AEPD (Spain) - E/07796/2020

From GDPRhub
AEPD - E/07796/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: No Violation Found
Published: 16.04.2021
Fine: None
National Case Number/Name: E/07796/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA decided not to fine a football club that suffered a data breach because it had implemented adequate security measures and was diligent in mitigating the breach's consequences and reporting it to the authority.

English Summary


A Spanish football club, Real Madrid, suffered a data breach in which contracts, sport licenses, budgets, and other types of identifying data and economic information, related to around 1000 persons. This was done by a hacker that accessed the system with stolen credentials.

The club diligently informed of such breach to the competent authority and proceeded to scan the deep web and regular Real Madrid information on the web to verify whether the information had been made public or was for sale. There was no evidence that the hacked information had been used, nor received the authority any complaints regarding it.

After the breach, the controller installed additional measures to prevent it from happening again, namely new cyber-security measures, a double factor identification system, new laptop security protocols, and blocking the IPs from which the attack came.

The controller issued a report considering that the stolen information would not affect the reputation of the people involved, not pose any kind of risk to them. Therefore, they decided not to communicate the breach to the data subjects.

Additionally, a police investigation is taking place.


The AEPD concluded that the controller had adequate security measures and was diligent to mitigate its consequences and to report it to the authority.

Such adequate measures included, among others:

  • Data protection policy
  • Security policies and protocols
  • Measures to prevent computer atacks
  • Tools for monitoring, detecting, analysis and reporting security incidents
  • Data protection and security trainings
  • Access control measures
  • Risk analysis of the affected data processing activities
  • Cyber-security reports
  • Cyber-security guides

Because of this, the AEPD considered that Real Madrid had implemented appropriate technical and organisational measures to ensure a certain level of security. Therefore, they did not find a violation of Article 32(1) and decided not to fine the controller.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure No.: E / 07796/2020


Of the actions carried out by the Spanish Agency for Data Protection and

based on the following


FIRST: As a consequence of the notification to the Innovation Division
Technological of this Agency of a personal data security breach by

part of the REAL MADRID CLUB DE FUTBOL Treatment Manager with number
entry record O00007128e2000002465 relating to hacking on the website of the
foundation, the Subdirectorate General for Data Inspection is ordered to assess the
need to carry out the appropriate preliminary investigations in order to determine
a possible violation of data protection regulations.

SECOND: In view of the aforementioned data security bankruptcy notice
personal data, the Subdirectorate General for Data Inspection proceeded to carry out
of previous investigation actions, having knowledge of the following

Notification date of the personal data security breach: 17 of
September 2020.


During these proceedings, the following entities have been investigated:
REAL MADRID CLUB DE FÚTBOL with NIF G28034718 with address at AVDA.


1.- On January 11, 2021, information was requested from REAL MADRID CLUB DE
FOOTBALL (hereinafter Real Madrid) in order to expand the documentation received
in the gap notification. From the response received, the following can be inferred:

Regarding the company.

• Real Madrid has signed a service provision contract with
*** COMPANY.1 for the maintenance of Information Systems. (document 3
and 3a).
• Real Madrid has signed a contract with *** EMPRESA.2 for the service of

cybersecurity provided for the identification of the breach and the execution of a
incident response protocol (document 4).

Regarding the chronology of the events.

C / Jorge Juan, 6
28001 - Madrid 2/7

• On September 9, 2020 at 00:32 UTC, an access is identified from
an IP address from which that computer is rarely accessed. Because of this,
They try to identify all the accesses made and two accesses are detected.
carried out through the account of a user of the organization who was in
holiday period so they are suspicious and it is verified that they are

related to subsequent access to the server.
An analysis of the communications and connection attempts established between
the server and other elements of the environment.
• On September 11, the Incident Response team is activated, with
a backup made on the server at dawn from 9 to 10
September that turned out to be not correct and on the 16th a new shipment is made with the

correct backup to the incident response team.
• The analysis determines that, after the access made at 00:32 UTC on September 9,
September 2020, an access to an available network drive is also detected in
the equipment, locating information of an apparently sensitive nature relative to
budgets, personal information and private information of the entity.

