transcribed above indicated that, if the violation was confirmed, it could be agreed that the controller would be required to adopt appropriate measures to bring its actions into compliance with the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period...".

Having acknowledged responsibility for the violation, the imposition of the measures included in the initiation agreement is appropriate.

LEGAL BASIS

I
Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."

II
Termination of the Procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of Sanctioning Procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be terminated with the imposition of the appropriate sanction.

2. When the sanction is solely monetary in nature, or when a monetary sanction and a non-monetary sanction may be imposed, but the inadmissibility of the latter has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will entail the termination of the procedure, except with regard to restoring the altered situation or determining compensation for damages caused by the commission of the infraction.

3. In both cases, when the sanction is solely monetary in nature, the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be combined.
These reductions must be specified in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The percentage reduction provided for in this section may be increased by regulation.

III
Voluntary Payment and Acknowledgment of Liability

In accordance with the provisions of the aforementioned Article 85 of the LPACAP, the notified initiation agreement informed the party concerned about the possibility of acknowledging liability and voluntarily paying the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the penalty would be set at €42,000.00, and its payment would imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

Following notification of the aforementioned initiation agreement, FSEOM has proceeded to acknowledge liability and voluntarily pay the penalty, accepting the two reductions provided and expressly waiving any action or appeal through administrative channels.

It should be noted that, in accordance with the provisions of the LPACAP, as well as the Supreme Court's jurisprudence on this matter, the exercise of voluntary payment by the alleged liable party does not exempt the administration from its obligation to resolve and notify all proceedings, regardless of their method of initiation. Similarly, Article 88 of the aforementioned law establishes that the resolution that concludes the proceedings will decide all issues raised by the interested parties and any other issues arising from them.

Therefore, in accordance with applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the commission of the violations and CONFIRM the sanctions determined in the operative section of the initiation agreement transcribed in this resolution.

The sum of the aforementioned amounts results in a total of 70,000.00 euros.

After FUNDACIÓN SOCIEDAD CIENTÍFICA DE ONCOLOGÍA MÉDICA made prompt payment and acknowledged liability, pursuant to Article 85 of the LPACAP, the aforementioned total is reduced by 40%, resulting in the final amount of 42,000.00 euros.

SECOND: DECLARE the termination of procedure EXP202416691, in accordance with the provisions of Article 85 of the LPACAP.

THIRD: ORDER the SCIENTIFIC SOCIETY OF MEDICAL ONCOLOGY FOUNDATION to notify the Agency of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution within 3 months of this resolution becoming final and enforceable.

FOURTH: NOTIFY the SCIENTIFIC SOCIETY OF MEDICAL ONCOLOGY FOUNDATION of this resolution.

FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment and acknowledgment of liability on the withdrawal or waiver of any action or appeal through administrative channels, this authority accepts the waiver expressly stated by the SCIENTIFIC SOCIETY OF MEDICAL ONCOLOGY FOUNDATION. Consequently, no optional appeal for reconsideration may be filed against this resolution, all of which is without prejudice to the possibility of resorting to contentious-administrative jurisdiction.

Consequently, taking into account the provisions of Article 90 of the LPACAP, given that no appeal may be made through administrative channels after expressly waiving this resolution, this resolution shall become final and fully enforceable upon notification.

However, in accordance with the provisions of Article 90.3.a) of the LPACAP, a final administrative decision may be suspended as a precautionary measure if the interested party expresses their intention to file an administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also forward to the Agency the documentation proving the effective filing of the administrative appeal. If the
Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.

In accordance with Article 50 of the LOPDGDD (Organic Law on Data Protection), this Resolution will be made public once it has been notified to the interested parties.

1259-180225
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with Article 48.2 of the LOPDGDD (Organic Law on Data Protection), due to a vacancy in the position of President and Deputy President
