AEPD (Spain) - EXP202200399: Difference between revisions

AEPD - PS-00246-2022
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1)(f) GDPR Article 32 GDPR Article 33 GDPR
Type:	Complaint
Outcome:	Upheld
Started:	18.07.2022
Decided:
Published:	27.09.2022
Fine:	31200
Parties:	n/a
National Case Number/Name:	PS-00246-2022
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEDP (in ES)
Initial Contributor:	n/a

The Spanish DPA fined a magazine company €31,200 for violating Articles 5(1)(f), 32, and 33 GDPR by unlawfully providing access to personal data to a third party and failing to notify the DPA on time about the data breach.

English Summary

Facts

On 22 October 2021, the controller, a producer of children's educational magazines, received an email signed by an external party, stating that they were researchers. They informed the controller that they had managed to access the company's data as a result of a vulnerability in the controller's website. The researcher provided a screenshot as proof with the names of the tables in the database but without providing proof of a data leak.

According to the controller, it was a case of ethical hacking without malicious intent. In any case, the controller sent the data subject an e-mail informing about access by an unauthorised third party to the database of the controller. This database contained location information and contact details of data subjects. This data was originally collected through a registration form. Nearly 470,000 people were affected, according to the controller. As a result, the data subject filed a complaint with the Spanish DPA.

The DPA started an investigation in the context of which the controller stated that it had hired a security contractor to fix the issues. The controller also argued that it had fixed all the vulnerabilities that allowed for the unauthorised access. It had also implemented security incident protocols and regular audits and had provided encryption for the stored data.

Holding

First, the DPA confirmed that the personal data of the data subject had been unlawfully disclosed to a third party from the database of the controller. Therefore, the controller violated Article 5(1)(f) GDPR. The DPA considered several aggravating factors, such as the fact that in some cases the leaked data concerned minor children.

Second, the DPA held that the controller failed to implement appropriate technical and organisational measures to ensure an adequate level of security. Therefore, the controller also breached Article 32 GDPR. The risk analysis that the controller provided was the output of the ‘GESTIONA EIDP’ tool of the DPA itself. With this tool, data subjects, controllers and DPO's are informed about basic aspects that must be taken into account for adequate data protection, prior to carrying out adequate risk management. The DPA held that this tool only provided guidance for basic elements about risk analysis for processing operations and impact assessments. In this case, there was no link between the measures that were implemented by the controller and the risk analysis. Therefore, it could not be held the measures were deployed to mitigate a certain level of risk. The DPA considered again, among other factors, the fact that part of the leaked data was of minor children and considered this an aggravating factor.

Finally, the DPA found that the controller violated Article 33 GDPR. The DPA stated that the controller knew it had suffered a data breach on 28 October 2021 and only informed the DPA on 11 November 2021. The controller had therefore notified the DPA almost two weeks after the data breach. Again, the DPA considered, among other factors, the fact that the leaked data was of minor children and considered this an aggravating factor.

The DPA fined the controller €52,000 for all the violations combined. This was reducded to €31,200 because the controller had already paid part of the fine voluntarily.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/19
 File No.: EXP202200399
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On July 18, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against BAYARD REVISTAS,
S.A. (hereinafter, the claimed party), through the Agreement that is transcribed:
<<
File No.: EXP202200399
AGREEMENT TO START A SANCTION PROCEDURE
Of the actions carried out by the Spanish Agency for Data Protection
(AEPD) and based on the following:
FACTS
FIRST: D.A.A.A. (hereinafter, the complaining party) dated November 27,
2021 filed a claim with the Spanish Data Protection Agency. The
claim is directed against BAYARD REVISTAS, S.A with NIF A78874054 (in
forward, BAYARD). The grounds on which the claim is based are as follows:
The complaining party informs this Agency that he has received an email
by the person in charge of the web portal ***URL.1, in which he was informed about the
unauthorized access to the database by an unauthorized third party,
being responsible BAYARD.
According to the email, location and contact data of the
people who had provided their information on the website through the form of
Registration.
The person in charge assures that he has solved all the vulnerabilities that have
enabled the attack, has implemented the protocols to follow in the event of an incident
related to data protection, and has adopted a series of measures, including
which is the encryption of stored information.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
2/19
Attached to this claim is the screenshot of the email received
on November 19, 2021, warning of the breach.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to BAYARD, so that
proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.
The transfer was sent on January 21, 2022 by electronic notification,
in accordance with article 41 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (LPACAP).
This notification was automatically rejected after ten days had elapsed
natural from its availability for access according to paragraph 2, article
43, of Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public administrations; reiterating the transfer by certified mail, dated 01
of February 2022, resulting in the latter with an "unknown" status without the possibility of
locate the person in charge.
THIRD: On February 23, 2022, in accordance with article 65 of the
LOPDGDD, the claim filed by the claimant was admitted for processing.
FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the authorities of
control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter RGPD), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the LOPDGDD, dated March 1,
2022 BAYARD information was required, in order to clarify the aspects
related to the security breach giving rise to the claim filed.
The request for information was sent by electronic notification, in accordance with
to article 41 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (LPACAP).
Although this notification was automatically rejected after ten
calendar days from its availability for access according to paragraph 2,
Article 43 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations; reiterating the transfer by mail
certified, dated March 14, 2022, but using a different fiscal address
to the one used in the transfer, address obtained from the website of the person in charge, resulting
this last successful request with an acknowledgment date of March 22, 2022.
FIFTH: On April 6, 2022, a response to said request for information is received.
SIXTH: Within the framework of the aforementioned preliminary investigation actions,
again, request for information dated April 25 of that same year.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es