• At that time, Real Madrid was alerted to a possible information leak on
Sept. 16, 2020, 6:20 p.m.
• On September 17, a data copy is detected from the network drive
did the server and the download of two tools at 1:40 UTC on the 9th of
The generation of different compressed files is detected which includes the

mentioned documents. At least one of these files is generated on the computer
around 1:40 UTC and subsequently removed at 2:06 UTC. The rest of the
compressed files cannot determine the exact date of their creation.
The use of different services and applications related to shipping and
document exchange during the time range in which the suspicious user
stays on the team.

As a result of these findings, on September 17, 2020 at 5:20 p.m.
The company that is conducting the analysis informs Real Madrid that there has been
an information leak.
• On September 18, the information obtained on the equipment is correlated,
with the available network registers, being therefore possible to detect a sending of
data to external sources (between 1:04 and 3:50 UTC).

Actions taken in order to minimize adverse effects and measures taken
for your final resolution.

• Among other short-term measures

o Reset the credentials of the compromised users
o Establish measures to not allow the use of tools that allow the
Authentication to remote systems without requiring the introduction of credentials.
o Block the use of certain platforms.

• Between post-hoc measures

o Double verification factor
o Server restore
o Blocking of the IP addresses from which the access took place.

C / Jorge Juan, 6
28001 - Madrid 3/7

Regarding the causes that made the breach possible

• The gap occurs as a consequence of the use of credentials

of a user by a third party outside the organization. It is currently unknown how the
alleged attacker obtained the credentials.
• Real Madrid states that the inquiries of the suppliers of
cybersecurity and systems have been unsuccessful and there is currently a
ongoing police investigation, opened as a result of the complaint filed with the Police.
(document 0).

Regarding the affected data.

• The data processing affected by the incident is related to:

        FUTBOL - Administrative Management, Contractual Relationship and follow-up of
        HR - Labor relationship management.

• The personal data that have been affected are those found in
the following types of documents: Contracts, federative licenses, documents,

Excel budgets and other documents. Basically identifying data and

• The categories of stakeholders that have been affected by this incident
It has been staff of the entity including players and technicians. In total about 1,000


• Real Madrid states that it does not consider that the information affected in the
incidence, may produce identity theft, economic damage or
denial of services. And, it is not estimated that with such information

cause damage to the honor or reputation of the affected persons in case of
public, nor affect their dignity or produce any type of discrimination for what
they will not communicate the incident to those affected.

They also state that they evaluated the incidence and concluded that there is a risk to
the rights and freedoms of the interested parties according to what is indicated in Annex 1 and

according to the criteria reflected by the Working Group of art. 29 (GT29), now Committee
European Data Protection (CEPD) in its Guidelines on notifications of
personal data incidents adopted on October 3, 2017 and reviewed and
finally adopted on February 6, 2018, the Agency is notified,
not so to the communication to the interested parties following the same criteria.

• Real Madrid states that it has been supervising itself on the Internet, including the
Deep Web, activity that could reflect the illegitimate use by third parties of the
information affected by the breach, without to date nothing has been detected
respect. Likewise, they state that they are not aware of any type of use by

third party of the information affected by the breach.
There are continuous automatic and manual searches of information about the Real
Madrid through different sources, such as social networks, web forums and
of the Deep web, ... to detect possible exposed assets and with regard to

C / Jorge Juan, 6
28001 - Madrid 4/7

This incident has been used more specific searches and has not been found
any evidence that the compromised information has been used by
third parties.

