AEPD (Spain) - EXP202200399

From GDPRhub
AEPD - PS-00246-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.07.2022
Published: 27.09.2022
Fine: 31200
Parties: n/a
National Case Number/Name: PS-00246-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEDP (in ES)
Initial Contributor: n/a

The Spanish DPA fined a magazine company €31,200 for violating Articles 5(1)(f), 32, and 33 GDPR because of a personal data security breach caused by vulnerabilities on its website. The controller also failed to notify the DPA about this data breach on time.

English Summary


On 22 October 2021, the controller, a producer of children's educational magazines, received an e-mail from the individual in charge of its web-portal. This individual stated that an external alleged researcher had managed to access the company's data as a result of a vulnerability in the website. The researcher provided a screenshot as proof with the names of the tables in the database but without providing proof of a data leak.

The controller carried out an internal investigation. It stated that this was a case of ethical hacking without malicious intent, since the researcher had notified the web-portal manager about the vulnerabilities. The database contained location information and contact details of data subjects. This data was originally collected through a registration form. Nearly 470,000 people were affected by the breach. The controller sent its affected data subjects an e-mail informing about access by an unauthorised third party to the database. One data subject filed a complaint with the Spanish DPA after receiving the e-mail.

The DPA started an investigation in the course of which the controller stated that it hired a security contractor to fix the issues. The controller also argued that its web-portal manager had fixed all the vulnerabilities that enabled the unauthorised access. It had also implemented security incident protocols and regular audits and had provided encryption for the stored data.


First, the DPA confirmed that the personal data of the data subject had been unlawfully disclosed to a third party from the database of the controller. Therefore, the controller violated Article 5(1)(f) GDPR. The DPA considered several aggravating factors, such as the fact that in some cases the leaked data concerned minor children.

Second, the DPA held that the controller failed to implement appropriate technical and organisational measures to ensure an adequate level of security, breaching Article 32 GDPR. The risk analysis that the controller provided was the output of the ‘GESTIONA EIDP’ tool of the DPA itself. With this tool, data subjects, controllers and DPOs are informed about basic aspects that must be taken into account for adequate data protection, prior to carrying out adequate risk management. The DPA held that this tool only provided guidance for basic elements about risk analysis for processing operations and impact assessments. In this case, there was no link between the measures that were implemented by the controller and the risk analysis. Therefore, it could not be held the measures were deployed to mitigate a certain level of risk. The DPA considered again, among other factors, the fact that part of the leaked data was of minor children and considered this an aggravating factor.

Finally, the DPA found that a violation of Article 33 GDPR. The DPA stated that the controller knew it had suffered a data breach on 28 October 2021 and only informed the DPA on 11 November 2021. The controller had therefore notified the DPA almost two weeks after the data breach. Again, the DPA considered, among other factors, the fact that the leaked data was of minor children and considered this an aggravating factor.

The DPA fined the controller €52,000 for all the violations combined. This was reduced to €31,200 because the controller had already paid part of the fine voluntarily.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202200399
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
FIRST: On July 18, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against BAYARD REVISTAS,
S.A. (hereinafter, the claimed party), through the Agreement that is transcribed:
File No.: EXP202200399
Of the actions carried out by the Spanish Agency for Data Protection
(AEPD) and based on the following:
FIRST: D.A.A.A. (hereinafter, the complaining party) dated November 27,
2021 filed a claim with the Spanish Data Protection Agency. The
claim is directed against BAYARD REVISTAS, S.A with NIF A78874054 (in
forward, BAYARD). The grounds on which the claim is based are as follows:
The complaining party informs this Agency that he has received an email
by the person in charge of the web portal ***URL.1, in which he was informed about the
unauthorized access to the database by an unauthorized third party,
being responsible BAYARD.
According to the email, location and contact data of the
people who had provided their information on the website through the form of
The person in charge assures that he has solved all the vulnerabilities that have
enabled the attack, has implemented the protocols to follow in the event of an incident
related to data protection, and has adopted a series of measures, including
which is the encryption of stored information.
C/ Jorge Juan, 6
28001 – Madrid
Attached to this claim is the screenshot of the email received
on November 19, 2021, warning of the breach.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to BAYARD, so that
proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.
The transfer was sent on January 21, 2022 by electronic notification,
in accordance with article 41 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (LPACAP).
This notification was automatically rejected after ten days had elapsed
natural from its availability for access according to paragraph 2, article
43, of Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public administrations; reiterating the transfer by certified mail, dated 01
of February 2022, resulting in the latter with an "unknown" status without the possibility of
locate the person in charge.
THIRD: On February 23, 2022, in accordance with article 65 of the
LOPDGDD, the claim filed by the claimant was admitted for processing.
FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the authorities of
control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter RGPD), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the LOPDGDD, dated March 1,
2022 BAYARD information was required, in order to clarify the aspects
related to the security breach giving rise to the claim filed.
The request for information was sent by electronic notification, in accordance with
to article 41 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (LPACAP).
Although this notification was automatically rejected after ten
calendar days from its availability for access according to paragraph 2,
Article 43 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations; reiterating the transfer by mail
certified, dated March 14, 2022, but using a different fiscal address
to the one used in the transfer, address obtained from the website of the person in charge, resulting
this last successful request with an acknowledgment date of March 22, 2022.
FIFTH: On April 6, 2022, a response to said request for information is received.
SIXTH: Within the framework of the aforementioned preliminary investigation actions,
again, request for information dated April 25 of that same year.
C/ Jorge Juan, 6
28001 – Madrid