AEPD (Spain) - EXP202200399

Revision as of 10:10, 3 October 2022

AEPD - PS-00246-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 32 GDPR, Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.07.2022
Decided:
Published: 27.09.2022
Fine: €31,200
Parties: n/a
National Case Number/Name: PS-00246-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined a magazine company €52,000 (reduced to €31,200) for violating Articles 5(1)(f), 32 and 33 GDPR: personal data in its database had been disclosed to an unauthorized third party, it had not implemented appropriate security measures, and it failed to notify the DPA of the data breach on time.


English Summary

Facts

The data subject filed a complaint with the DPA against the controller, a producer of children's educational magazines. The controller had sent the data subject an e-mail informing them of unauthorized access to its database by a third party. The database contained location information and contact details of data subjects, originally collected through a registration form on the controller's website. According to the controller, nearly 470,000 people were affected by this data breach.

On 22 October 2021 the controller received an e-mail signed by an external person who identified himself as a researcher, informing it that he had managed to access the company's data through a vulnerability in the website. As proof he provided a screenshot with the names of the tables in the database, but no evidence that the data itself had been exfiltrated. This was therefore a case of ethical hacking without malicious intent.

The controller hired a security contractor to fix the issues. It stated that it had fixed all the vulnerabilities that had made the unauthorized access possible, had implemented security incident protocols, and had encrypted the stored information.



Holding

The DPA held that the data subject's personal data had been unlawfully disclosed to a third party from the controller's database, and that the controller had therefore violated Article 5(1)(f) GDPR. The DPA took into account several aggravating factors, among them that in some cases the leaked data concerned minors.

The DPA also held that the controller had failed to implement appropriate technical and organizational measures to ensure an adequate level of security, and had therefore also breached Article 32 GDPR. The risk analysis the controller provided was the output of the DPA's own ‘GESTIONA EIPD’ tool, which, as the DPA noted, only offers guidance on the basic elements of a risk analysis for processing operations and impact assessments. The DPA found no link between the measures the controller had implemented and that risk analysis, so it could not be established that the measures had been deployed to mitigate any identified level of risk. The DPA again treated the fact that the leaked data concerned minors as an aggravating factor.

The DPA also found that the controller had violated Article 33 GDPR. The controller knew it had suffered a data breach on 28 October 2021 but informed the DPA only on 11 November 2021, almost two weeks after the data breach and far beyond the 72-hour period that Article 33(1) GDPR sets. The DPA once more treated the fact that the leaked data concerned minors as an aggravating factor.

The DPA fined the controller €52,000 for the combined violations, which was reduced to €31,200.



English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


File No.: EXP202200399

RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On July 18, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against BAYARD REVISTAS, S.A. (hereinafter, the claimed party), through the Agreement that is transcribed below:

<<
File No.: EXP202200399

AGREEMENT TO START A SANCTION PROCEDURE

Of the actions carried out by the Spanish Agency for Data Protection (AEPD) and based on the following:

FACTS

FIRST: D.A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on November 27, 2021. The claim is directed against BAYARD REVISTAS, S.A with NIF A78874054 (hereinafter, BAYARD). The grounds on which the claim is based are as follows:

The complaining party informs this Agency that he has received an email from the person in charge of the web portal ***URL.1, in which he was informed about the unauthorized access to the database by an unauthorized third party, BAYARD being the responsible party.

According to the email, the data concerned were the location and contact data of the people who had provided their information on the website through the registration form.

The person in charge assures that he has solved all the vulnerabilities that enabled the attack, has implemented the protocols to follow in the event of an incident related to data protection, and has adopted a series of measures, among them the encryption of stored information.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Attached to this claim is the screenshot of the email received on November 19, 2021, warning of the breach.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to BAYARD, so that it could proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the data protection regulations.

The transfer was sent on January 21, 2022 by electronic notification, in accordance with article 41 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP).

This notification was automatically rejected after ten calendar days had elapsed from its availability for access, according to paragraph 2, article 43, of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; the transfer was reiterated by certified mail, dated February 1, 2022, the latter resulting in an "unknown" status without the possibility of locating the person in charge.
THIRD: On February 23, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD; on March 1, 2022 information was requested from BAYARD, in order to clarify the aspects related to the security breach giving rise to the claim filed.

The request for information was sent by electronic notification, in accordance with article 41 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP).

This notification was also automatically rejected after ten calendar days from its availability for access, according to paragraph 2, article 43 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; the request was reiterated by certified mail, dated March 14, 2022, but using a fiscal address different from the one used in the transfer, an address obtained from the website of the person in charge, this last request being successful with an acknowledgment date of March 22, 2022.

FIFTH: On April 6, 2022, a response to said request for information was received.

SIXTH: Within the framework of the aforementioned preliminary investigation actions, information was again requested, dated April 25 of that same year.