Regarding the security measures implemented

Before the breach:

•      General measures

o Data protection or information security policies.

o Logical access control measures for authorized users.
o Control measures to prevent attacks, intrusions and infections.
o Monitoring, detection, analysis and reporting of events of incidents of
o Training and awareness of staff on data protection.

o Regulatory framework for information security.
o Security governance model.

• Specific

o Analysis of network accessibility.

o Updating of applications and systems.
o Review of the source code.
o Cyber crisis management.
o Monitoring events and audit logs.
o Secure file delivery service.
o General control of security and monitoring.

• Documents:

o Registry of Treatment Activities related to the treatments affected by
the reported gap (document 7)
o Risk Analysis of the two affected treatments. Two are attached

Risk Analysis projections made for both treatments that have been
carried out in order to verify that the additional measures
are being implemented as a result of the gap that has occurred, contribute to further reduce the
residual risk (documents 8, 8 bis, 9 and 9 bis)
o Analysis of the need to carry out Impact Assessments (documents
10 and 11).

o Corporate work environment in which security measures are detailed
applied to the affected treatments (document 13).
o Information security policy (document 14).
o Guide for the Identification and communication of security incidents (document

o Review report on compliance with Title VIII of the Regulation of
development of the LOPD (RD1720 / 2007) (document 16) which corresponds to the last
data protection audit report, of June 30, 2016.
o Cybersecurity report for the year 2020 (document 17) evaluation system
keep going.

C / Jorge Juan, 6
28001 - Madrid 5/7

o New cybersecurity measures (document 12).

Information on the recurrence of these events and number of analogous events

happened in time.

There is no recurrence and there are no known analogous events.

                               FOUNDATIONS OF LAW


In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter

RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.


The GDPR defines, in a broad way, "data security breaches
personal "(hereinafter security bankruptcy) as" all those violations of the
security that cause accidental or unlawful destruction, loss or alteration of

personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data. "

In the present case, it is established that there was a data security breach
personal in the circumstances indicated above, categorized as a gap

confidentiality, as a consequence of the leakage of information detected.

Of the documentation provided by the company in the course of these actions of
investigation, between her, RAT and AR of the two affected treatments, analysis on the
need to carry out Impact Assessments, the document on the environment of
corporate work in which security measures applied on the

affected treatments and the guide for Identification and communication of incidents of
security, it follows that prior to the breach, the investigated entity
had reasonable security measures in place based on possible risks

Regarding the impact, the data that have been violated are the content in the
following types of documents: Contracts, federative licenses, documents, Excel
of budgets and other documents, which basically contain identifying data
and economic, finding the volume of data affected in the range of 1000.

Continuous monitoring of the Internet including the Dark Web, as well as
searches for information about Real Madrid, both automatically and
manual, without any evidence of illegitimate use by third parties of the

C / Jorge Juan, 6
28001 - Madrid 6/7

information nor are there any claims made to this Agency regarding this

To prevent these events from being repeated, the provisions of the document are adopted
New Cybersecurity Measures, among others, the double authentication factor and the
change in the rules of use of laptops.

As a result of the foregoing, it is established that the technical measures and
reasonable organizational measures to avoid this type of incident, however and once
Once this is detected, a diligent reaction is produced, in order to notify the AEPD and
implement means to eliminate it.

Finally, it is recommended to prepare a Final Report on the traceability of the event and
its evaluative analysis, in particular, regarding the final impact. This Report is a
valuable source of information with which the analysis and management of
risks and will serve to prevent the repetition of a gap with similar characteristics
as analyzed.


In the present case, the action of the investigated as the entity responsible for the

treatment, has been diligent and proportional to the regulations on the protection of
personal data analyzed in the previous paragraphs.

Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:


with NIF G28034718 with address at AVDA. CONCHA ESPINA, Nº 1 - 28036 MADRID

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

C / Jorge Juan, 6
28001 - Madrid 7/7

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day

following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction

Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.


Mar Spain Martí
Director of the Spanish Agency for Data Protection

28001 - Madrid 6