AEPD (Spain) - EXP202305587

From GDPRhub
Revision as of 15:15, 29 April 2024 by Lm (page created)
AEPD - EXP202305587
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 32 GDPR
Type: Other
Outcome: n/a
Started: 18.03.2022
Decided:
Published:
Fine: €3,000,000
Parties: Iberdrola Clientes, S.A.
National Case Number/Name: EXP202305587
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a processor €3,000,000 after it failed to conduct an adequate risk assessment and overlooked avoidable security vulnerabilities that resulted in a data breach affecting nearly 3,000,000 data subjects.

English Summary

Facts

On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. detected an attack on its GEA management portal (GEA portal), a web portal that manages service connections to the electricity distribution network. I-DE is the energy distribution brand of the Iberdrola company (the processor) and one of its several group companies. The following day, 16 March 2022, there was a general slowdown across the various websites of the processor's group companies. After 17 March 2022, no suspicious traffic was observed on the processor's websites.

Upon analysing the 16 March attack, I-DE determined that the breach extracted the personal data of 1.35 million of its clients and included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, I-DE notified the breach to the AEPD.

Spanish law on the electricity sector requires that regulated activities (such as electricity distribution) and unregulated activities (such as marketing) be unbundled. In accordance with that law, I-DE stated that it could only access the personal data of users of its electricity service and thus had no access to the data of data subjects managed by other distribution companies. Nonetheless, on 28 March 2022 I-DE communicated the breach to other companies of the processor's group, noting that it could have affected information about clients of these companies. It included the internal codes corresponding to the affected clients so that the companies could verify whether those clients' data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients, respectively, had been affected. The affected data subjects were notified by 1 April 2022.

The AEPD identified Iberdrola to be a processor within the meaning of Article 4(8) GDPR because it processes personal data of the companies belonging to the Iberdrola Group by providing services including IT infrastructure support and maintenance services. In this case, the processor was in charge of processing and managing the database where the three affected companies stored the personal data of their clients.

Given the number of companies affected, the AEPD opened investigations into the three companies as well as the processor. On 8 May 2023, it initiated sanctioning proceedings against the processor for potential violations of Articles 5(1)(f) and 32 GDPR.

The processor requested that its case be joined with the AEPD’s investigation of I-DE (EXP202205206). It noted that the attack on its GEA portal was the common security incident that prompted both cases. It argued that keeping the cases separate could result in a double imputation on I-DE and the processor of the same facts without elucidating each’s degree of responsibility.

With regard to the substantive violations, the processor argued that the cyberattacker, not the processor, was responsible for the breach’s spread to other companies. The processor also noted that it had mechanisms in place to detect the breach almost immediately, which enabled it to respond rapidly and which demonstrates compliance with Article 32 GDPR.

Holding

The AEPD found that the processor violated Articles 5(1)(f) and 32 GDPR, imposing a fine of €3,000,000.

It began by rejecting the processor's request for joinder, finding that even though there was a common security incident, the cases involved distinct breaches of different sets of personal data.

In finding a violation of Article 32 GDPR, the AEPD focused primarily on the inadequate separation between the data of the processor's group companies, which national law requires. In particular, I-DE's client codes were displayed in URLs, which allowed the attacker to link client data to the processor's other companies and thus defeated the required separation between the companies' data. The AEPD also noted that the processor had failed to demonstrate that it carried out a risk analysis of its processing facilities. It concluded that these shortcomings reflected inadequate measures to ensure the security of the personal data.

The AEPD also found that the processor violated Article 5(1)(f) GDPR, focusing on the failure to protect the confidentiality of the affected personal data. In addition to lacking the security measures discussed above, the processor had no technical measures in place, such as pseudonymisation, appropriate to the personal data it was regularly processing.
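The Article 32 and Article 5(1)(f) findings above turn on two linked design weaknesses: an internal client code placed directly in a URL, and a lookup that was not bound to the company the requester belonged to, so that a code learned from one company's portal could be correlated with other group companies' records. The following added example (not code from the decision, from the AEPD or from any Iberdrola group company) contrasts that pattern with a pseudonymised, company-bound reference, which is the kind of technical measure the AEPD refers to. The company names, client codes, records, the `vulnerable_lookup` function and the `ReferenceVault` class are all constructed for the example.

```python
"""Pseudonymised, company-bound client references for portal URLs.

Added example, not code from the AEPD decision or from any Iberdrola group
company. Company names, client codes and records are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records keyed by (company, internal client code).
# The codes are short sequential integers that two companies happen to
# share, which is what makes a raw code in a URL both guessable and
# correlatable across companies.
RECORDS: Dict[Tuple[str, str], dict] = {
    ("distributor", "1000001"): {"name": "Client One", "company": "distributor"},
    ("distributor", "1000002"): {"name": "Client Two", "company": "distributor"},
    ("retailer", "1000001"): {"name": "Client Three", "company": "retailer"},
}


def vulnerable_lookup(client_code: str) -> List[dict]:
    """The weak pattern: the internal code taken from a URL is looked up
    across the whole group database with no check of which company the
    requester belongs to, so one code can pull records of several companies."""
    return [rec for (_, code), rec in RECORDS.items() if code == client_code]


class ReferenceVault:
    """Issues opaque references for URLs and resolves them back to records.

    A reference is an HMAC over (company, client code) under a key held only
    by the vault: it cannot be derived from the code, carries no ordering, and
    the mapping back to the code lives only in the vault's index. Resolution
    additionally requires the requesting company to match the company the
    reference was issued for.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._index: Dict[str, Tuple[str, str]] = {}

    def issue(self, company: str, client_code: str) -> str:
        msg = f"{company}\x00{client_code}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()[:16]
        ref = base64.urlsafe_b64encode(tag).rstrip(b"=").decode()
        self._index[ref] = (company, client_code)
        return ref

    def resolve(self, requesting_company: str, ref: str) -> Optional[dict]:
        owner = self._index.get(ref)
        if owner is None:
            return None  # unknown or forged reference
        company, client_code = owner
        # Constant-time comparison; a reference issued for another company
        # resolves to nothing, so one company's references are useless
        # against another company's data.
        if not hmac.compare_digest(company.encode(), requesting_company.encode()):
            return None
        return RECORDS.get((company, client_code))


if __name__ == "__main__":
    vault = ReferenceVault()
    ref = vault.issue("distributor", "1000001")
    print("raw code hits:", len(vulnerable_lookup("1000001")))  # 2
    print("own company:", vault.resolve("distributor", ref))
    print("other company:", vault.resolve("retailer", ref))  # None
```

The point of the contrast is that with the raw code the same value pulls records from two companies, while the reference is meaningful only to the vault and only for the company it was issued to; a URL that leaks it reveals nothing about the underlying code or about neighbouring records.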

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

      File No.: EXP202305587



                    RESOLUTION OF SANCTIONING PROCEDURE

In the procedure instructed by the Spanish Data Protection Agency, and based on the following


Contents

BACKGROUND ........ 3
   FIRST ........ 3
   SECOND ........ 3
   THIRD ........ 4
   FOURTH ........ 4
   FIFTH ........ 4
   SIXTH ........ 4
   SEVENTH ........ 5
   EIGHTH ........ 5
      Regulatory framework ........ 5
      Systems and database architecture. GEA application ........ 7
      Regarding the chronology of the events. Actions taken in order to minimize adverse effects and measures adopted for their final resolution ........ 10
      Regarding the causes that made the breach possible ........ 13
      Regarding the data processor contract ........ 18
      Regarding security measures ........ 18
      Regarding communication to those affected ........ 25
      Information on the recurrence of these events and number of analogous events over time ........ 25

PROVEN FACTS ........ 28
   FIRST: First notification of personal data breach ........ 28
   SECOND: Circumstances of the attack ........ 31
   THIRD: About the GEA application of I-DE ........ 35
   FOURTH: About systems and database architecture. Access from applications ........ 35
   FIFTH: Causes that made the breach possible ........ 37
   SIXTH: Security measures established in the database ........ 38
   SEVENTH: Immediate measures after the breach ........ 38
   EIGHTH: IBERDROLA as data processor with respect to IBERCLI and CURENERGÍA ........ 39
   NINTH: Risk analysis of the processing affected by the personal data breach ........ 41
   TENTH: Number of people affected and type of data affected ........ 42

LEGAL GROUNDS ........ 42
   Competence ........ 42
   Preliminary questions ........ 42
      Regarding the request for joinder and the suspension of the deadline to submit allegations ........ 43
   Response to the allegations to the Initiation Agreement ........ 45
      FIRST: On the joinder of procedures ........ 45
      SECOND: On the special circumstances that occurred in relation to the processing of this file and the violation of the principles of good faith, legitimate expectations and legal certainty ........ 45
      THIRD: On the additional impact on the principles of sanctioning law derived from the interpretation made by the AEPD ........ 51
      FOURTH: Regarding the alleged violation by IBERDROLA of Article 32 GDPR ........ 60
      FIFTH: On the alleged violation of the principle of security ........ 65
      SIXTH: On the violation of the principle of proportionality to the detriment of IBERDROLA's rights ........ 66
   Response to the allegations to the Proposed Resolution ........ 69
      FIRST: Regarding the defencelessness alleged by IBERDROLA as a consequence of not having agreed to the joinder of procedures EXP202305587 and EXP202205206 ........ 70
      SECOND: About the previous acts of the AEPD and the violation of the principles of good faith, legitimate expectations and legal certainty ........ 70
      THIRD: About the arguments supporting the Proposed Resolution in considering that bis in idem does not occur ........ 76
      FOURTH: On the application of the principles of sanctioning law to the activity of the AEPD and the medial concurrence of offences (concurso medial) ........ 79
      FIFTH: Regarding the lack of violation by I-DE of Article 32 GDPR ........ 84
      SIXTH: Regarding the absence of violation of the principle of confidentiality and integrity ........ 95
      SEVENTH: Regarding the violation of the principle of proportionality to the detriment of the rights of IBERDROLA ........ 99
   Integrity and confidentiality ........ 105
   Classification of the violation of Article 5(1)(f) GDPR ........ 107
   Penalty for violation of Article 5(1)(f) GDPR ........ 108
   Article 32 GDPR ........ 110
   Classification of the violation of Article 32 GDPR ........ 113
   Penalty for violation of Article 32 GDPR ........ 114

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es






                                   BACKGROUND


FIRST:

On March 18, 2022, the Technological Innovation Division of this Spanish Data Protection Agency (hereinafter AEPD or the Agency) received a personal data security breach notification sent by I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U. with NIF A95075578 (hereinafter, I-DE) as data controller, in which it informs this Agency of the following:

On the afternoon of March 15, 2022, an attack was detected against I-DE's connection management website (GEA). (…). At this time, no impact on personal data has yet been identified. The next day, March 16, a brute force attack is detected directed against the same target (GEA) as the previous day's incident. It is repelled by taking action. On March 17, GEA reopens and the activity log is analysed, and it is concluded that there has been extraction of personal data. It is indicated that the number affected is 4.5 million clients of this company.

SECOND:

On March 29, 2022, I-DE presents a new notification expanding the information about the security breach reported on the 18th of the same month, in which it indicates that, after the forensic analysis of the incident, the number of its clients whose data have been affected is 1.35 million, and that it is also probable that data of clients of other companies in the Iberdrola group have been affected, since the attacker could potentially have gone beyond the information security boundaries exclusive to I-DE, jumping to ranges of information of other companies, which has already been transmitted to the Company's Systems management for detailed analysis of other impacts in other companies or businesses of the Iberdrola group.

Likewise, they indicate that the exact start date of the breach is March 7, 2022, and report that the breach has not yet been communicated to the affected people, who will be informed by March 31, 2022 at the latest.

Along with the notification, the following is provided:

       - Report “GEA cyber incident. Incident description and actions”, which describes the attack suffered and also includes the text of the communication that will be sent to those affected.


THIRD:

On March 29, 2022, CURENERGÍA COMERCIALIZADOR DE ULTIMO RECURSO S.A., with N.I.F. A95554630 (hereinafter CURENERGÍA) presents a security breach notification, in which it indicates that it became aware on March 28, 2022 that it had been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 1,550,000 of its clients, whom it has not yet informed but will do so no later than 03/31/2022.


FOURTH:

On March 29, 2022, IBERDROLA CLIENTES, S.A., with N.I.F. A95758389 (hereinafter IBERCLI) presents a security breach notification, in which it indicates that it became aware on March 28, 2022 that it had been affected by the security breach suffered by I-DE, indicating the violation of the confidentiality of the personal data of 85,000 of its clients, whom it has not yet informed but will do so no later than 03/31/2022.

FIFTH:

Since April 2, 2022, complaints from clients affected by the security incident have been received, which have been progressively admitted for processing since May 9, 2022.


SIXTH:

On April 6, 2022, IBERCLI presents an extension of the breach notification in which it reports that the people affected by it number 1,515,000 and that they were informed of it on March 31, 2022 by a communication addressed personally to each affected person (postal letter, email, SMS or similar).

Along with the notification, the following is provided:

       - Report “Cyberattack incident 03/28/2022. Incident description and actions”
       - Annex: Communication to interested parties

SEVENTH:

On April 6, 2022, CURENERGÍA presents an extension of the breach notification in which it reports that the people affected by it number 92,550 and that they were informed of it on March 31, 2022 by a communication addressed personally to each affected person (postal letter, email, SMS or similar).

Along with the notification, the following is provided:

       - Report “Cyberattack incident 03/28/2022. Incident description and actions”
       - Annex: Communication to interested parties


EIGHTH:

The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, learning of the following points:

During these actions, the following entities have been investigated:

    - I-DE REDES ELÉCTRICAS INTELIGENTES S.A. with NIF A95075578 (hereinafter, I-DE)
    - IBERDROLA S.A. with NIF A48010615 (hereinafter IBERDROLA)
    - IBERDROLA CLIENTES S.A.U. with NIF A95758389 (hereinafter, IBERCLI)
    - CURENERGÍA COMERCIALIZADOR DE ULTIMO RECURSO S.A. with NIF A95554630 (hereinafter, CURENERGÍA)


Regulatory framework

    - The regulations governing the electricity sector, Law 54/1997, of November 27, on the Electricity Sector, impose an obligation of total separation between regulated activities, such as distribution, and liberalized activities, such as marketing.

    - The right of consumers of electrical energy to access and connect to the electricity transmission and distribution networks in Spanish territory is specifically included in Law 24/2013, of December 26, on the Electricity Sector.

       Distribution companies and marketing companies are two differentiated entities in the field of the electricity sector. In this sense, Law 24/2013, of December 26, on the Electricity Sector defines them as different subjects.

    - In accordance with the regulation of the electricity sector, a consumer, to receive electricity at home, needs to hold two differentiated contracts in relation to their point of supply (CUPS):

            On the one hand, the energy purchase contract, the “supply contract”, which is signed between a consumer and an electricity marketing company. Although it is also possible for the consumer to acquire electricity directly on the market, without the need for a marketer, this is not typical of natural-person clients but of large electricity-consuming companies, as I-DE, IBERCLI and CURENERGÍA indicate in their response.

            On the other hand, the network access or distribution or transmission contract, the “ATR contract”, which the consumer signs through the intermediation, as agent, of the marketing company with which it has contracted the purchase of electrical energy. Although it can also be subscribed directly with the company that owns the network, this is not typical of natural-person clients but of large electricity-consuming companies, as I-DE, IBERCLI and CURENERGÍA indicate in their response.

    - When a customer wants to contract electricity at a supply point or make any contractual modification, said client goes to a marketing company, which on behalf of the client and as its agent contracts the ATR contract, the access contract to the distribution network.

       Any contractual modification requested by a marketer from a distributor is made through XML digital requests complying with the exchange formats between agents established by the National Commission of Markets and Competition (CNMC), by virtue of the Resolution of December 20, 2016, which approves the formats of the data files for the exchange of information between distributors and marketers of electricity and natural gas, and the Resolution of December 17, 2019, which approves new formats for information exchange files between distributors and marketers and modifies the Resolution of December 20, 2016.

Taking into account the above:

    - I-DE, electricity distributor of the Iberdrola group, states that it can only access the data of its clients, that is, users of the electricity service whose supply point is within the network whose management, as distributor, corresponds to it, and not those managed by other distribution companies.

       In relation to the users of its network, it knows the information of each consumer's marketer as a consequence of signing the ATR contract with the consumer (or with the marketer as agent of the consumer).

    - I-DE indicates that it would not have the capacity to know any type of information relating to those who, being clients of IBERCLI or CURENERGÍA, electricity marketers of the Iberdrola group in the free market and the regulated market respectively, were not clients of this distributor.


Systems and database architecture. GEA application

(…)


(…):
    - (…):

                                         (…)


    - (…).

(…)

(…):


    - (…).

       (…).


    - (…).

(…).

(…).


(…).

(…).

(…).


IBERDROLA indicates that the audit to verify the logical separation of access to information by I-DE has its cause in what is established in the regulations of the electricity sector, which impose an obligation of total separation between regulated activities, such as distribution, and liberalized activities, such as marketing, so that distribution companies must prove the aforementioned separation.

I-DE reports that, annually, it issues a report that is presented to the Ministry for the Ecological Transition and the Demographic Challenge (MITERD) and the National Commission of Markets and Competition (CNMC) to account for compliance, during the financial year, with the obligations regarding separation of activities by the companies of the group formed by Iberdrola España and the companies in which it participates with regulated activities, that is, the company I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U., under Article 12.2 b) of the Electricity Sector Law and Article 14 of the Code of Separation of Activities of the Companies of the Iberdrola Spain Group with Regulated Activities (“CSA”), available on the Iberdrola Spain website.

(…).

(…):


    “(…)
    Scope of work
    (…)
    (…).


    Procedures performed
    (…):
    - (…)
    - (…)
            (…)

            (…)

    Conclusions

    (…).


    (…).

    (…).”


Regarding the chronology of the events. Actions taken in order to minimize the adverse effects and measures adopted for their final resolution.

I-DE states the following:

    - On March 15, in the afternoon, an attack was detected against I-DE's connection management website (GEA), the sequence of events being the following:

            (…).
            (…).
            (…).
            (…).
            (…).
            (…).

    - On the morning of March 16, 2022, there is a general slowdown in access to various Iberdrola group websites.

            (…).
            (…).
            (…).
            (…).
            (…).
            (…).
            (…).

    - Starting March 17, 2022:

            (…).
            As of the 17th, no suspicious traffic or impact has been observed in any of the Iberdrola group's internet service systems.
            From the analysis of the activity log of the GEA application over the preceding days, it is concluded on March 17 that there has been an exfiltration, between March 7 and 15, 2022, of data of approximately 4.5 million interested parties (natural persons).
            (…).
            On March 28, 2022, the Systems Directorate communicates to IBERCLI and CURENERGÍA the existence of a security incident in the I-DE systems that could have affected the information referring to the clients of these companies, and includes information regarding the internal customer codes of those affected, so that the companies can verify whether data corresponding to their clients has been compromised. After analysing the information, IBERCLI and CURENERGÍA verify that the security breach has affected personal data of clients of said companies.
            (…).

    - Likewise, I-DE states and certifies that, since it became aware of the incident, the necessary actions were put into practice to, in coordination with the affected organizations, comply with the internal protocols established for this purpose and the applicable legislation, which include the following actions:

            Communication to INCIBE-CERT, the National Cybersecurity Institute of Spain, as Iberdrola's reference computer security incident response team.
            Communication to the Cybersecurity Coordination Office, under RDL 12/2018 on security of networks and information systems, which refers the cybersecurity incident to the National Police for investigation.
            Communication to the National Centre for Critical Infrastructure Protection under Law 8/2011 on Critical Infrastructure Protection.
            Filing of a complaint with the National Police (Central Cybercrime Unit), together with the document presented by I-DE with it.
            Notification of the security breach to the AEPD and those affected.

    - In summary, the monitoring systems allowed the detection of an abnormal volume of traffic, a more detailed traffic analysis activity was launched, and the immediate measures that were adopted were:

            (…).
            (…).
            (…).
            (…).
            (…).
            (…).
            (…).

    - IBERCLI and CURENERGÍA state that the cessation of the incident occurred even before they were aware that it had affected personal data referring to their clients, said cessation resulting from the additional security measures implemented by the Systems Directorate (of IBERDROLA) in the GEA application, aimed at preventing information of the Database referring to clients of other Group entities from being exfiltrated from access to the application by entering a random code.
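I-DE's account above says that its monitoring detected an abnormal volume of traffic before the detailed analysis began, and IBERCLI and CURENERGÍA describe the exfiltration as entering codes into the GEA application. The following added example (not code from the decision or from any Iberdrola group company) shows what such detection can look like on a portal's access log: per-source request volume, the number of distinct client codes requested, and a consecutive-code pattern, all over a sliding window. The log line format, source addresses, client codes, thresholds and the `detect` function are constructed for the example.

```python
"""Flagging abnormal volume and client-code enumeration in portal access logs.

Added example, not code from the AEPD decision or from any Iberdrola group
company. Log format, addresses, codes and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Assumed line shape: <ISO timestamp> <source> "GET /client?code=<n>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) '
    r'"GET /client\?code=(?P<code>\d+)" (?P<status>\d{3})$'
)

Event = Tuple[datetime, str, int]


def build_sample_log() -> List[str]:
    """Constructed sample: one user re-opening a single record now and then,
    and one source requesting consecutive client codes once per second."""
    base = datetime(2022, 3, 15, 16, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=40 * i)
        lines.append(f'{t.isoformat()} 10.0.0.5 "GET /client?code=1000777" 200')
    for i in range(60):
        t = base + timedelta(seconds=i)
        lines.append(f'{t.isoformat()} 203.0.113.9 "GET /client?code={1000001 + i}" 200')
    return lines


def parse(lines: List[str]) -> List[Event]:
    """Parse matching lines into (timestamp, source, code), oldest first."""
    events: List[Event] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["code"])))
    events.sort()
    return events


def detect(
    events: List[Event],
    window: timedelta = timedelta(seconds=60),
    max_requests: int = 30,
    max_distinct: int = 15,
    min_sample: int = 10,
    seq_ratio: float = 0.8,
) -> Dict[str, Set[str]]:
    """Sliding window per source. A source is flagged for 'volume' when it
    exceeds max_requests in a window, 'distinct_codes' when it touches more
    than max_distinct different codes, and 'sequential' when, with at least
    min_sample requests in the window, a fraction >= seq_ratio of successive
    codes differ by exactly one (a walk through the code space)."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    findings: Dict[str, Set[str]] = {}
    for ts, src, code in events:
        q = recent[src]
        q.append((ts, code))
        while q and ts - q[0][0] > window:
            q.popleft()
        reasons = findings.get(src, set())
        codes = [c for _, c in q]
        if len(codes) > max_requests:
            reasons.add("volume")
        if len(set(codes)) > max_distinct:
            reasons.add("distinct_codes")
        if len(codes) >= min_sample:
            steps = sum(1 for a, b in zip(codes, codes[1:]) if abs(b - a) == 1)
            if steps / (len(codes) - 1) >= seq_ratio:
                reasons.add("sequential")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, why in detect(parse(build_sample_log())).items():
        print(src, sorted(why))
```

The three signals are deliberately independent: a slow walk through codes trips 'sequential' long before it trips 'volume', while a burst of repeated requests for one record trips 'volume' without 'distinct_codes'. Thresholds are placeholders and would be tuned to the real portal's baseline.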

Regarding the causes that made the gap possible


       - (…).

       (…).

       (…):


              (…).

       (…).

       (…):


              (…)

(…):


            (…)

(…)

            (…)

              (…)

                  either      (…)
            (…).

       (…)
       (…)


    - (…)




Regarding the affected data


    - Exfiltrated customer data (…):

            (…)


    - (…):

               (…)

    - (…):


(…).

    - (…).


    - (…).

(…).

    - (…).


    - (…).

       On March 28, 2022, the Systems Directorate notifies IBERCLI and CURENERGÍA of the existence of a security incident in the I-DE systems that may have affected the information referring to the clients of these companies, and includes information referring to the internal customer codes of those affected, so that the companies can verify whether data corresponding to their clients may have been compromised.

       IBERCLI and CURENERGÍA verify that the security breach has affected personal data of 1,515,000 and 92,550 clients, respectively.

Regarding the data processor contract

    - The Iberdrola Group's Framework Agreement for the Protection of Personal Data is provided, in which the scope of the provision of services to the Group companies carried out by IBERDROLA is defined. This agreement has been updated in its Annex II, said update being pending formalization.

       Likewise, the Declaration of Acceptance by Iberdrola España S.A.U. of its adhesion to the Framework Agreement for the Protection of Personal Data of the Iberdrola Group is provided, the aforementioned entity acting, in accordance with what is indicated in the second clause, in its own name and right and on behalf of the companies belonging to its corporate group over which it has direct or indirect control, among which are I-DE, IBERCLI and CURENERGÍA.

    - IBERCLI and CURENERGÍA provide a copy of the record of processing activities corresponding to the processing operations affected by the breach:

            (…).
            (…).

    - IBERDROLA provides a copy of the records of processing activities corresponding to the processing operations “Support and Maintenance of IT Infrastructures” and “Application Development (SWF)”, which it carries out in its capacity as processor with respect to various processing operations of the Group companies, among which are those affected by the security breach.


Regarding security measures

Regarding the risk analysis carried out on the processing activity that suffered
the security breach, before the breach occurred:

    - IBERDROLA states in a response letter that the Iberdrola Group has adopted
       a risk analysis methodology for the processing of personal data that is
       implemented in an automated way in the corporate tool itself for
       recording processing activities, so that the risk level of the processing
       is determined in the registration process itself.

    - In the case of processing operations for which IBERDROLA acts as data
       processor, it points out that the methodology involves carrying out the
       risk analysis in relation to each of the processing operations for which
       IBERDROLA holds that status, so that this analysis is carried out by the
       data controller in collaboration with IBERDROLA.

    - For this reason, the results of the risk analysis related to the specific
       processing operations (…) are included in the Records of Processing
       Activities of I-DE and those of IBERCLI and CURENERGÍA, their results
       having been communicated to IBERDROLA.

(…).

- Security measures implemented prior to the breach in the data processing
operations where it occurred:

I-DE, IBERCLI and CURENERGÍA indicate in their responses that, prior to the
incident, the following security measures, common to the IT infrastructure of
the Iberdrola Group, were implemented:

    - (…).
    - (…).
    - (…).
    - (…).
    - (…).
    - (…).
    - (…).
    - (…).

Likewise, like IBERDROLA, they also describe the security measures specific to
the GEA system:

    (…):

            (…)

            (…).

    (…)

(…):

    - (…).

(…):

    - (…).

- Reason why the security measures implemented did not prevent the incident:

(…):
    - (…).
    - (…)
    - (…).
    - (…).
    - (…).
    - (…).
    - (…).
    - (…).
    - (…).

Measures adopted to avoid, as far as possible, incidents such as the one that
occurred:

    - (…)

       (…)
Regarding communication to those affected

On March 28, 2022, the IBERDROLA Systems Management notifies IBERCLI and
CURENERGÍA of the existence of a security incident in the I-DE systems that
could have affected the information referring to the clients of these
companies, and includes information referring to the internal customer codes of
those affected, so that the companies can verify whether data corresponding to
their clients has been compromised.

IBERCLI and CURENERGÍA state that, after analyzing the information, their
respective systems teams verify that the security breach has affected the
personal data of 1,515,000 and 92,550 clients, respectively.

Likewise, they resolve to notify those affected of the security breach. The
notification to those affected was carried out between March 31 and April 1,
2022, for clients whose email address was available, by sending mass electronic
communications, and by postal mail to the rest on April 4 and 5, 2022.

    - The three companies provide the model of the communication sent to those
       affected, and it is verified that it complies with what is specified in
       Article 34 of the GDPR.

Information on the recurrence of these events and the number of analogous events
over time.

IBERDROLA states that, apart from the security incident that is the subject of
this procedure, no other incident of a similar nature has occurred.

NINTH: The IBERDROLA entity is a large company with a turnover of ***QUANTITY.1
euros in the year 2021 and ***QUANTITY.2 euros in the year 2022, according to a
report from the Axesor entity.

TENTH: On May 8, 2023, the Director of the Spanish Data Protection Agency agreed
to initiate sanctioning proceedings against the claimed party, in accordance
with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations (hereinafter, LPACAP),
for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the
GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR.
The aforementioned initiation agreement, in accordance with the rules
established in Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP).

ELEVENTH: On May 24, 2023, IBERDROLA presents a written submission in which it
requests the joinder of this file with EXP202205206, as well as the suspension
of the deadline for submitting allegations until this request is resolved,
indicating the following:

IBERDROLA understands that the facts that serve as the basis for the sanctioning
power that the Agency seeks to exercise are, or have, a single basis that
affects the two sanctioning files that have been opened separately, for which
reason it requests the joinder of both sanctioning procedures, understanding
that there is a necessary connection between them, that is, that it is the same
situation that may give rise to the liability of both. IBERDROLA understands
that the terms of said liability, total or partial, in the degree of author,
collaborator or any other category borrowed from criminal law, can only be seen
if the procedure is analyzed as a whole.

IBERDROLA maintains that the lack of joinder in the present case could imply a
double imputation of the same facts to two entities which, moreover, belong to
the same business group, specifically the Iberdrola group, of which IBERDROLA is
the parent company.

If both files are not joined, IBERDROLA states that it would be impossible to
clarify the degree of liability of each of them, since the facts would be
analyzed separately and without evaluating the alleged simultaneous action, in
terms of liability, of the two entities against which both procedures are
directed. In this way, there would be a double imputation of the same facts to
both entities without assessing whether or not liability is shared, or whether
the sanctioning reproach directed separately against both should be subject to
reduction as a consequence of this supposed concurrence of liability. With this,
the right of defense of IBERDROLA is limited, in the terms established in the
constitutional case law reproduced below, by not being able to analyze the
concurrent circumstances of the case in a unified form as a consequence of the
fragmentation caused by the opening of two different procedures.

IBERDROLA understands that the requirements established in Article 57 of Law
39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP) that justify the joinder of the procedures
are met, and sets out the specific relevance of their application to the present
case:

A) Existence of an "intimate connection" or "substantial identity".

IBERDROLA points out that, in the present case, on March 18, 2022, a personal
data security breach was reported, initially by I-DE. It is this same security
breach that determines the opening of the present procedure, in which liability
is attributed to IBERDROLA, as well as of the procedure that it seeks to join
with the present one, opened to elucidate the liability of I-DE.

IBERDROLA indicates that the connection, in the present case, derives, therefore,
from the fact that it is a matter of determining the liability of two legal
entities, but for the same fact: it is the Agency itself that makes it clear
that it is a single security breach, and that it is on this breach that, where
appropriate, the individual liability of IBERDROLA, in this procedure, and of
I-DE, in the procedure whose joinder is requested, would rest.

Therefore, IBERDROLA concludes that, since it is the same facts for which
liability is imputed both to it and to I-DE, a joint assessment of those facts
is evidently required in order to determine whether there is joint or separate
liability of both entities, as well as whether the liability would be under a
different title in each case.

B) That the processing and resolution of the procedure correspond to the same
body.

IBERDROLA points out that, together with the previous requirement, the LPACAP
requires respect for the general principle of competence of the body that must
issue the resolution, a requirement which is fulfilled in the present case,
given that the Law attributes the competence to process both procedures to a
single sanctioning body, so that with the joinder that competence is neither
lost nor blurred as a consequence of the potential existence of different
investigating bodies.

In IBERDROLA's opinion, the essential effect of the joinder of files is that
all issues to be resolved must be examined in a single procedure and decided in
a single final act that jointly assesses the liabilities of all those involved.

IBERDROLA points out that the scheme it has just analyzed has, without a doubt,
special characteristics in the sanctioning field due to its very structure and
the value judgment that it contains.

It cites several Rulings of the Constitutional Court to point out that the main
principles and constitutional guarantees of the criminal order and criminal
process must be observed, with certain nuances, in the administrative
sanctioning procedure, such as the right to be informed of the accusation (SSTC
31/1986, 190/1987, 29/1989) and to use the relevant means of evidence for the
defense (SSTC 2/1987, 190/1987 and 212/1990), as well as the right to the
presumption of innocence (SSTC 13/1982, 36 and 37/1985, 42/1989, 76/1990 and
138/1990), all of them fundamental rights that have been incorporated by the
legislator into the regulations governing the common administrative procedure.

IBERDROLA understands that the fragmentation of the procedure into two separate
procedures substantially affects the determination and verification of the
relevant facts, as well as the delimitation of the potential liabilities that
may correspond to the entities against which the procedures whose joinder is
requested are directed.

IBERDROLA therefore concludes that joinder is a requirement of adequate
investigation and a guarantee of the right of defense, and that the separate
processing of two sanctioning proceedings against two different legal entities
for the same facts is detrimental to its interests.

IBERDROLA understands that the lack of joinder in the present case could imply a
double imputation to IBERDROLA and I-DE, as has been said, of the same facts,
without the joinder allowing the degree of liability of each of them to be
elucidated, since the facts would be analyzed separately and without going into
an assessment of the supposed simultaneous action, in terms of liability, of the
two entities against which both procedures are directed.

It understands that maintaining the separation of the procedures means, in
procedural terms, a division of the case that conditions the investigating
action and the proposal, because different investigations, evaluations and
potentially different evidence appear and, therefore, criteria that can
likewise be differentiated.

For all of the above, IBERDROLA requests the joinder of the two files cited, and
that the suspension of the deadline for the formalization of allegations until
the joinder incident proposed in this document is resolved also be considered
expressly requested.

Likewise, IBERDROLA understands that, taking into account the nature of the
request and its impact on the investigation of the files in question and,
ultimately, on the right of defense of the interested parties in both
procedures, since it substantially affects the content of the allegations that
IBERDROLA could make should the aforementioned joinder be agreed, with the
consequent reduction of its right to effective judicial protection in the form
of using the means of proof necessary for the adequate defense of its rights,
it expressly requests that the deadline for formalizing allegations be
suspended so that they can be made in accordance with the investigation
criteria that it is requesting.

Therefore, IBERDROLA requests the suspension of the deadline for the
formalization of allegations until the joinder incident raised in this
submission is resolved.

TWELFTH: On January 30, 2024, IBERDROLA presented a written submission of
allegations to the Proposed Resolution of the sanctioning procedure.


THIRTEENTH: From the actions carried out in this procedure and the documentation
recorded in the file, the following has been accredited:

                                PROVEN FACTS


FIRST: First notification of personal data breach

1.- Notifications of personal data breach made by I-DE:

    A) On March 18, 2022, the Technology Innovation Division of this Spanish
       Data Protection Agency (hereinafter AEPD or the Agency) was notified of a
       personal data security breach, sent by I-DE REDES ELÉCTRICAS
       INTELIGENTES, S.A.U. with NIF A95075578 (hereinafter, I-DE) as data
       controller, in which it informs this Agency of the following:

(…).

It is indicated that the number of affected people is 4.5 million clients of
this company.

    B) Dated March 29, 2022 (Registration number: REGAGE22e00010072289), I-DE
       presents a new notification expanding the information about the reported
       personal data breach, through the contribution of the report “GEA cyber
       incident. Incident description and Actions.” dated March 28, 2022,
       according to which:

“I-DE, within the provision of services to its clients, offers a web application
called File Management and Connections (GEA): ***URL.1

This service allows customers or their representatives (installers) to carry out
the relevant procedures for the process of a connection to the network. In the
course of the application sessions, there is an exchange of client data that is
subject to the application's own security filters, so that each client (or
delegated representative) can only access the information that corresponds to
the intended security and access profiles.

It indicates that the number of affected I-DE clients is 1,350,000.

It indicates the start date of the breach as March 7, 2022.

It reports that the breach has not yet been communicated to the affected people
and that, at the latest, they will be informed by March 31, 2022.

Likewise, in the aforementioned report “GEA cyber incident. Incident description
and actions”, it is indicated:

“6. Analysis of the extracted information

Based on the information from the forensic analysis, i-DE has carried out an
analysis of the records of potentially extracted information.

From the file sent to i-DE with the clients affected by the security breach,
which contains 4.5 million records of natural persons, it has been verified that
approximately 1.3 million are i-DE customers.

The attacker could potentially have exceeded the security conditions of the
information exclusive to i-DE, jumping to ranges of information from other
companies. Given the nature of the database architecture (which, while having
logical separation, shares common physical elements), this could mean that other
client data belonged to companies other than i-DE, which is transmitted to the
Company's Systems Management for detailed analysis of other conditions in other
companies or businesses of the Iberdrola group.”
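The report quoted above describes one physically shared database in which the group companies' client records are kept apart only by logical separation, so that each company's application is expected to reach its own clients alone. As an added illustration, not code from the decision or from any Iberdrola system, the following Python example builds a constructed in-memory SQLite table in that shape and contrasts two ways of enforcing the separation: a lookup whose company predicate lives in each individual query (and is missing from one of them), and a tenant-bound connection that composes the predicate into every query and re-checks the result before returning it. Table and column names, client codes and client names are assumed; only the company labels follow the decision.

```python
import sqlite3

# Constructed sample data (not taken from the decision): one physical table
# shared by several group companies, "logically separated" only by the
# company column. Client codes and names are invented.
SAMPLE_CLIENTS = [
    ("I-DE", 1001, "client-a"),
    ("I-DE", 1002, "client-b"),
    ("IBERCLI", 2001, "client-c"),
    ("IBERCLI", 2002, "client-d"),
    ("CURENERGIA", 3001, "client-e"),
]


def build_shared_db():
    """Create an in-memory shared table holding every company's clients."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients ("
        " company TEXT NOT NULL,"
        " client_code INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_app_filter(conn, company, code_from=None, code_to=None):
    """Weak pattern: separation depends on each query path remembering the
    company predicate. The listing path has it; the range path was written
    without it, so a range lookup returns other companies' rows."""
    if code_from is None:
        sql = ("SELECT company, client_code FROM clients "
               "WHERE company = ? ORDER BY client_code")
        return conn.execute(sql, (company,)).fetchall()
    # Defect kept on purpose for contrast: no company predicate on this path.
    sql = ("SELECT company, client_code FROM clients "
           "WHERE client_code BETWEEN ? AND ? ORDER BY client_code")
    return conn.execute(sql, (code_from, code_to)).fetchall()


def cross_tenant_rows(rows, company):
    """Detection helper: rows whose company differs from the caller's tenant.
    Run over query results (or over access logs that record the tenant and the
    rows served) it surfaces a separation failure instead of letting it pass."""
    return [row for row in rows if row[0] != company]


class TenantConnection:
    """Hardened form: the company is bound once, every query is composed with
    the company predicate by construction, and results are re-checked before
    leaving the data layer. `extra_where` is developer-written SQL with
    placeholders; caller-supplied values always travel in `params`."""

    def __init__(self, conn, company):
        self._conn = conn
        self.company = company

    def query(self, extra_where="1=1", params=()):
        sql = ("SELECT company, client_code FROM clients "
               f"WHERE company = ? AND ({extra_where}) ORDER BY client_code")
        rows = self._conn.execute(sql, (self.company, *params)).fetchall()
        leaked = cross_tenant_rows(rows, self.company)
        if leaked:
            # Unreachable by construction; if it ever fires, treat it as an incident.
            raise RuntimeError(f"cross-tenant rows served to {self.company}: {leaked}")
        return rows


if __name__ == "__main__":
    db = build_shared_db()
    weak = lookup_app_filter(db, "I-DE", 1000, 4000)
    print("weak range lookup leaked:", cross_tenant_rows(weak, "I-DE"))
    bound = TenantConnection(db, "I-DE").query("client_code BETWEEN ? AND ?", (1000, 4000))
    print("tenant-bound lookup returned:", bound)
```

The point of the contrast is where the separation lives: in the weak form it is a convention that every query author must follow, and a single range lookup without the predicate returns the other companies' rows; in the bound form the predicate is part of every statement the connection can issue, and the post-query check turns any remaining failure into a logged incident rather than silent disclosure.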


2. Notifications of personal data breach made by IBERCLI:

    A) Dated March 29, 2022 (Registration number: REGAGE22e00010094106), IBERCLI
       presents a security breach notification, in which it indicates that it
       became aware on March 28, 2022 that it had been affected by the security
       breach suffered by I-DE, indicating the violation of the confidentiality
       of the personal data of 1,550,000 of its clients, whom it has not yet
       informed but will do so no later than 03/31/2022.

    B) Dated April 6, 2022 (Registration number: REGAGE22e00011889434), IBERCLI
       presents a modification of the personal data breach notification made on
       March 29, 2022, in which it reports that the people affected by it are
       1,515,000 and that they were informed of it on March 31, 2022 through
       communication addressed personally to each affected person (postal,
       email, SMS or similar).

Along with the notification, the following is provided:

              - Report “Cyberattack incident 03/28/2022. Incident description and
                Actions”
              - Annex Communication to interested parties

3. Notification of personal data breach made by CURENERGÍA:

    A) Dated March 29, 2022 (Registration number: REGAGE22e00010095169),
       CURENERGÍA presents a security breach notification, in which it indicates
       that it became aware on March 28, 2022 that it had been affected by the
       security breach suffered by I-DE, indicating the violation of the
       confidentiality of the personal data of 85,000 of its clients, whom it
       has not yet informed but will do so no later than 03/31/2022.

    B) Dated April 6, 2022 (Registration number: REGAGE22e00011892653),
       CURENERGÍA presents a modification of the personal data breach
       notification made on March 29, 2022, in which it reports that the people
       affected by it are 92,550 and that they were informed of it on March 31,
       2022 through communication addressed personally to each affected person
       (postal, email, SMS or similar).

Along with the notification, the following is provided:

              - Report “Cyberattack incident 03/28/2022. Incident description and
                Actions”
              - Annex Communication to interested parties

SECOND: Circumstances of the attack

1. As indicated in the summary of the report “GEA cyber incident. Incident
description and actions.” provided by IBERDROLA in its written response to the
information request made by this AEPD during the preliminary investigation
actions, presented on January 24, 2023 (Registration number:
REGAGE23e00004670187), and as also indicated in the report “GEA cyber incident.
Incident description and actions.” dated March 28, 2022 and provided by I-DE
along with the second personal data breach notification, the chronology of the
attack is as follows:

    - “On March 15, in the afternoon, an attack was detected against the I-DE
       connections management website (GEA).

            (…)
            (…)
            (…)

            (…).
            (…).

    - On March 16, 2022, in the morning, a general slowdown occurs in access to
       various Iberdrola group websites.

            (…)

    - Starting March 17:

            (…).

            As of the 17th, no suspicious traffic or impact has been observed in
               any of the Iberdrola group's internet service systems.

            From the analysis of the activity log of the GEA application for the
               last few days, it is concluded on March 17 that an exfiltration
               took place, between March 7 and 15, 2022, of approximately 4.5
               million interested parties (natural persons).

            Once the Systems Directorate had provided I-DE with the information
               related to the client codes of the interested parties, it is
               communicated on March 28, 2022 that, of these, only 1.34 million
               records correspond to I-DE clients.

            On March 28, 2022, the Systems Directorate communicates to IBERCLI
               and CURENERGÍA the existence of a security incident in the I-DE
               systems that could have affected the information referring to
               the clients of these companies, and includes information
               regarding the internal customer codes of those affected, so that
               the companies can verify whether data corresponding to their
               clients has been compromised. After analyzing the information,
               IBERCLI and CURENERGÍA verify that the security breach has
               affected personal data of clients of said companies.

            (…)

2. As indicated by IBERCLI in the report “Cyberattack incident 03/28/2022.
Incident description and actions.” dated April 4, 2022 and provided together
with the second personal data breach notification, the chronology of the events
is the following:

"3. Facts

Elements relating exclusively to the cyber attack on the i-DE GEA website are
excluded from this account, given that, as we know, the AEPD has already been
informed of them.

The events therefore begin from the moment in which IBERCLI becomes aware of
having been affected by the cyber attack:

       1. On March 28, a notification is received from i-DE Systems indicating
       that, as a result of the analysis carried out by said company, it has
       been observed that among the affected clients there are some that do not
       correspond to i-DE customer codes.

       2. After urgently analyzing the information given to us, we conclude
       that a total of 1.5 million IBERCLI clients have been affected, despite
       the fact that the database architecture has implemented logical
       separation security measures and each company, by application, only has
       the capacity to access its own clients.

       3. Once the impact on IBERCLI data has been confirmed, on 03/29, we
       proceed to notify the AEPD.

       4. Work begins in parallel on notification to interested parties. Said
       notification is made in waves between 03/31 (400.00 notifications by
       email approx.), 01/04 (rest of the email notifications) and 04/04
       (sending of letters to clients for whom no email is available). A
       service arrangement is set up for affected customers, with a toll-free
       number and a specific email, and the usual channels are reinforced by
       giving instructions to address specific questions about the incident. A
       copy of the communication sent is attached.

       5. IBERCLI has been integrated into a plan at the Iberdrola group level,
       which includes technical and organizational measures adopted to avoid,
       as far as possible, security incidents like the one that happened. An
       urgent securing plan has been launched for the whole Iberdrola group,
       consisting of:

           a. Prevention (Infrastructure Controls)
           b. Vulnerability detection
           c. Remediation of detected vulnerabilities
           d. Review of emergency protocols

       6. The scope of the digital surveillance established for the i-DE
       incident is extended, with no publication having been detected to date
       in open sources or on the dark web”

3. As indicated by CURENERGÍA in the report “Cyberattack incident 03/28/2022.
Incident description and actions.” dated April 4, 2022 and provided together
with the second personal data breach notification, the chronology of the events
is the following:

"3. Facts

Elements relating exclusively to the cyber attack on the i-DE GEA website are
excluded from this account, given that, as we know, the AEPD has already been
informed of them.

The events therefore begin from the moment in which CURENERGÍA becomes aware of
having been affected by the cyber attack:

       1. On March 28, a notification is received from i-DE Systems indicating
       that, as a result of the analysis carried out by said company, it has
       been observed that among the affected clients there are some that do not
       correspond to i-DE customer codes.

       2. After urgently analyzing the information given to us, we conclude
       that a total of 92,550 CURENERGÍA clients have been affected, although
       the database architecture has implemented logical separation security
       measures and each company, by application, only has the capacity to
       access its own clients.

       3. Once the impact on CURENERGÍA data has been confirmed, on 03/29, we
       proceed to notify the AEPD.

       4. Work begins in parallel on notification to interested parties. Said
       notification is made in waves between 03/31, 04/01 and 04/04 (by email
       or by sending letters to clients for whom no email is available). A
       service arrangement is set up for affected customers, with a toll-free
       number and a specific email, and the channels are reinforced by giving
       instructions to answer specific queries about the incident. A copy of
       the communication sent is included in the annex.

       5. CURENERGÍA has been integrated into a plan at the Iberdrola group
       level, which includes technical and organizational measures adopted to
       avoid, as far as possible, security incidents like the one that
       happened. An urgent securing plan has been launched for the whole
       Iberdrola group, consisting of:

           a. Prevention (Infrastructure Controls)
           b. Vulnerability detection
           c. Remediation of detected vulnerabilities
           d. Review of emergency protocols

       6. The scope of the digital surveillance established for the i-DE
       incident is extended to CURENERGÍA, with no publication having been
       detected in open sources or on the dark web”


THIRD: About the GEA application of I-DE

- I-DE and IBERDROLA, in their written responses to the requests made by this
AEPD, indicate:

- The GEA application is an I-DE web application that is used for the Management
of Electrical Connections; this application is published on the Internet for
access by the users (customers, installers, etc.) involved in the management
process of those connection files:

       ***URL.1

- This service allows customers or their representatives (installers) to carry
out the relevant procedures for the process of a connection to the network. In
the course of the application sessions, there is an exchange of client data that
is subject to the application's own security filters, so that each client (or
delegated representative) can only access the information that corresponds to
the intended security and access profiles.

- (…):

       ***URL.2


FOURTH: About the systems and database architecture. Access from applications.

IBERDROLA, as the data processor and manager of the database where the three
affected companies store the personal data of their clients, indicates the
following:

“(…)

(…).”

FIFTH: Causes that made the breach possible

IBERDROLA, in its response document presented on January 24, 2023, indicates:

(…)

(…).

(…).

(…):

• (…)
• (…)
• (…)
• (…)
• (…)
• (…)
• (…)
• (…)
• (…)

(…)
(…)

SIXTH: Security measures established in the Database

IBERDROLA, regarding the security measures established in the database, in its
response document presented on January 24, 2023, indicates the following:

“(…).”

SEVENTH: Immediate measures after the breach

IBERDROLA, in its response document submitted on January 24, 2023, indicates the
following:

“(…).”

EIGHTH: IBERDROLA as data processor with respect to IBERCLI and CURENERGÍA

In response to the information request made by this AEPD to IBERDROLA during the
period of prior investigations, related to the contracts signed in relation to
data protection regarding the provision of IT and security support services to
I-DE, IBERCLI and CURENERGÍA, IBERDROLA, in its response document presented on
January 24, 2023 (Registration number: REGAGE23e00004670187), indicates:

- “The Framework Agreement for the protection of personal data for the Iberdrola
Group is provided as document No. 1, which details the scope of the provision of
services to the Group companies carried out by my client, in accordance with the
requirements established in Article 28 of the General Data Protection
Regulation. This Agreement has been updated in its Annex II, which is provided
as document number 1bis, with said update pending formalization.


Likewise, a declaration of acceptance of
Iberdrola España, S.A.U. of its accession to the aforementioned Framework Agreement, acting the aforementioned
entity, as indicated in the second clause, in its own name and right
and on behalf of the companies belonging to its corporate group on the
that directly or indirectly holds control, among which are the three
entities to which the information request refers.


The aforementioned “Framework Agreement for the protection of personal data for the Iberdrola Group”,
signed on May 18, 2018, is signed, on the one hand, by IBERDROLA and, on the other,
by “the companies integrated into the group whose dominant entity, in the sense
established by law, it is IBERDROLA (hereinafter Iberdrola Group) that signs the

Declaration of Acceptance that appears as Annex I to this contract...". In said
agreement (hereinafter PDP Framework Agreement), the following is indicated:

 In point 1 of “Explain”:
“That the parties have signed a Framework Agreement for the Provision of Services
Corporate which regulates the provision of corporate services of (…)

systems (…) under the Single Corporation Model by IBERDROLA to the
beneficiary Iberdrola Group companies (…)

Point 11 “Therefore, this Data Protection Framework Agreement is established
Personal under which access and processing of personal data is legitimized by

IBERDROLA and the Group Companies (service providers) on behalf of
other Group Companies (recipients of the service), complying with the
different applicable personal data protection legislations, especially
the RGPD and the Spanish legislation that governs the processing of personal data by
part of IBERDROLA”


In the “CLAUSES” section, it is indicated:

SECOND CLAUSE. In its second paragraph it states:

       “(…)”


This Annex, among other services, includes “Operation and support”, “Development” and
“Systems Management”

In CLAUSE SEVEN “Guarantees in the processing of personal data”, it is stated

indicates:

“7.5.- Obligations of the Data Processor.

       e) Security Measures.


       In accordance with the GDPR, apply appropriate technical and organizational measures
       to guarantee an adequate level of risk, taking into account the state of the
       technique, the costs of implementation, and the nature, scope, context and

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/99








       purposes of treatment, as well as risks of varying probability and severity
       for the rights and freedoms of natural persons.
       The security measures to be implemented are those indicated in Annex III of

       this PDP Framework Agreement”

In response to the request for a copy of the record referred to in article 30 of the
RGPD, regarding the personal data processing activities of the aforementioned
companies carried out under its responsibility, IBERDROLA responds:


“The Records of Processing Activities corresponding to the processing operations
"Support and Maintenance of IT Infrastructures” and “Application Development (SWF)”,
carried out by my principal in its capacity as data processor, with respect to various
processing operations of the companies of the Iberdrola Group, among which are those
affected by the security breach:

       • (…)

       • (…)


Likewise, IBERDROLA indicates that “The Systems Management of the Iberdrola Group
manages and operates the physical equipment that houses the information, providing service to
the different companies of the Group”.


NINTH: Risk analysis of the processing affected by the personal data breach


At the request of this AEPD for a copy of the risk analysis on the rights and
freedoms of natural persons carried out, prior to the incident, on the processing
activity that suffered the security breach, both IBERCLI and
CURENERGÍA provided the same document, which is the scheme followed within
the Iberdrola Group for assessing risk in the processing of personal data and
according to which that assessment is carried out:


(…)

Likewise, both companies attach a document explaining the logic followed
for calculating the risk level according to this methodology, called
“Risk Level calculation logic”.

They explain that this methodology is implemented in an automated way in the
group's own corporate tool for recording processing activities, so that
the risk level of the processing is determined in the registration process itself. Thus,
the application of said methodology to the processing (…) resulted in a
MEDIUM risk level.

This document analyzes circumstances or threats in the sense of the
indicated scheme, which are transferred to the Record of Processing Activities.



TENTH: Number of people affected and type of data affected

IBERCLI clients affected: 1,515,000

CURENERGIA clients affected: 92,550

Type of data affected:

       (…)





                           LEGAL GROUNDS


                                           I
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants to each
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

                                           II

                                   Preliminary issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is
processing of personal data, since IBERDROLA
carries out, among other processing operations, the collection, storage, consultation, use,
deletion, etc., of personal data of natural persons, such as: name,
surnames, ID number, postal address, telephone number, email address,
bank details, data relating to electricity supply and consumption, current account,
etc.


IBERDROLA carries out this activity in its capacity as data processor,
in accordance with article 4.8 of the GDPR, since it processes these personal data on
behalf of other companies belonging to the Iberdrola Group, to which it provides, among
others, Support and Maintenance services for IT Infrastructures and Application
Development (SWF). Specifically, in the case at hand, it provides these services
as data processor for, among others, I-DE, CURENERGÍA and IBERCLI.


Article 4(12) of the GDPR broadly defines “personal data breach”
(hereinafter security breach) as “a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to, personal data transmitted, stored or otherwise processed”.

In the present case, there is a personal data security breach in the
circumstances indicated above, categorized as a breach of confidentiality, because
a computer attack has occurred on a web application of one of the companies
of the Iberdrola Group which has caused unlawful access by an unauthorized
third party to personal data of two other companies of the same Group that
were stored in the database shared by different companies
of the group and which is administered and managed by IBERDROLA. Therefore, the
security breach suffered has affected personal data processed by IBERDROLA in its
capacity as data processor.


                                           III
Regarding the request for joinder and the suspension of the deadline to formulate allegations


Regarding the request for joinder of this file with EXP202205206
made by IBERDROLA, it should be noted that article 57 of the LPACAP
establishes:


       “The administrative body that initiates or processes a procedure, whatever
       the form of its initiation, may order, ex officio or at the request of
       a party, its joinder with others with which it maintains a substantial identity or intimate
       connection, provided that the same body must process and resolve the
       procedure.
       There will be no appeal against the joinder agreement.”
       (emphasis is ours)

Therefore, it is a possibility available to the Administration, which is not obliged to
proceed with the joinder if requested. This does not, however, prevent us from
setting out below the reasons why it has been considered appropriate to
process both sanctioning procedures separately.

Thus, although the two sanctioning files, one directed against I-DE and the other against
IBERDROLA, S.A., start from the same security incident (the attack on the GEA
application, an I-DE web application), it has produced two different and
differentiated personal data breaches, as reflected in the Factual Background of the
present proposal, especially in the Eighth Factual Background, which
reviews the information collected during the phase of prior investigation
actions carried out by this AEPD.


Thus, on the one hand, the attack occurred through an I-DE web application,
taking advantage of a vulnerability in it that allowed access to the I-DE
database and which affected the confidentiality of 1,350,000 I-DE clients.
Therefore, the sanctioning procedure related to EXP202205206 is directed exclusively


at I-DE as controller of the personal data of its clients and
as a result of an existing vulnerability in one of its web applications.


On the other hand, not only personal data of I-DE was affected in the cyberattack:
when accessing the I-DE database, which was hosted on a
system in which databases of other companies of the same group coexist, the
attacker, taking advantage of database vulnerabilities, gained access to
the databases of two other companies, IBERCLI and CURENERGÍA, affecting the
confidentiality of the personal data of the clients of the latter two. These different
databases of different companies are hosted on one system
maintained and supported exclusively by IBERDROLA, which, consequently, is
the data processor for all of them, that is, I-DE, IBERCLI and CURENERGÍA.

This fact has led to the initiation of this sanctioning procedure against
IBERDROLA, but only on account of its responsibility as data processor for IBERCLI
and CURENERGÍA, exclusively for the personal data breach that
affected only the personal data of the clients of these two
marketing companies, and only taking into account the responsibility that
IBERDROLA may have regarding the configuration of the database it manages in respect
of these two affected companies.


In this sense, the impact on personal data of clients hosted in I-DE
databases cannot be part of this sanctioning procedure directed
exclusively at IBERDROLA, just as I-DE is not responsible for the
personal data of affected clients who belong to other companies, nor for the possible
failure to adopt adequate measures to protect the confidentiality of
the personal data of other companies hosted in a database managed by
IBERDROLA as data processor.

Therefore, the management of the databases carried out by IBERDROLA with respect
to these third companies must be analyzed independently, without I-DE being able to
answer for possible breaches of data protection regulations
in said management.

Therefore, since the sanctioning procedures are directed at different subjects (two
different companies), since the personal data of clients of different companies is
affected (I-DE having nothing to do with the data of other companies' clients), since the
breaches arise from vulnerabilities or non-compliance in different systems (in one case a
web application of I-DE, in this case a database managed by IBERDROLA), etc.,
this AEPD has not considered joining the two files, but rather
processing the two sanctioning procedures separately, as the responsibility attributed
to each one is clearly separable, and as they deal with different personal
data breaches that affect personal data processed by
different responsible parties.

Likewise, this does not leave IBERDROLA defenseless, because at all times it
knows the facts of which it is accused, the infringement they entail and the
responsibility incurred, and it has had and has the opportunity to
formulate allegations and present whatever documentation it deems appropriate in
defense of its interests, as permitted by applicable legislation.

Finally, regarding the request for suspension of the deadline to formulate allegations
to the Initiation Agreement until a decision is made on the joinder of the two
procedures, it should be noted that this possibility does not exist either in the applicable
data protection regulations (RGPD and LOPDGDD) or in the LPACAP. On the contrary,
what the latter law establishes is that the procedural steps to be
completed by the interested parties are mandatory:

       “Article 73. Compliance with procedural steps.

       1. The procedural steps that must be completed by the interested parties must
       be carried out within a period of ten days from the day following notification of the
       corresponding act, except where the applicable rule
       sets a different deadline.”


Therefore, the request for suspension is not applicable, as this possibility does not legally
exist, nor has it had any effect, the deadline for formulating allegations
consequently not having been suspended.

                                           IV

                   Response to allegations to the Initiation Agreement

In response to the allegations presented, the following is stated:


FIRST: ON THE JOINDER OF PROCEDURES

IBERDROLA reiterates the joinder request again and refers to the request
presented for this purpose on May 24, 2023.

In this regard, it is appropriate to refer to what was argued in the Legal Ground
above, where this question is duly answered.


SECOND. – ON THE SPECIAL CIRCUMSTANCES THAT OCCURRED IN
RELATION TO THE PROCESSING OF THIS FILE AND THE
VIOLATION OF THE PRINCIPLES OF GOOD FAITH, LEGITIMATE EXPECTATIONS AND
LEGAL CERTAINTY

IBERDROLA alleges that this AEPD has violated the principles of legal certainty,
good faith and legitimate expectations established in article 3.2 e) of Law 40/2015, of
October 1, on the Legal Regime of the Public Sector (hereinafter LRJSP), since,
by letter dated April 18, 2022, from the Technological Innovation Division
of the AEPD, it is indicated, in relation to the additional information provided
by I-DE regarding the personal data breach it suffered, that “After analyzing
the additional information provided, the security breach has been updated in the
record of security breach notifications and the initiation of other
actions by this Agency is not expected.” However, later and without any
subsequent action being recorded until the date of the first information request
addressed to I-DE (document signed on July 8, 2022 by the acting Inspector),
from which the initiation by the AEPD of investigative actions is inferred,
without any agreement or decision in this regard.

IBERDROLA understands that this shows that it was not appropriate to carry out
additional investigation related to the breach, since the AEPD, when signing the
aforementioned letter of April 18, considered the statements made
by I-DE, IBERCLI and CURENERGIA to be appropriate, not finding in the breach the concurrence of
any element that would justify carrying out investigative actions
aimed at determining whether there had been an alleged violation of the
data protection regulations.


However, IBERDROLA continues, on May 9, 2022 the AEPD agreed to the
admission for processing of the claims (made prior to April 18,
2022) and the initiation of prior investigation actions, without there appearing in the
file any action or circumstance related to this case that had
been contributed or occurred in the period between April 18 and the date of
admission for processing and that would justify their initiation.

Likewise, IBERDROLA understands that the letter of May 18, 2022 implies that the
AEPD considered that the information received from it about the breach was sufficient
to understand that neither I-DE nor IBERDROLA nor any other of the
entities that had notified the incident bore any responsibility
for an alleged breach of data protection regulations, which
determined the filing of a case that, however, the AEPD decided to open days
later without any indication implying a substantial change in the
nature, circumstances or severity of the breach. From this IBERDROLA concludes that
the AEPD adopted a decision that directly contradicts the previous one adopted
just 20 days before.

In this regard, it should be noted, first of all, that the aforementioned letter of May 18,
2022 was addressed solely to I-DE and in relation to the notifications
made by it to the Technological Innovation Division of this AEPD as a
consequence of a personal data breach it suffered.

Therefore, said document in no way refers to the personal data breach
suffered by IBERCLI and CURENERGIA, for which this sanctioning procedure against
IBERDROLA as their data processor is being processed, however much
IBERDROLA now tries to extend it to this file.


It is stated in the proposed resolution that, nevertheless, and for the sake of completeness of
the above, regardless of whether the personal data breach reported by I-DE
caused the breach suffered by IBERCLI and CURENERGÍA, we proceed to respond to the
erroneous interpretation that IBERDROLA makes of the aforementioned letter.


Thus, said letter is signed generically by the AEPD; it comes from the
Technological Innovation Division, which is responsible for receiving notifications of
personal data breaches and recording them in the registry maintained for this purpose, and it
indicated the following:


       “In relation to the additional information provided through registry entry
       REGAGE22e00010072289, relating to a personal data breach in a
       processing operation of I-DE REDES ELECTRICAS INTELIGENTES S.A.U., we inform
       you that:

       After analyzing the additional information provided, the security breach has
       been updated in the security breach notification log and
       the initiation of other actions by this Agency is not expected.

       However, we remind you of the need to investigate the causes of the incident
       until you understand how and why it happened, and the obligation to take
       timely actions to prevent it from happening again and to minimize the potential
       impact on those affected, as well as the obligation to document any
       security incident that may affect personal data, the
       facts related to it and the corrective measures adopted,
       as established in article 33.5 of the RGPD.

       If over time you obtain indications that imply a substantial change
       in the nature, circumstances or severity of the breach, you may
       make a new complete notification through our electronic office
       https://sedeagpd.gob.es/sede-electronica-web/.

       Likewise, we inform you that at the following link you have at your disposal the
       guide for managing and reporting personal data security breaches
       published by this Agency: https://www.aepd.es/media/guias/guia-
       security-breaches.pdf”


       The heading includes “TECHNOLOGICAL INNOVATION DIVISION”.

       On the left side of the document it is indicated that “Signed electronically by:
       Spanish Data Protection Agency. On 04/18/2022”.

       It is not signed by the Director of the Agency, it has no operative part in
       which something is agreed or resolved, nor does it indicate any appeal against
       it.

Therefore, and contrary to what IBERDROLA affirms, this document has no
decision-making character, neither by its content, which only contains a forecast and which in
no way can be understood as assuming that this AEPD has assessed and decided that neither
I-DE nor IBERDROLA (although we insist that it is addressed exclusively
to I-DE) bore any responsibility for an alleged breach of the regulations on
data protection, which would mean the archiving of some actions - as
IBERDROLA has wished to understand -, nor because of its form, because it does not even
formally reflect a decision, much less a resolution to file
any action, since for this to be so the only competent body is
the current Director of the AEPD. Thus, Article 13 of the AEPD Statute, approved
by Royal Decree 389/2021, of June 1, establishes the functions of the
Presidency:


1. The Presidency of the Spanish Data Protection Agency is responsible for:



       d) Issuing the resolutions and guidelines required for the exercise of the functions
       of the Agency, in particular those derived from the exercise of the powers
       provided for in article 57 of Regulation (EU) 2016/679 of the European
       Parliament and of the Council, of April 27, 2016, and the exercise of the
       investigative and corrective powers provided for in article 58 of the
       cited Regulation.

Therefore, to proceed with the archiving of investigation proceedings, it is required,
first, that they have been initiated (either because a claim has been admitted for processing,
or on the Agency's own initiative, which in both cases requires an express resolution
signed by the Director), which had not happened at the time the
aforementioned document from the Technological Innovation Division was issued, and, secondly,
an express resolution by the Director archiving said actions is again
necessary, on the understanding, now, that the information collected in said
investigations does not reveal the existence of a violation of data protection
regulations; which had not occurred either.

In the present case, after the notification of the personal data breach by
I-DE, CURENERGIA and IBERCLI, several claims were filed by people
affected by it, which were admitted for processing jointly by the
AEPD in compliance with article 64 LOPDGDD:

       Article 64. Form of initiation of the procedure and duration.

       1. When the procedure refers exclusively to the failure to attend to
       a request to exercise the rights established in articles 15 to 22
       of Regulation (EU) 2016/679, it will begin by an agreement of admission for processing,
       which will be adopted in accordance with the provisions of article 65 of this
       organic law.
       In this case, the period to resolve the procedure will be six months
       counted from the date on which the claimant was notified of the agreement of
       admission for processing. After this period, the interested party may consider
       their claim upheld.

       2. When the procedure aims to determine the possible
       existence of a violation of the provisions of Regulation (EU) 2016/679 and
       of this organic law, it will begin through an initiation agreement adopted
       on the Agency's own initiative or as a result of a claim.

       If the procedure is based on a claim made before the Spanish Data
       Protection Agency, the latter will previously decide on its
       admission for processing, in accordance with the provisions of article 65 of this
       organic law.
       When the rules established in article 60 of
       Regulation (EU) 2016/679 apply, the procedure will begin with the adoption
       of the draft agreement to initiate the sanctioning procedure, of which
       formal notice will be given to the interested party for the purposes provided for in article 75
       of this organic law.



       Once the claim is admitted for processing, as well as in the cases in which the
       Spanish Data Protection Agency acts on its own initiative, prior to
       the initiation agreement there may be a phase of prior investigation
       actions, which will be governed by the provisions of article 67 of this
       organic law.

       Article 67. Prior investigation actions.
       1. Before the adoption of the agreement to initiate the procedure, and once
       the claim, if any, has been admitted for processing, the Spanish
       Data Protection Agency may carry out prior investigation actions
       in order to achieve a better determination of the facts and circumstances that
       justify the processing of the procedure.

       The Spanish Data Protection Agency will act in any case when the
       investigation of processing operations involving massive traffic of
       personal data is required.

       2. Prior investigation actions will be subject to the provisions of
       Section 2 of Chapter I of Title VII of this organic law and may not last
       longer than twelve months from the date of the agreement of
       admission for processing or the date of the agreement by which their initiation is decided
       when the Spanish Data Protection Agency acts on its own initiative
       or as a consequence of the communication sent to it by the
       supervisory authority of another Member State of the European Union, in accordance with
       article 64.3 of this organic law. (emphasis is ours)


From said regulations it is in no way inferred that the AEPD has to justify,
in the manner that IBERDROLA requires, the initiation of prior actions in the sense that
there must be something new or some new circumstance, or that the claims
must have provided new and different circumstances with respect to the
documentation provided by I-DE in its notification of the breach to this Agency, since
this is not required by the indicated regulations, in addition to the fact that those
affected cannot be expected to contribute anything new, apart from knowing that the
confidentiality of their personal data has been affected by a cyberattack, the circumstances of which
they do not know.


Precisely, prior investigation actions are carried out to clarify the
facts and circumstances of what happened, gathering more information in order to
be able to determine whether or not a possible violation of the data protection
regulations exists. In this sense, the initiation of prior investigations and
their performance, a power of the AEPD with or without claims, does not prejudge anything, but
rather allows gathering the information necessary to determine whether or not there are indications of
infringement. Even after said investigation, the proceedings may be archived
on the understanding, in view of the information collected, that there are no indications of
infringement. Which, in the present case, has not happened.


What the regulations do indicate is that, after the presentation of claims, this
Agency must decide whether or not to admit them for processing, having finally decided on their
admission through, this time, an Agreement of Admission for processing, signed by the
Director of the Agency and dated May 9, 2022. And, as indicated in article 67.2
of the referenced LOPDGDD, the AEPD may carry out prior investigation
actions in order to achieve a better determination of the facts and
circumstances. It is a power attributed to it by the RGPD and the LOPDGDD.

Likewise, and furthermore, even if no claims had existed,
the document from the Technological Innovation Division would not
have been an obstacle to the exercise of the investigative powers that the AEPD has
in accordance with the aforementioned article 64.2, which
determines that “Once the claim is admitted for processing, as well as in the cases in which
the Spanish Data Protection Agency acts on its own initiative, prior
to the initiation agreement there may be a phase of prior investigation
actions…"

Therefore, this sanctioning procedure has not been initiated because of the content of,
or any new information provided in, the claims, but because of the information and
documentation obtained after the period of prior investigation actions, from which
possible violations of data protection regulations can be inferred.

On the other hand, IBERDROLA brings up the Supreme Court's ruling of February 22,
2016 (appeal 4048/2013), understanding that it is fully applicable to the
case, which indicates:


       “According to the facts briefly stated, we can consider that
       legitimate expectations have been infringed, since the Administration cannot adopt
       decisions that contravene the prospects and hopes founded on the
       Administration's own previous decisions. When trust is placed in the
       stability of its criteria, evidenced in multiple previous acts in the
       same sense, which leads the administered party to adopt certain decisions,
       trust is generated based on the consistency of administrative
       behavior, which cannot be betrayed by a surprising
       act. […]
       It is worth bearing in mind that legitimate expectations require, ultimately, the
       concurrence of three essential requirements. Namely, that they are based on
       undeniable and external signs (1); that the hopes generated in the administered party
       must be legitimate (2); and that the final conduct of the Administration is
       contradictory with previous acts, being surprising and incoherent (3).
       Exactly what happens in the case examined, based on the facts
       previously reported.
       Let us remember that, with respect to legitimate expectations, we have been
       repeatedly declaring, for all, in the Judgment of December 22, 2010
       (contentious-administrative appeal no. 257/2009), that << the principle of good faith
       protects the legitimate trust that may reasonably have been placed in
       the behavior of others and imposes the duty of coherence in one's
       own behavior. Which is to say that the principle implies the
       requirement of a duty of behavior that consists of the need
       to observe, with a view to the future, the behavior that previous acts predicted and
       to accept the binding consequences that arise from one's own actions,
       constituting a case of injury to the legitimate expectations of the parties
       "venire contra factum proprium" >> (emphasis added)

In this regard, it should be noted that the doctrine established therein does not
apply to the present case, since, as indicated above, there has been no
decision of this Administration, neither by its form nor by its content, nor has any
confidence in the stability of its criteria been created, since there has been no
criterion in this regard, much less one evidenced in multiple previous acts in the
same sense, so that the action of this Agency in relation to what is alleged has not
constituted a final conduct contradictory with previous acts that is
surprising or incoherent, in the sense of the Court's doctrine.


Finally, regarding IBERDROLA's reference to the fact that the
Agreement of the Director of the AEPD, of May 9, 2022, admitting for
processing the claims made against IBERCLI, refers to
file AT/02233/2022, of which IBERDROLA indicates that it does not know what this
file is, requesting that it be indicated whether any other type of procedure
has been opened against it to whose file it has not been given access,
it should be noted that the claims received from those affected by the personal data
breach suffered are grouped under the aforementioned file, which were admitted for
processing jointly through the aforementioned Agreement, without this implying any
file or procedure directed against IBERDROLA or against any of the
member companies of the Iberdrola Group.

In this regard, it is recalled again that said claims, being based on
a personal data breach, are only admitted for processing, and this
entails, as has been pointed out, the possibility of initiating investigative actions
to clarify the facts and everything that happened, it being the documentation
and everything collected during said actions that has motivated, exclusively, the
initiation of this sanctioning procedure, and not the aforementioned claims, which
therefore are not part of this procedure. Likewise, it is reported that no
further processing is carried out beyond communicating (not
notifying) to the claimants the initiation, in this case, of a sanctioning procedure and
also the resolution issued in it.


For the above reasons, the allegation made is rejected.


THIRD.- ON THE ADDITIONAL INFRINGEMENT OF THE PRINCIPLES OF
SANCTIONING LAW ARISING FROM THE INTERPRETATION MADE
BY THE AEPD

IBERDROLA alleges in this section that the Initiation Agreement incurs significant
violations of the principles of administrative sanctioning law, since it implies
the imposition of two infractions whose content is, in reality, identical or with respect to
which, at least, the subsumption of one in the other can be appreciated:

1. Violation of the non bis in idem principle


IBERDROLA alleges that in the Initiation Agreement the AEPD considers that the security
measures implemented by it have not, in its opinion, been adequate and that this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/99








implies a double violation of the GDPR: on the one hand, it understands that IBERDROLA has not adopted the appropriate technical and organizational measures required by article 32 of the GDPR; and, on the other hand, it considers that the principle of security has been violated, supposedly breaching article 5.1 f) of the GDPR, of which article 32 is nothing more than a mere concretion.

IBERDROLA understands that this means that two different sanctions are imposed: one for considering that it lacks adequate security measures, and another because the AEPD understands that, due to the lack of such measures, a breach of confidentiality of personal data occurred. Furthermore, for both alleged infringements it establishes circumstances modifying IBERDROLA's liability that are identical in every respect, both in their determination and in the legal basis for their imposition.


IBERDROLA points out that it follows that the AEPD considers that the same fact (the alleged insufficiency of security measures) would constitute two infringements of the same protected legal interest (the adequate guarantee of the rights and freedoms of the data subjects). This is because it would sanction, on the one hand, the absence of the security measures that the AEPD considers necessary to adopt and, on the other, the breach of the principle of security and confidentiality, which requires the adoption of such measures.

Therefore, IBERDROLA maintains that, since the triple identity of subject, fact and protected legal interest is present, there is no doubt that the non bis in idem principle has been violated, so it would only be possible to charge and punish a single infringement, which in this case would only be that of article 32, since only the supposed insufficiency of security measures could be appreciated.

Faced with this, it is necessary to explain the difference between the violation of art. 5.1.f) and that of article 32 of the GDPR, which will be expanded in the following point regarding the allegation of medial concurrence of offences (concurso medial), as well as their different classification, in different sections, in art. 83 of the GDPR and their different qualification for the purposes of limitation periods in the LOPDGDD.

Art. 5.1.f) of the GDPR is violated when there is a loss of confidentiality, integrity or availability of personal data, which may or may not occur due to the absence or deficiency of security measures.

This principle only determines the channel through which confidentiality, integrity or availability are to be maintained when it states "through the application of appropriate technical and organizational measures", which are not strictly security measures.

IBERDROLA indicates that the appropriate technical and organizational measures to which art. 5.1.f) GDPR refers are the security measures of art. 32 of the GDPR. This would be to oversimplify the essence of the GDPR, compliance with which is not limited to the implementation of technical and organizational security measures; it would mean, in our case, reducing the guarantee required by the principle of integrity and confidentiality to its achievement through security measures alone.


When art. 5.1.f) of the GDPR refers to appropriate technical or organizational measures to guarantee the rights and freedoms of the data subjects within the framework of the management of regulatory compliance with the GDPR, it does so in the sense provided in art. 25 of the GDPR regarding privacy by design.

This precept determines that,

       "Taking into account the state of the art, the cost of implementation and the
       nature, scope, context and purposes of the processing, as well as the risks of
       varying likelihood and severity that the processing entails for the rights and
       freedoms of natural persons, the controller shall implement, both at the time
       of determining the means of processing and at the time of the processing itself,
       appropriate technical and organizational measures, such as pseudonymization,
       designed to implement data protection principles, such as data minimization,
       in an effective manner and to integrate the necessary safeguards into the
       processing, in order to meet the requirements of this Regulation and protect
       the rights of data subjects" (emphasis is ours)

It should be noted that there are multiple technical or organizational measures that are not security measures and that the controller can implement as a channel to guarantee this principle.

However, art. 32 of the GDPR includes the obligation to implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Of security. Only security.

Furthermore, its objective is to guarantee a level of security appropriate to the risk regardless of whether a security breach has occurred, whereas in the case of article 5.1.f) of the GDPR the violation concerns confidentiality and integrity and materializes, in this case, with the loss of confidentiality of the data. As can be seen, the two articles pursue different purposes, although they may be related.

Turning now fully to the examination of the non bis in idem principle, the Judgment of the Audiencia Nacional (National High Court) of July 23, 2021 (rec. 1/2017) provides that,


"(…) In accordance with the legislation and case law set forth, the non bis in idem principle prevents punishing the same subject twice for the same act on the basis of the same foundation, the latter understood as the same legal interest protected by the sanctioning rules in question. In fact, when the triple identity of subject, fact and foundation is present, the sum of sanctions creates a sanction unrelated to the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But in order to speak of 'bis in idem' a triple identity must exist between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing):

a) Subjective identity assumes that the affected subject must be the same, regardless of the nature of the judicial or administrative authority that prosecutes and

irrespective of who the accuser or the specific body that resolved is, or whether the subject is tried alone or together with other affected parties.


b) Factual identity assumes that the facts prosecuted are the same, and rules out cases of real concurrence of infringements in which we are faced not with the same unlawful act but with several.

c) The identity of foundation or cause implies that the sanctioning measures cannot coincide if they respond to the same nature, that is, if they share the same teleological foundation, which is what happens between criminal and administrative sanctions, but not between the punitive and the merely coercive."

Taking as reference what was previously explained, the non bis in idem principle has not been violated, since, although broadly understood the facts are detected as a consequence of a personal data breach, the violation of art. 5.1.f) of the GDPR takes the form of a clear loss of confidentiality and availability, whereas the violation of art. 32 of the GDPR boils down to the absence and deficiency of the security measures (security only) detected, which exist regardless of the personal data breach.


And all this in the face of the allegations made by IBERDROLA, which considers that both precepts require a single conduct, namely implementing appropriate security. This is not true, since art. 5.1.f) of the GDPR is not restricted to guaranteeing security appropriate to the risk, but rather to guaranteeing integrity and confidentiality. And not only through security measures, but through all kinds of appropriate technical or organizational measures.

As has been indicated, art. 5.1.f) of the GDPR sanctions a loss of integrity and confidentiality, and art. 32 of the GDPR the absence and/or deficiency of the security measures implemented by the controller. Absent or deficient security measures, we add, that violate the GDPR regardless of whether or not a loss of confidentiality and integrity has occurred.

Finally, regarding the application of identical aggravating factors in both infringements, we must point out that the circumstances provided for in art. 83.2 of the GDPR and those provided in art. 76.2 of the LOPDGDD are the only ones that the AEPD can apply for any infringement.

The determining factor in this case, with respect to that provided for in art. 83.2.b) of the GDPR, is not that they coincide in their use, but rather the foundation established for their consideration.

Having said all that, it is not considered that there is a violation of the non bis in idem principle, enshrined in article 25 of the Spanish Constitution.


2. Subsidiarily, existence of medial concurrence between the two conducts imputed to IBERDROLA


IBERDROLA alleges that, on the other hand, the Initiation Agreement identifies (and intends to sanction) a plurality of infringements that it would supposedly have committed (which is flatly denied) when, in reality, one of them would be subsumed and embedded in the other, giving rise to a medial concurrence in the terms provided in article 29.5 of the LRJSP.

IBERDROLA understands that both infringements cannot be sanctioned, given that the commission of the alleged violation of article 32.1 of the GDPR would determine the alleged violation of article 5.1.f) of the same legal text and would be sanctioned for the same facts, since it considers that the alleged violation of article 5.1 f) would necessarily and inseparably derive from the alleged lack of diligent implementation of the measures referred to in article 32.1 of the GDPR.

IBERDROLA brings up certain case law (for all, Judgment 339/2015 of September 25, 2015 of the Audiencia Nacional, appeal 262/2014, which cites the Supreme Court Judgment of February 8, 1999, appeal 9/1996): "the application of the medial concurrence requires a necessary link of some infringements with respect to the others and vice versa, so it is essential that some cannot be committed without executing the others." Thus, there must exist "such a relationship between the infringements concerned that one of them necessarily derives from the other, so that the commission of one is not possible without executing the other" (for all, the Judgment of the Audiencia Nacional of December 26, 2013, appeal 416/2012). Thus I-DE concludes that it is evident that such a relationship exists between the two infringements of which it is accused.


In this regard, it should be noted, as indicated above, that art. 32 of the GDPR, although related to art. 5.1.f) of the GDPR, does not circumscribe the principle in its entirety.

Thus, Article 5.1.f) of the GDPR is one of the principles relating to processing. The principles relating to processing are, on the one hand, the starting point and the closing clause of the legal data protection system, constituting true informing rules of the system with an intense expansive force; on the other hand, as they have a high level of specificity, they are mandatory standards that are susceptible of being infringed.


Well, art. 5.1.f) of the GDPR includes the principle of integrity and confidentiality and determines that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures of all kinds, not just security measures.

Moreover, art. 32 of the GDPR regulates the security of processing in relation to the specific security measures that must be implemented, such that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the

risk, which includes, among other issues, the ability to ensure the confidentiality of the data.


As has been noted, this provision, art. 32 of the GDPR, although related to art. 5.1.f) of the GDPR, does not circumscribe the principle in its entirety. Art. 5.1.f) of the GDPR strictly requires that confidentiality be guaranteed, and its application requires a loss of confidentiality. We can find cases in which there are inadequate measures without a loss of integrity and confidentiality resulting.


Proof of this is not only this difference between the violation of art. 5.1.f) and that of article 32 of the GDPR, but also their different classification, in different sections, in art. 83 of the GDPR and their different qualification for the purposes of limitation periods in the LOPDGDD.


In the case examined, as stated in the proven facts, there is a clear loss of confidentiality revealed through a clear result: unlawful access by an unauthorized third party to personal data took place.

Likewise, as has been indicated, art. 5.1.f) of the GDPR is violated when a loss of confidentiality or integrity of personal data occurs, which may or may not be due to the absence or deficiency of strictly security measures.

This principle only determines the channel through which confidentiality, integrity or availability are to be maintained when it states "through the application of appropriate technical and organizational measures", which are not strictly security measures.

IBERDROLA indicates that the appropriate technical and organizational measures to which article 5.1.f) refers are the security measures of art. 32 of the GDPR. This would be to oversimplify the essence of the GDPR, compliance with which is not limited to the implementation of technical and organizational security measures; it would mean, in our case, reducing the guarantee required by the principle of integrity and confidentiality to its achievement through security measures alone.


As noted above, when art. 5.1.f) of the GDPR refers to appropriate technical or organizational measures to guarantee the rights and freedoms of data subjects within the framework of GDPR regulatory compliance management, it does so in the sense provided in art. 25 of the GDPR regarding privacy by design.


We reiterate that there are multiple technical or organizational measures that are not security measures and that the controller can implement as a channel to guarantee this principle.



And all this in the face of the allegations made to the contrary by IBERDROLA, which considers that both precepts require a single conduct, namely implementing adequate security. This is not true, since art. 5.1.f) of the GDPR is not restricted to

guaranteeing security appropriate to the risk, but rather to guaranteeing integrity and availability. And not only through security measures, but through all kinds of appropriate technical or organizational measures.

As we have indicated, art. 5.1.f) of the GDPR sanctions a loss of integrity and confidentiality, and art. 32 of the GDPR the absence and deficiency of the security measures implemented by the controller. Absent or deficient security measures, we add, that violate the GDPR regardless of whether or not a loss of confidentiality and integrity has occurred.


In the present case, the aforementioned article 32 has been violated regardless of whether a breach of confidentiality was ultimately suffered or not, because the reprehensible conduct that violates said precept is the lack or inadequacy of those measures, in themselves; that is, it is infringed and punished for that regardless of whether or not a personal data breach has occurred. This does not prevent, in the event of a personal data breach materializing, that circumstance from being taken into account as an aggravating circumstance, in accordance with the GDPR.

On the other hand, in the present case, for there to be a violation of article 5.1.f) it has been and is an unavoidable requirement that the confidentiality of the personal data be violated (which is not the case with the violation of article 32).


Regarding the medial concurrence, it should be noted that article 29 of the LRJSP is not applicable to the sanctioning regime imposed by the GDPR. This is because:

 1. The GDPR is a complete system.


The GDPR is an EU rule directly applicable in the Member States, which contains a new, complete and global system intended to guarantee the protection of personal data in a uniform manner throughout the European Union.

In relation, specifically and also, to the sanctioning regime provided therein, its provisions are applicable immediately, directly and integrally, providing a complete system without gaps that must be understood, interpreted and integrated in an absolute, complete and integral manner, its ultimate purpose being the effective and real guarantee of the fundamental right to the protection of personal data. The opposite leads to the loss of guarantees of the rights and freedoms of citizens.


In fact, a specific example of the absence of gaps in the GDPR system is article 83 of the GDPR, which determines the circumstances that can operate as aggravating or mitigating circumstances with respect to an infringement (art. 83.2 of the GDPR) and specifies the existing rule regarding a possible medial concurrence (art. 83.3 of the GDPR).


To the above we must add that the GDPR does not allow the development or implementation of its provisions by the legislators of the Member States, except for what the European legislator itself has specifically provided for, delimiting it very specifically (for example, the provision of art. 83.7 of the GDPR). The LOPDGDD only

develops or specifies some aspects of the GDPR as far as it allows and with the scope that it allows.


This is because the intended purpose of the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of natural persons, corrects conduct contrary to the GDPR, encourages compliance and enables the free movement of such data.

In this sense, recital 2 of the GDPR determines that,


"(2) The principles and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons." (emphasis is ours)

Recital 13 of the GDPR goes on to indicate that,


"(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data." (emphasis is ours)


In this system, the determining factor of the GDPR is not the fines. The corrective powers of the supervisory authorities provided for in art. 58.2 of the GDPR, read together with the provisions of art. 83 of the GDPR, show the prevalence of corrective measures over fines.


Thus, art. 83.2 of the GDPR says that "Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2)."

In this way the corrective measures, which are all those provided for in art. 58.2 of the GDPR except the fine, prevail in this system, the financial fine being relegated to cases in which the circumstances of the specific case determine that a fine be imposed together with corrective measures or instead of them.

And all this with the purpose of enforcing compliance with the GDPR, avoiding non-compliance, encouraging compliance and ensuring that non-compliance is not more profitable than compliance.


For this reason, art. 83.1 of the GDPR provides that "Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive." (emphasis is ours)


For this system to work with all its guarantees, several elements must be deployed in an integral and complete manner. The application of rules foreign to the GDPR regarding the determination of fines in each of the Member States applying their national law, whether due to aggravating or mitigating circumstances not provided for in the GDPR (or in the LOPDGDD in the Spanish case), or due to the application of a medial concurrence different from that provided in the GDPR, would deprive the system of effectiveness; it would lose its meaning and its teleological purpose, with the result that the fines imposed for different violations would no longer be effective, proportionate and dissuasive. In this way the data subjects would also be deprived of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. It would weaken the mechanisms for the protection of the rights and freedoms of citizens and would be contrary to the spirit of the GDPR.

The GDPR is endowed with its own principle of proportionality, which must be applied in its strict terms.

2. There is no legal gap, and no supplementary application of art. 29 of the GDPR.


In addition to the above, it should be noted that there is no legal gap regarding the application of the medial concurrence. Neither does the GDPR allow, nor does the LOPDGDD provide for, the supplementary application of the provisions of art. 29 of the LRJSP.

There is also no subsidiary application of art. 29 of the GDPR. In Title VIII of the LOPDGDD, regarding "Procedures in case of possible violation of data protection regulations", article 63, which opens the Title, provides that "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." Although there is a clear referral to the LPACAP, it in no way establishes a subsidiary application with respect to the LRJSP, which contains in its articles no provision whatsoever relating to administrative procedure.


In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in art. 29 of the LRJSP, since the GDPR establishes its own, so that there is no legal gap or subsidiary application of them, neither is it possible to apply the section relating to medial concurrence, for identical reasons.


In any case, the judicial precedents cited by the party regarding medial concurrence stem from the application of the LOPD of 1999, which transposed Directive 95/46/EC, whereas the GDPR establishes a clearly different system. At that time, article 115 of Royal Decree 1720/2007, of December 21, approving the Regulation implementing Organic Law 15/1999, of December 13, on the protection of personal data, did provide for a supplementary application of Law 30/1992, of November 26, on the Legal Regime of Public Administrations and Common Administrative Procedure.

Thirdly, and now focusing on the specific case examined, and without prejudice to the above, it should be noted that there is no medial concurrence. Article 29.5 of the LRJSP establishes that "When the commission of one infringement necessarily results in the commission of another or others, only the sanction corresponding to the most serious infringement committed shall be imposed."

Well, medial concurrence takes place when, in a specific case, the commission of one infringement is a necessary means to commit a different one.

The established facts determine the commission of two different infringements, without the violation of article 32 of the GDPR (security of processing) being, as the appellant claims, the necessary means by which the violation of article 5.1.f) of the GDPR (principle of confidentiality) was committed.


In conclusion, from all this and against everything argued, it has been proven that I-DE was not diligent because it did not adequately guarantee the confidentiality of the personal data of its clients, and also that it did not have the appropriate technical and organizational measures to ensure an appropriate level of security.


For the above reasons, the allegation is rejected.

FOURTH.- REGARDING THE ALLEGED VIOLATION BY IBERDROLA OF ARTICLE 32 OF THE GDPR


IBERDROLA alleges that it does not accept that the Initiation Agreement indicates that it did not have the appropriate security measures to guarantee complete separation between the personal data of the different companies for which it acts as processor, since it maintains that, as demonstrated in the responses given to the AEPD in the various information requests, it has been proven that it had implemented robust security systems that (…).

IBERDROLA proceeds below to detail again how the information contained in the database is accessed by the different applications.

Thus, as indicated, the database where the personal data of the clients of the different companies of the Iberdrola Group is stored is (…).

However, (…)

(…):

       -(…).

       -(…).



Therefore, although it is indicated that the client code is not accessible to users, it is no less true that, if a transaction is generated against the CUSTOMER table using the "client code", that transaction does not have the prior "Company Code" filter, and then personal data from other companies can indeed be accessed once the client code indicated in the URL corresponds to the client of another company with which there is only this logical separation. Therefore, by modifying the client code in the URL of this web application, access was being allowed to personal data of clients of other companies with which there is no relationship and whose confidentiality must be safeguarded against unauthorized third parties.


That is, with or without a cyberattack, what is reflected is that, by modifying that code in the URL, the implemented logical separation was circumvented. Therefore, it was not appropriate, or was insufficient, which represents a violation of art. 32, as it reflects a lack or insufficiency of appropriate measures to ensure adequate security, according to the risk, in the processing of personal data.


IBERDROLA seems to maintain that the responsibility for this lies with the cybercriminal for taking advantage of a vulnerability in a web application. However, if the logical separation had been adequate (or if physical separation had existed), the attack would have been restricted exclusively to I-DE clients. The vulnerability exploited by the attacker was that the client code was displayed in the URL and that, in addition, it was possible to modify said URL, making calls to the CUSTOMER table and thus accessing the personal data stored in that table.

That this later also allowed access to personal data of clients of other companies is a consequence of a poor logical separation in the database. This deficiency lies precisely in allowing GEA's internal code, the "COD_CLIENTE", to generate transactions against the CLIENT table without the prior "Company Code" filter. This was allowed because that is how it was set up (and, according to IBERDROLA's statements, it is also set up this way in the applications of the rest of the companies that share the CUSTOMER table and the same logical separation).

Therefore, the cybercriminal did not exploit that vulnerability in the logical separation of the affected table, but ran into it.


In this sense, it is not acceptable that, under any circumstances, the personal data of clients of other companies can be accessed from an application of one company. This is the responsibility of IBERDROLA since, as processor, it manages the Group's database.
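To make the deficiency described above concrete, the following is an added example in Python with SQLite; it is not code from the decision, from Iberdrola or from the GEA portal. It places a lookup keyed only by COD_CLIENTE, as the decision describes, beside a lookup that always carries the calling company's code as the prior filter. The table name CUSTOMER and the column COD_CLIENTE come from the decision; the COMPANY_CODE, NAME and EMAIL columns, the company codes DIST and RETAIL, and the sample rows are assumptions constructed for the example.

```python
"""Company-scoped access to a shared CUSTOMER table (added example).

Models the deficiency the AEPD describes: a transaction keyed only by the
client code (COD_CLIENTE) against a table shared by several group companies,
with no prior "Company Code" filter, so a client code taken from the URL
reaches rows belonging to other companies. The hardened form binds every
query to the company code of the calling application. Column names other
than COD_CLIENTE, company codes and sample rows are assumptions.
"""
import sqlite3
from typing import Optional, Tuple

Row = Tuple[str, str, str, str]

# Constructed sample data: two companies sharing one CUSTOMER table.
SAMPLE_ROWS = [
    ("C-0001", "DIST", "Ana", "ana@example.invalid"),
    ("C-0002", "DIST", "Luis", "luis@example.invalid"),
    ("C-0003", "RETAIL", "Marta", "marta@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory CUSTOMER table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CUSTOMER ("
        " COD_CLIENTE TEXT PRIMARY KEY,"
        " COMPANY_CODE TEXT NOT NULL,"
        " NAME TEXT NOT NULL,"
        " EMAIL TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO CUSTOMER VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unscoped(conn: sqlite3.Connection, cod_cliente: str) -> Optional[Row]:
    """Deficient pattern: the only predicate is the client code from the URL.

    A code that belongs to another company's client is returned just the
    same, because nothing ties the query to the calling company. This is the
    logical separation that the decision says was circumvented.
    """
    cur = conn.execute(
        "SELECT COD_CLIENTE, COMPANY_CODE, NAME, EMAIL FROM CUSTOMER"
        " WHERE COD_CLIENTE = ?",
        (cod_cliente,),
    )
    return cur.fetchone()


class CompanyScopedCustomers:
    """Hardened pattern: every query carries the caller's company code.

    The company code is fixed when the object is created, from server-side
    configuration of the application that owns it; nothing in the request
    can change it. A request for a client of another company returns
    nothing and is counted, so cross-company attempts show up in monitoring
    instead of silently succeeding.
    """

    def __init__(self, conn: sqlite3.Connection, company_code: str):
        self._conn = conn
        self._company = company_code
        self.denied = 0  # cross-company lookups refused (detection signal)

    def _owner_of(self, cod_cliente: str) -> Optional[str]:
        # Only the owning company code is read here, no personal data.
        cur = self._conn.execute(
            "SELECT COMPANY_CODE FROM CUSTOMER WHERE COD_CLIENTE = ?",
            (cod_cliente,),
        )
        row = cur.fetchone()
        return row[0] if row else None

    def lookup(self, cod_cliente: str) -> Optional[Row]:
        owner = self._owner_of(cod_cliente)
        if owner is not None and owner != self._company:
            self.denied += 1
            return None
        # The prior Company Code filter the decision found missing: both
        # predicates are always present, so a returned row must be ours.
        cur = self._conn.execute(
            "SELECT COD_CLIENTE, COMPANY_CODE, NAME, EMAIL FROM CUSTOMER"
            " WHERE COMPANY_CODE = ? AND COD_CLIENTE = ?",
            (self._company, cod_cliente),
        )
        return cur.fetchone()


def demo() -> Tuple[Optional[Row], Optional[Row], Optional[Row], int]:
    """Same URL parameter against both patterns from the DIST application."""
    conn = build_db()
    leaked = lookup_unscoped(conn, "C-0003")      # RETAIL client, returned anyway
    dist = CompanyScopedCustomers(conn, "DIST")
    blocked = dist.lookup("C-0003")               # refused and counted
    own = dist.lookup("C-0001")                   # DIST's own client, returned
    return leaked, blocked, own, dist.denied


if __name__ == "__main__":
    print(demo())
```

The point of the scoped class is that the company code is a property of the application issuing the query, set from server-side configuration, so a client code edited in the URL can at most select among that company's own rows. The `denied` counter is the detection side: legitimate applications have no reason to request other companies' client codes, so a rising count of refused cross-company lookups from one application is worth alerting on.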


On the other hand, IBERDROLA alleges that the AEPD has linked the alleged non-compliance with article 32 to the production of a result that occurred as a consequence of the concurrence of a series of factors that were unforeseeable and that were detected and resolved immediately. It concludes, therefore, that the

AEPD is imposing, with regard to the adoption of security measures, an obligation of result, when it is nevertheless an obligation of means.


In this regard, it brings up what was stated by the Supreme Court in its judgment of February 15, 2022 (cassation appeal 7359/2020), which clearly states that the obligation imposed by personal data protection regulations to adopt technical and organizational measures aimed at guaranteeing the confidentiality, availability and integrity of the information is an obligation of means and not of result.


In this regard, it should be noted that the aforementioned Judgment effectively indicates, regarding security measures in data protection, that "… the obligation that falls on the controller and on the processor with respect to the adoption of the necessary measures to guarantee the security of personal data is not an obligation of result but of means, without infallibility of the measures adopted being enforceable. Only the adoption and implementation of technical and organizational measures can be required which, according to the state of the art and in relation to the nature of the processing carried out and the personal data in question, reasonably allow their alteration, loss, unauthorized processing or access to be avoided." (emphasis is ours)


However, the Judgment goes on to state, in the specific case it examined, that "... the program used to collect customer data contained no security measure making it possible to check whether the e-mail address entered was real or fictitious and whether it really belonged to the person whose data were being processed and who gave consent for that processing. The state of the art at the time of the events made it possible to establish measures aimed at verifying the veracity of the e-mail address, making the continuation of the process conditional on the user receiving the contract at the address provided and giving, only from that address, the consent necessary for its collection and processing. Those measures were not adopted in this case.

(…) Thus, at the time of the events, technical measures relating to the registration process existed which would have prevented the leak of personal data that occurred. This means that the technical measures adopted did not meet the security conditions required by Article 9.1 of Organic Law 15/1999, thereby committing the infringement provided for in Article 44.3.h), which consists of 'maintaining files, premises, programs or equipment containing personal data without the security conditions determined by regulation [...]'.

(…) It is argued that the technical security measures relating to the IT program were the responsibility of Telefónica Consumer Finance, which designed the program and was the controller of the file and of the processing, and that the sanctioned company merely acted on its behalf, collecting the data of customers who opted for financing. The fact is that the processor, that is, the natural or legal person which, alone or jointly with others, processes personal data on behalf of the controller (Article 4(8) of the Regulation, as well as Article 3.g) of LOPD 15/1999, the collection of data constituting processing under Article 3.c)), must also adopt the technical and organisational measures necessary to guarantee the security of personal data, as provided in Article 32.1 of Regulation (EU) 2016/679 of the Parliament and of the Council and Article 9.1 of the LOPD, and is subject to the sanctioning regime established by the Law (Article 43 of LOPD 15/1999).

The appellant company processed customer data on behalf of the controller of the file, so it implemented and used that program knowing, or having been obliged to know, that it lacked the necessary security measures..." (emphasis is ours)


Therefore, although it follows from the Judgment that the obligations established by Article 32 of the GDPR are obligations of means, it also makes clear that, if at the time the incident occurred adequate technical measures existed to avoid or mitigate its effects and they were not applied, this constitutes a breach of the obligation imposed by the GDPR and, therefore, an infringement of it.

In the present case, as has been pointed out, there was a vulnerability or misconfiguration in the access to the database managed by IBERDROLA as processor, which was moreover avoidable, because access could have been configured differently or, as IBERDROLA has indicated it plans to do, the systems that use the common data-centre infrastructure could have been separated, that is, the personal data of the affected companies could have been stored in exclusive and separate tables.
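As an added illustration (not part of the AEPD decision, and not IBERDROLA's actual schema or code), the following Python example models the two designs the decision contrasts: a single CUSTOMER table shared by several companies, in which the only thing separating one company's rows from another's is a company column that every application query has to remember to filter on, and per-company tables that leave a given company's access path with nothing belonging to the others. The table names, columns, client codes and sample rows are constructed for the example. It also includes the check a practitioner would want after a separation of this sort: counting the rows reachable from one company's access path that belong to another company, which should be zero.

```python
import sqlite3

# Constructed sample data for the example: three companies whose customer
# records live in one database. Names, codes and addresses are invented.
COMPANIES = ("I-DE", "IBERCLI", "CURENERGIA")
SAMPLE_ROWS = [
    ("I-DE", "C-1001", "Ana Pérez", "ana@example.org"),
    ("I-DE", "C-1002", "Luis Gómez", "luis@example.org"),
    ("IBERCLI", "C-2001", "Marta Ruiz", "marta@example.org"),
    ("IBERCLI", "C-2002", "Jorge Díaz", "jorge@example.org"),
    ("CURENERGIA", "C-3001", "Elena Sanz", "elena@example.org"),
]


def build_shared_db():
    """Weak design: one CUSTOMER table for all companies, separated only
    logically by the 'company' column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (company TEXT NOT NULL, client_code TEXT NOT NULL,"
        " name TEXT, email TEXT, PRIMARY KEY (company, client_code))"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def shared_lookup(conn, client_code):
    """Application query of the kind the decision describes: parameterised,
    so no injection, but it never restricts the tenant, so any company's
    application can read any other company's row."""
    return conn.execute(
        "SELECT company, client_code, name, email FROM customer WHERE client_code = ?",
        (client_code,),
    ).fetchall()


def scoped_lookup(conn, company, client_code):
    """Same shared table with the tenant predicate applied on the read.
    The separation now depends on every access path remembering this
    predicate, which is exactly what failed in the decision."""
    return conn.execute(
        "SELECT company, client_code, name, email FROM customer"
        " WHERE company = ? AND client_code = ?",
        (company, client_code),
    ).fetchall()


def table_for(company):
    """Map a company to its exclusive table (constructed naming). Limited to
    the known list so the identifier can never come from untrusted input."""
    if company not in COMPANIES:
        raise ValueError(f"unknown company: {company}")
    return "customer_" + company.lower().replace("-", "_")


def build_separated_db():
    """Alternative the decision mentions: one exclusive table per company.
    In a real DBMS each company's application account would additionally be
    granted access only to its own table; SQLite has no grants, so only the
    data layout is shown here."""
    conn = sqlite3.connect(":memory:")
    for company in COMPANIES:
        conn.execute(
            f"CREATE TABLE {table_for(company)} (client_code TEXT PRIMARY KEY,"
            " name TEXT, email TEXT)"
        )
    for company, code, name, email in SAMPLE_ROWS:
        conn.execute(
            f"INSERT INTO {table_for(company)} VALUES (?, ?, ?)", (code, name, email)
        )
    return conn


def separated_lookup(conn, company, client_code):
    """Read from the company's own table; rows of other companies are not
    reachable from this path at all."""
    rows = conn.execute(
        f"SELECT client_code, name, email FROM {table_for(company)} WHERE client_code = ?",
        (client_code,),
    ).fetchall()
    return [(company, *row) for row in rows]


def cross_tenant_reachable(conn, company, lookup):
    """Check: how many rows belonging to other companies can this company's
    access path return? Probes every client code in the data set through
    lookup(conn, company, client_code)."""
    leaked = 0
    for _, code, _, _ in SAMPLE_ROWS:
        for found_company, *_ in lookup(conn, company, code):
            if found_company != company:
                leaked += 1
    return leaked


if __name__ == "__main__":
    shared = build_shared_db()
    unscoped = lambda c, _company, code: shared_lookup(c, code)
    print("shared table, unscoped query :", cross_tenant_reachable(shared, "IBERCLI", unscoped))
    print("shared table, scoped query   :", cross_tenant_reachable(shared, "IBERCLI", scoped_lookup))
    print("separate tables              :", cross_tenant_reachable(build_separated_db(), "IBERCLI", separated_lookup))
```

Run stand-alone, the unscoped query against the shared table reaches three rows of other companies from IBERCLI's access path, while the scoped query and the separated layout reach none. The difference between the last two matters for the decision's point: the scoped query is only as good as the discipline of every application that touches the table, whereas the separated layout removes the other companies' data from the access path altogether.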

This clearly shows a breach of Article 32 of the GDPR, since it requires appropriate measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing.

IBERDROLA also alleges that the security breach was not caused by the insufficiency of the measures adopted, but by the intense activity of a third party whose sole intention was to carry out the cyberattack, which harmed not only the clients of the Group companies but also the companies themselves that suffered it.

In response, it should be noted that total infallibility cannot be demanded of the measures that may be adopted to ensure adequate protection in the processing of personal data. However, once the attack has occurred, the diligence of the controllers and processors in applying the appropriate technical and organisational measures to guarantee a level of security appropriate to the risk must be assessed, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing.

In the present case, at the time of the personal data breach IBERDROLA did not have appropriate measures in relation to the risks that the processing posed to the protection of personal data, since, as indicated, there was a vulnerability in the configuration of access to the database managed by IBERDROLA as processor.



Finally, in accordance with the Judgment of June 22, 2021 (Rec. 1210/2018) and the Judgment of November 5, 2011 (Rec. 1796/2019), which address the subjective or culpability element, it is stressed that the appellant's culpability cannot be considered excluded or attenuated by the fraudulent action of a third party, since the appellant's liability does not derive from the third party's conduct but from its own.

Finally, IBERDROLA points out that it had implemented mechanisms that allowed the almost immediate detection of the personal data breach it suffered, and that it adopted measures immediately, so that it considers its rapid action a clear example of its full compliance, then and now, with Article 32.1(c) of the GDPR, which refers to "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident", something which, in its view, has not been sufficiently valued in the Initiation Agreement.

In this regard, both the Initiation Agreement and this proposal have taken into account that IBERDROLA, through its Systems Department, reacted as quickly as possible and took measures aimed at repelling the attack and preventing its recurrence, considering this a mitigating circumstance under Article 83.2(c) of the GDPR.

Finally, IBERDROLA notes that Article 82.2 of the GDPR establishes in its second paragraph that "[a] processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller."

Although IBERDROLA acknowledges that this rule is found among the GDPR provisions on the right to compensation and liability, it considers that if a processor, as in its case, does not have to answer for the damage that data subjects may have suffered as a consequence of the processing where it has complied with the obligations that the GDPR imposes on it as processor, then no liability could be demanded of it in the sanctioning sphere either.

IBERDROLA therefore recalls that it has fully complied with the obligations that the GDPR imposes on it as processor for i-DE, IBERCLI and CURENERGIA, following their instructions in all cases and adopting, in particular, the security measures required to prevent the loss of confidentiality, integrity or availability of the data for which each of those companies is the controller, which in its view would require that these proceedings be closed.



In light of this, reference should be made to everything indicated above in this Legal Basis, since it shows that IBERDROLA, as the processor that administers and manages the database affected by the cyberattack, did not fulfil its obligations with regard to the adoption of appropriate technical and organisational measures to guarantee a level of security appropriate to the risk, which, where applicable, include, among others, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, as required by Article 32 of the GDPR.

For the above reasons, the claim made is rejected.

FIFTH. – ON THE ALLEGED VIOLATION OF THE PRINCIPLE OF SECURITY



In this section, IBERDROLA alleges that the fraudulent use of personal data has not been proven, not even by way of indication, the Initiation Agreement confining itself to considering that there is a very high risk, without that risk having materialised in practice.

In this regard, it should be clarified that what is attributed to IBERDROLA is the violation of the principle of confidentiality, since it is clear that, following a computer attack against the GEA website of the company I-DE, in addition to the unlawful access to personal data processed by that company, there was also illegitimate access to personal data, and their extraction, by an unauthorised third party, which meant the loss of confidentiality and control over numerous personal data (…) and affected 4,515,000 IBERCLI clients and 92,550 CURENERGIA clients. This constitutes a breach of the duty to guarantee the confidentiality of personal data, since, as indicated, Article 5.1(f) requires that they be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing.


As regards the high risk that these data, in the hands of the cybercriminal or cybercriminals, would be used fraudulently, this was stated to express what the loss of confidentiality entails; it is in no way necessary, in order to find Article 5.1(f) infringed, that those risks of fraudulent use materialise, because what materialised with the breach is the loss of confidentiality of personal data, which is exclusively what is attributed.

IBERDROLA also insists again in this section on its understanding that the AEPD had considered the breach it reported to be closed and that the complaints added nothing new, so that nothing seems to justify reopening an investigation that had been closed.

In this regard, reference should be made to everything already argued on this point in the Second section of this Legal Basis.


Therefore, the claim made is rejected.

SIXTH. – ON THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY TO THE DETRIMENT OF THE RIGHTS OF IBERDROLA




IBERDROLA alleges that the sanctions imposed violate the principle of proportionality, since the AEPD, in determining the amount of the sanctions, has resorted to entirely generic criteria.


Thus, regarding the alleged negligence in its conduct, IBERDROLA states that it has proven that the events occurred at a specific moment and were resolved very quickly, so that the measures adopted before the incident mitigated its effects. This immediate resolution of the incident shows, in its view, that it did have planned actions in place for a possible attack on its systems.

In response, it should be noted that the appropriate technical and organisational measures to guarantee a level of security appropriate to the risk that the processing of personal data may pose to the rights and freedoms of natural persons cannot in any way be merely reactive measures, that is, measures to resolve a personal data breach immediately. Thus, Article 32 of the GDPR not only states that the measures must guarantee adequate security, but also that they must include the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Article 32.1(b) GDPR). Therefore, it is not enough to have measures to react as soon as possible once confidentiality has been breached; there must also be appropriate prior measures to prevent that breach. This is because measures aimed at safeguarding the confidentiality, integrity and availability of personal data, that is, preventive measures aimed at avoiding any violation of them, are equally or more important.


Therefore, it cannot be accepted that the measures IBERDROLA had implemented were adequate because they allowed the incident to be resolved afterwards, since this only demonstrates the existence of corrective measures. What those reactive measures achieved was the cessation of the attack once it had occurred and the restoration of the service, that is, as regards the protection of personal data, they avoided a greater impact, and this has already been taken into account as a mitigating factor in these sanctioning proceedings; but in no way can they remedy the loss of confidentiality of the affected personal data, since it had already materialised.


That is, the confidentiality of personal data is guaranteed above all by preventive measures. In this regard, the response to the Fourth allegation in this Legal Basis has already noted the absence of appropriate technical and organisational measures to ensure the proper separation of the personal data of the clients of at least three different companies.


Therefore, all of this merely reflects a lack of diligence on IBERDROLA's part in guaranteeing security appropriate to the risk of the data processing carried out. In this regard, it should not be forgotten that the affected database stores the personal data of millions of clients, which constitutes large-scale processing, and that these data are accessed from web applications, that is, from the Internet, which requires security measures suited to that fact and specifically aimed at ensuring that no illegitimate access to those personal data occurs.

IBERDROLA also states that it does not agree with the linking of its activity to the processing of personal data being treated as an aggravating factor, since it understands that its conduct is being aggravated because it belongs to the electricity sector, and that special diligence is therefore being demanded of it, which again violates the principle of proportionality.

In response, it should be noted that its conduct is not aggravated because it belongs to the electricity sector, but because its activity, the conduct of its business, involves and requires the continuous and abundant processing of personal data, as demonstrated by the fact that it processes the data of millions of people.

Therefore, as indicated in the Initiation Agreement, IBERDROLA is a company accustomed to the processing of personal data, which again entails the requirement of a higher degree of diligence.

It is also noted that Article 83.2 of the GDPR provides that "When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(…)

       k) any other aggravating or mitigating factor applicable to the circumstances of the
       case…".

In this regard, the Spanish legislator chose to include in Article 76 of the LOPDGDD that: "2. In accordance with the provisions of Article 83.2(k) of Regulation (EU) 2016/679, the following may also be taken into account:

(…)

       b) The linking of the offender's activity with the performance of processing
       of personal data."

This Agency simply takes that circumstance, provided for by the legislator, into consideration when deciding on the imposition of the administrative fine.


It should be noted that, for the purposes of deciding on the imposition of an administrative fine, an infringement committed by a natural person or a small company unaccustomed to the processing of personal data cannot receive the same consideration as one committed by a large company such as IBERDROLA, accustomed to processing the personal data of millions of clients and with a long track record in this respect. The infringement is therefore considered more serious for the purposes of imposing a fine where the party responsible for the processing is among the latter, as is the case of IBERDROLA.

IBERDROLA also alleges a lack of proportionality by comparison with file PS/00179/2020, in which, it states, a fine of only 500,000 euros was imposed even though not only was confidentiality breached but the breach was not notified to the AEPD, something IBERDROLA did do, and yet that sanction was considerably smaller.

In this regard, it should be noted, on the one hand, that in data protection matters the technical and organisational security measures to be adopted by controllers and processors, and the other obligations imposed by the GDPR, must be appropriate to the specific risks posed by the specific processing carried out by each controller or processor. Therefore, the diligence of each in complying with the regulations must be analysed on the basis of the circumstances of each case, taking into account the nature, scope, context and purposes of each processing operation, so that no two cases are identical.


On the other hand, Article 83 establishes that:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed…" (emphasis is ours)

Therefore, the circumstances of each individual case must be considered, there being no two identical files and, consequently, no two identical outcomes. By way of example, in the file cited the number of data subjects affected was less than half that in the case now before us; the infringement of Article 32 of the GDPR concerned a different kind of insufficiency in the measures to guarantee security appropriate to the processing; the events occurred in 2018, the year in which compliance with the GDPR became mandatory, which is not the same as four years later; the state of the art a few years earlier is not the same as a few years later, especially given its rapid progress; and so on.

Likewise, it is pointed out that there are many other files, both before and after the present one, in which both the violation of the confidentiality of data and the violation of the security measures of Article 32 of the GDPR were sanctioned, although, as has been pointed out, always in light of the specific circumstances of each case.

Finally, and for the sake of completeness, equality in illegality cannot be demanded. The case law is clear on this. Thus, the Judgment of the National Court of April 28, 2023 (SAN 04/28/2023, Rec. 409/2021) states that “Reference is made to discriminatory sanctioning treatment, since that fine or economic sanction could be replaced by the measures of Article 58 GDPR, less burdensome measures such as a warning, and reference is made to other infringements committed by other entities. The claimant of course attempts to compare this situation with another sanctioning proceeding that is mentioned, but we are not dealing with discriminatory treatment or with a violation of the principle of equality, since that principle operates only within the framework of legality, where equal factual situations receive different treatment without reasonable justification. As the STS of January 20, 2004 points out, "equality must be predicated within the law, so that if the correct action of the Administration is the one now under review, as we have declared, the one invoked as contrary to it was not, and consequently it cannot be used to request that equal treatment be applied to the appellant, since, as this Chamber of the Supreme Court has declared in its judgments of June 16, 2003, July 14, 2003 and October 20, 2003, 'the principle of equality has no scope to protect a situation contrary to the legal system'", and this, as the sentencing chamber indicates, regardless of the fact that the administrative action alleged to contradict the present one has not been proven.

In the same vein, the STS of April 2, 2014 (Rec. 1916/2010) states that "legality prevails over a possible injury to the principle of equality." In this case, we are faced with an administrative infringement that is sought to be compared with another that had a different outcome, but from what is observed in the claimant's allegation a comparison between one situation and the other can hardly be made. It should be recalled that, according to settled constitutional doctrine, for a violation of the principle of equality to be found the following requirements must be met: 1) provision of a suitable term of comparison demonstrating the substantial identity of the legal situations that received different treatment, 2) that the unequal treatment is not based on objective reasons that justify it, and 3) that the comparison is made within the framework of legality, since the principle of equality cannot be invoked in illegality to perpetuate situations contrary to the legal system. That being so, the conduct for which the claimant has been sanctioned, and which is contrary to law, does not permit its liability to be further attenuated by the fact that in other cases, which are unknown, the sanction imposed was not economic and is considered more beneficial.”

For all the above reasons, the claim made is rejected.


                                          V
              Response to the allegations to the Proposed Resolution



In response to the allegations presented by IBERDROLA, the following should be noted:


FIRST: On the lack of defence allegedly caused to IBERDROLA by the non-joinder of proceedings EXP202305587 and EXP202205206


IBERDROLA once again reiterates the allegations made against the Initiation Agreement regarding its request for the joinder of both files, further indicating that, regardless of the fact that Article 57 of the LPACAP uses the word "may", the power granted must in all cases be considered enforceable against the Administration where the separate processing of the proceedings may adversely affect the rights of those included in them, and IBERDROLA insists that the non-joinder infringes its right of defence.

In this regard, it should first be noted that the request for joinder of the two files referenced was already answered in the Proposed Resolution, a response that is transcribed in full in Legal Basis III of this Resolution, to which reference should be made in its entirety. Therefore, although it is true that it is within the Administration's power to decide whether or not to join the proceedings, it is also true that the reasons why it was not appropriate to join both sanctioning proceedings were set out.

Likewise, IBERDROLA maintains that the non-joinder leaves it without a defence, since it understands that its access to the information on which the AEPD has relied in considering the two alleged infringements committed has been limited to those elements the AEPD has seen fit to incorporate into this file, without it having a complete view of the facts or, consequently, of the reasons leading the AEPD to impose such sanctions.

In response, it should be noted that it is not known what information or circumstances IBERDROLA believes it is unaware of, because it has at all times had full knowledge of the facts and of all the circumstances relating to them. In addition, it has at all times been aware of the infringements attributed to it for those facts and of the sanctions that could result from them, and it has been able to argue and submit whatever documentation it considered relevant throughout these sanctioning proceedings.


Therefore, the non-joinder complained of does not cause it any lack of defence, nor does it adversely affect any of its procedural rights.

As regards the rest of the arguments raised by IBERDROLA to demand joinder, since they reproduce those set out against the Initiation Agreement, reference should be made to the response given by this Agency, which, as indicated, is transcribed in Legal Basis III of this Resolution.

SECOND: On the previous acts of the AEPD and the violation of the principles of good faith, legitimate expectations and legal certainty.

IBERDROLA again insists that the letter of April 18, 2022 addressed to I-DE by the Technological Innovation Division of this Agency is of a decision-making nature and that this prevents, or should have prevented, any subsequent investigation of the personal data breach suffered, which, moreover, violates the principles of good faith, legitimate expectations and legal certainty.

Firstly, IBERDROLA was already told, in the response to its allegations against the Initiation Agreement, that the aforementioned communication from the Technological Innovation Division of this Agency was addressed only to I-DE and concerned the notifications made by I-DE to that Division as a consequence of a personal data breach suffered by I-DE.


Therefore, that letter in no way referred to the personal data breach suffered by IBERCLI and CURENERGIA and notified to this Agency by those companies, on account of which these sanctioning proceedings are being conducted against IBERDROLA as the processor for them, however much it now attempts to extend it to this file. It is for that reason that the letter does not appear in these sanctioning proceedings, so it cannot be accepted, as IBERDROLA alleges, that its absence has caused a lack of defence. Nevertheless, the letter was provided by IBERDROLA together with its written allegations against the Initiation Agreement, and the Proposed Resolution responded to it and set out why IBERDROLA's interpretation of the content and nature of that letter is erroneous.

IBERDROLA also indicates the following:

“However, it is the Proposed Resolution itself that reveals the close connection between the letter addressed to i-DE (whose omission from this file would in itself create a lack of defence for my client) and the present proceedings when, immediately afterwards, it adds that "however, since the personal data breach reported by I-DE derived from the breach suffered by IBERCLI and CURENERGÍA, we proceed to respond to the erroneous interpretation made by IBERDROLA in relation to the aforementioned document."

With this, the AEPD expressly recognises that, even though the letter was addressed to i-DE, there is an intimate and indissoluble relationship between both proceedings, given that the breach attributed to my client has its direct cause in the vulnerability that arose in the GEA application. It is thus evident that, if the AEPD considered the clarifications made by i-DE in the notification relating to the breach that is the cause of this file to be sufficient, and it is clear that without that breach the one now analysed would not have taken place, the finding that the cause was not open to further investigation can only have as its consequence the closure of the proceedings concerning what is merely the effect of that cause, previously considered sufficiently justified.”


In this regard, it is pointed out that what was meant is that the same incident (the cyberattack) gave rise to two different personal data breaches: one affecting the personal data of I-DE clients, due to a vulnerability in its web application, and another affecting the clients of IBERCLI and CURENERGÍA, because the three companies store the personal data of their respective clients in a database managed by IBERDROLA as processor, and as a result of a vulnerability in the logical separation within that database.

Notwithstanding the above, just as the Proposed Resolution responded to IBERDROLA's arguments concerning the letter of April 18, 2022, and since IBERDROLA continues to maintain that the letter affects the present sanctioning proceedings, which, as already indicated, it does not, a response is given below to the new arguments IBERDROLA puts forward in relation to it.


Thus, IBERDROLA states that one of the functions of the Technological Innovation Division of this Agency is to "analyse and classify security breaches and, where appropriate, submit a reasoned proposal to the Presidency for the initiation of an investigation where there are indications that an infringement has been committed" (Article 31(e) of the AEPD Statute).


IBERDROLA adds that the aforementioned document is signed by the "AEPD", which in its view means that it must be understood as signed by the Director, since the "legal and institutional representation" of the Agency corresponds solely and exclusively to the Director, as established in Article 13.1(b) of the AEPD Statute.

From this IBERDROLA concludes that, since the Technological Innovation Division had analysed the information it communicated about the security breach and understood that it was not appropriate to submit any reasoned proposal to the Director of the AEPD in relation to it, as it did not consider the provisions of the GDPR to have been infringed, this amounted to this Agency notifying its decision not to take any action in relation to that breach.


In response, it should first be recalled that this question was already answered in the Proposed Resolution, and a response is given in Legal Basis IV of this Resolution, to which reference should be made.


On the other hand, it cannot be accepted or understood, even indirectly, that the letter in question is signed by the Director of this Agency, as long as the Director's signature does not expressly appear, however much IBERDROLA wishes to presuppose artificially that the signature comes from that body because the letter displays the representation of the AEPD. No generic signature of the AEPD or of any of the bodies of which it is composed, nor the signature of any of the holders of those bodies, can substitute for the signature of the Director when exercising the powers conferred on the Director both by Law and by the Statute of the AEPD. Likewise, any delegation of signature in such cases must be direct and express, and must appear in the administrative act that is signed by delegation, in order to guarantee and safeguard that the decision has been adopted by a competent body.


In this regard, the Statute of the Spanish Data Protection Agency, approved by Royal Decree 389/2021, of June 1 (hereinafter the Statute), expressly establishes that:

"1. The Presidency of the Spanish Data Protection Agency shall be responsible for:

(…)

d) Issuing the resolutions and instructions required for the exercise of the Agency's functions, in particular those derived from the exercise of the powers provided for in Article 57 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, and the exercise of the investigative and corrective powers provided for in Article 58 of that Regulation." (emphasis is ours)


Article 27 of the Statute, for its part, establishes the powers of the General Subdirectorate of Data Inspection of the AEPD:

"1. The General Subdirectorate of Data Inspection is the administrative body, dependent on the Presidency of the Spanish Data Protection Agency, which exercises the powers provided for in article 57.1, letters f), g), h), i) and u) of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, and carries out the inspection and investigation functions necessary for the exercise of the investigative powers established in article 58.1, letters a), b), d), e) and f)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 58/99








and the corrective powers provided for in article 58.2, letters a), b), c), d), f), g), i) and j), both of the aforementioned Regulation." (emphasis ours)


2. In order to fulfil the tasks established in the previous section, the General Subdirectorate of Data Inspection is responsible for the following functions:

a) Permanent supervision of compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, with Organic Law 3/2018, of December 5, and with the provisions implementing them, by controllers and processors.

b) The exercise of the investigative powers defined in article 51 of Organic Law 3/2018, of December 5.

(…)
d) The processing of procedures in the event of a possible infringement of data protection regulations in accordance with the provisions of Title VIII of Organic Law 3/2018, of December 5, including claims by citizens for failure to attend to their requests to exercise the rights contemplated in Articles 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. The General Subdirectorate of Data Inspection is responsible for informing the claimant of the progress and outcome of the claim submitted to the Spanish Data Protection Agency, in accordance with article 77.2 of the aforementioned Regulation.
(…)

e) The evaluation of the admissibility for processing of claims submitted to the Spanish Data Protection Agency, and the proposal to the Presidency of the decision on admission or non-admission for processing, in accordance with article 65 of Organic Law 3/2018, of December 5.
(…)

h) Carrying out the prior investigation actions agreed by the Presidency on its own initiative, following a claim, or at the request of another body or supervisory authority, in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure, in accordance with article 67 of Organic Law 3/2018, of December 5." (emphasis ours)



Therefore, with respect to the Technological Innovation Division of the AEPD, whose functions under the Statute include "analysing and classifying security breaches and, where appropriate, submitting a reasoned proposal to the Presidency for the initiation of an investigation when there are indications of the commission of an infringement" (article 31 e) of the AEPD Statute), this does not mean that it is the sole and exclusive channel through which this Agency can initiate investigative actions. Thus, the investigative power held by the AEPD, as reflected in the regulations described, is exercised by the General Subdirectorate of Data Inspection, which may initiate investigative actions ex officio, by order of the Director, or as a consequence of the admission of claims submitted to the AEPD.



The Technological Innovation Division, after analysing the documentation provided by I-DE (which did not cover all the circumstances of the incident), indicated that it did not foresee the initiation of further actions; it did not state that it considered the provisions of the GDPR not to have been infringed, nor that a decision had been taken not to carry out any action in relation to the aforementioned breach. The Technological Innovation Division did not take a decision; it merely informed I-DE of a forecast, which does not prevent other circumstances from being taken into account, such as the submission of claims by those affected by the breach, which make it advisable to depart from that forecast.


Therefore, the aforementioned document does not have the decisive and conclusive character that IBERDROLA now attributes to it, either by its content or by its form, and it is not an obstacle to, nor can it in any way prevent, the exercise of the AEPD's investigative power through the inspection and investigation functions entrusted to the General Subdirectorate of Data Inspection. This is especially so after the submission of claims by affected persons, which the LOPDGDD obliges the Agency to process.

Thus, article 65 of the LOPDGDD, on the "Admission for processing of claims", establishes that:


       1. When a claim is submitted to the Spanish Data Protection Agency, it must evaluate its admissibility for processing, in accordance with the provisions of this article.

       2. The Spanish Data Protection Agency will not admit claims submitted when they do not concern personal data protection issues, are manifestly unfounded or abusive, or do not provide rational indications of the existence of an infringement.

Therefore, when claims are submitted to the AEPD, it is obliged to analyse their admissibility beforehand, and may refuse to admit them only in the cases set out in section 2 of article 65 transcribed above, which did not occur in the present case. Accordingly, once the claims were admitted for processing, prior investigation actions were initiated precisely to ascertain the facts and circumstances that occurred and whether these could give rise to a possible infringement of data protection regulations, as permitted and empowered by articles 64 and 66 of the LOPDGDD, which were already transcribed in the response to the allegations against the Initiation Agreement and which, for the sake of clarity, are set out again:

Article 64. Form of initiation of the procedure and duration.


1. When the procedure refers exclusively to the failure to attend to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin by an agreement of admission for processing, which will be adopted in accordance with the provisions of article 65 of this organic law.

In this case, the period to resolve the procedure will be six months from the date on which the claimant was notified of the agreement of admission for processing. After this period, the interested party may consider the claim upheld.


2. When the procedure aims to determine the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and this organic law, it will be initiated by means of an initiation agreement adopted on the Agency's own initiative or as a consequence of a claim.

If the procedure is based on a claim submitted to the Spanish Data Protection Agency, the Agency will first decide on its admission for processing, in accordance with the provisions of article 65 of this organic law.

When the rules established in article 60 of Regulation (EU) 2016/679 apply, the procedure will begin with the adoption of the draft agreement to initiate the sanctioning procedure, of which the interested party will be formally notified for the purposes provided for in article 75 of this organic law.

Once the claim is admitted for processing, as well as in cases in which the Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement there may be a phase of prior investigation actions, which will be governed by the provisions of article 67 of this organic law. (emphasis ours)

Article 67. Prior investigation actions.


1. Before the adoption of the agreement to initiate the procedure, and once the claim, if any, has been admitted for processing, the Spanish Data Protection Agency may carry out prior investigation actions in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure.

The Spanish Data Protection Agency will act in any case when the investigation of processing operations involving massive personal data traffic is required.


2. Prior investigation actions will be subject to the provisions of Section 2 of Chapter I of Title VII of this organic law and may not last longer than twelve months from the date of the agreement of admission for processing, or from the date of the agreement deciding their initiation when the Spanish Data Protection Agency acts on its own initiative or as a consequence of the communication sent to it by the supervisory authority of another Member State of the European Union, in accordance with article 64.3 of this organic law. (emphasis ours)

Therefore, it is reiterated that it cannot in any way be inferred from the said regulations that the AEPD must justify the initiation of actions in the manner that IBERDROLA demanded above, namely that there must be some new fact or new circumstance, or that the claims must have provided new and different information with respect to the documentation that I-DE provided in its notification of the breach to this Agency, since the regulations indicated do not require this; moreover, those affected cannot be expected to contribute anything new, beyond knowing that the confidentiality of their personal data has been violated by a cyberattack whose circumstances they are unaware of.

It is precisely the prior investigation actions that serve to clarify the facts and circumstances of what happened, gathering more information in order to determine the existence of a possible infringement of data protection regulations. In this sense, the initiation and conduct of prior investigations, a power of the AEPD with or without claims, does not prejudge anything, but rather allows the necessary information to be gathered to determine whether or not there are indications of an infringement. Even after such an investigation, the proceedings may be archived if, in view of the information collected, it is understood that there are no indications of an infringement. This has not happened in the present case.


What the regulations cited do indicate is that, after claims are submitted, this Agency must decide whether or not to admit them for processing; in this case their admission was finally decided by means of an Agreement of Admission for Processing, signed by the Director of the Agency on May 9, 2022. And, as indicated in article 67.2 of the LOPDGDD cited above, the AEPD may carry out prior investigation actions in order to achieve a better determination of the facts and circumstances. It is a power attributed to it by the GDPR and the LOPDGDD.

Likewise, and for greater completeness, as indicated, even assuming that no claims had been submitted, the forecast of the Technological Innovation Division would not have been an obstacle or impediment to the ex officio exercise of the investigative powers that the AEPD holds in accordance with the aforementioned article 64.2, which provides that "Once the claim is admitted for processing, as well as in cases in which the Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement there may be a phase of prior investigation actions…"

Therefore, this sanctioning procedure was not initiated on account of the content of the claims or of any new information provided in them, but on the basis of the information and documentation obtained after the period of prior investigation actions, from which possible infringements of data protection regulations could be inferred.

THIRD: Regarding the arguments put forward in the Proposed Resolution for considering that bis in idem does not occur.

IBERDROLA again indicates that the non bis in idem principle has been violated by the imposition of the two infringements, since it understands that the AEPD is not prosecuting the infringement of article 5.1.f) of the GDPR for any reason other than that derived from what, in its view, is inadequate security of personal data, but solely and exclusively for that reason.

In this regard, the Judgment of the National High Court of July 23, 2021 (rec. 1/2017) provides:

"(…) In accordance with the legislation and case law set out, the non bis in idem principle prevents the same subject from being punished twice for the same act on the basis of the same foundation, the latter understood as the same legal interest protected by the sanctioning regulations in question. Indeed, where there is the triple identity of subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the proportionality assessment carried out by the legislator and amounts to the imposition of a sanction not provided for by law, which also violates the principle of proportionality.

But in order to speak of "bis in idem" a triple identity must occur between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing):

a) Subjective identity assumes that the affected subject must be the same, whatever the nature of the judicial or administrative authority that prosecutes, regardless of who the accuser or the specific body that resolved is, and regardless of whether the subject is tried alone or together with other affected parties.

b) Factual identity assumes that the facts prosecuted are the same, and rules out cases of real concurrence of infringements in which there is not one unlawful act but several.

c) Identity of foundation or cause implies that the sanctioning measures cannot coincide if they respond to the same nature, that is, if they share the same teleological foundation, as happens between criminal and administrative sanctions, but not between punitive and merely coercive measures."

Taking as reference what was previously explained in the sanctioning procedure, the non bis in idem principle has not been violated since, although broadly speaking the facts were detected as a result of a personal data breach, the infringement of art. 5.1.f) of the GDPR results in a clear loss of confidentiality that affected certain clients, whereas the infringement of art. 32 of the GDPR comes down to the deficient security measures detected (security alone), which were present regardless of the personal data breach. In fact, had the security measures that IBERDROLA had implemented been detected by the AEPD without any loss of confidentiality having occurred, it would only have been sanctioned under art. 32 of the GDPR.

As we have indicated, through art. 5.1.f) of the GDPR a loss of confidentiality and availability is sanctioned, and through art. 32 of the GDPR the deficiency of the security measures implemented by the controller. Deficient security measures, we add, which infringe the GDPR regardless of whether or not the personal data breach occurred.

Article 32 of the GDPR is infringed regardless of whether or not a personal data breach occurs. That is, it is infringed by not having appropriate measures to guarantee adequate security in the processing of data, without it being necessary or essential that a personal data breach occur which, as the case may be, may affect the confidentiality of the data, or only its availability, or only its integrity, or some or all of these.

It is another matter that the deficiency in security measures becomes evident, in the specific case, on the occasion of a personal data breach (a breach of confidentiality in this case), as has occurred here.

Art. 5.1.f) of the GDPR, on the other hand, is infringed when there is a loss of confidentiality or integrity of personal data, which may or may not be due to the absence or deficiency of security measures. This principle only determines the channel through which confidentiality, integrity or availability must be maintained when it states "through the application of appropriate technical and organisational measures", which are not strictly security measures.

Likewise, it is again noted that article 5.1.f) of the GDPR is one of the principles relating to processing. The principles relating to processing are, on the one hand, the starting point and the closing clause of the legal data protection system, constituting true informing rules of the system with an intense expansive force; on the other hand, since they have a high level of concreteness, they are mandatory rules capable of being infringed.

The breach of confidentiality attributed to I-DE consists in failing to comply with the obligation imposed in article 5.1.f) to process data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, through the application of appropriate technical or organisational measures.


Finally, it should be added that, in relation to the alleged violation of the non bis in idem principle, a response to this allegation was already given in the Proposed Resolution, in which the absence of the triple identity of facts, subject and foundation required by case law was set out; that response is transcribed in full in the Third section of Legal Basis IV of this Resolution, to which reference is made.

Finally, regarding IBERDROLA's allegations that the imputation of the infringement of article 5.1.f) demands an obligation of result, which it considers contrary to the Judgment of February 15, 2022 (cassation appeal 7359/2020), according to which the obligation imposed by data protection regulations to adopt technical and organisational measures is an obligation of means and not of result, it is noted that what is analysed in that Judgment is compliance with technical and organisational measures in the sense of whether they are adequate to guarantee the security of processing; that is, we would be not within the scope of compliance with article 5.1.f), but within the scope of compliance with article 32 GDPR, which deals with security measures. Therefore, the argument put forward by IBERDROLA, and the analysis of it to be carried out, must refer exclusively to the infringement of article 32 GDPR, which will be developed in the Fifth section of this Legal Basis relating to the infringement of article 32.


FOURTH: On the application of the principles of sanctioning law to the activity of the AEPD and the existence of a medial concurrence of infringements.


IBERDROLA again alleges that, if bis in idem is not found to exist, at least one of the infringements would be subsumed and embedded in the other, since the imputation of the infringement of article 5.1.f) of the GDPR is due to the fact that, in the AEPD's view, the processing was not carried out in compliance with the necessary security measures. IBERDROLA therefore understands that there is an absolute link between the alleged absence of adequate security measures and the breach of the principle of confidentiality. That is, it is the supposed insufficiency of security measures that directly leads to the infringement of article 32 and the infringement of 5.1.f). There is, therefore, in its view, a clear case of medial concurrence, since one of the two infringements charged cannot be committed without the other.

IBERDROLA then sets out the reasons why it considers that article 29 of the LRJSP is applicable and that, by not applying it, the AEPD is implicitly repealing, in the field of data protection, all the guarantees of the sanctioning regime established by the Constitutional Court.

In this regard, since this allegation was already made against the Initiation Agreement and a response is given in the Third section of Legal Basis IV, reference is made to that section in its entirety.


Furthermore, in relation to the AEPD's reference to the non-applicability of art. 29 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, "LRJSP"), IBERDROLA invokes Royal Decree 389/2021, of June 1, approving the Statute of the Spanish Data Protection Agency, article 3 of which establishes that the AEPD is governed by the provisions of the GDPR and, additionally, by the LRJSP. IBERDROLA understands that this implies that, in relation to everything not expressly regulated in the GDPR or the LOPDGDD, the provisions of the LRJSP are to be followed, as is the case of the concurrence of infringements provided for in article 29 of the LRJSP in relation to the principle of proportionality as a principle of sanctioning power.

In response, it is noted that article 3.2 of the aforementioned AEPD Statute establishes the following:


       2. Additionally, insofar as it is compatible with its full independence, it will be governed by Law 40/2015, of October 1, on the Legal Regime of the Public Sector, particularly the provisions for autonomous bodies; by Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; by Law 47/2003, of November 26, General Budgetary; by Law 9/2017, of November 8, on Public Sector Contracts, transposing into Spanish law Directives 2014/23/EU and 2014/24/EU of the European Parliament and of the Council, of February 26, 2014; by Law 33/2003, of November 3, on the Assets of Public Administrations, as well as by the rest of the general and special administrative law regulations that may apply. In the absence of an administrative rule, common law will apply.



Therefore, what is being indicated is that the legal regime of the Public Sector applies additionally, but in relation to the AEPD's status as a public body belonging to the General State Administration, that is, to matters such as its composition, organisation, structure, etc.

For its part, article 3.3 of the AEPD Statute indicates the following:

       3. The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, by Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, by the regulatory provisions issued in their implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.


Therefore, in the procedures processed by the Agency, including the sanctioning procedure, neither the LRJSP nor the LPAC applies additionally; rather, it is declared that the procedures processed by the AEPD will be governed by the GDPR and the LOPDGDD, and on a subsidiary basis (not a supplementary one) by the rules on administrative procedures.


In this regard, it is insisted that there is no supplementary application of the aforementioned precept, since there is no legal gap with regard to the application of the medial concurrence provided for in article 29 of the LRJSP. Neither does the GDPR allow, nor does the LOPDGDD provide for, the supplementary application of the provisions of art. 29 of the LRJSP.


In Title VIII of the LOPDGDD, on "Procedures in the event of a possible infringement of data protection regulations", article 63, which opens the Title, provides that "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." Although there is a referral to the LPACAP, this in no way establishes a subsidiary application with respect to the LRJSP, which does not contain in its articles any provision relating to administrative procedure.


In the same way that the AEPD does not apply the aggravating and mitigating circumstances provided for in the same art. 29 of the LRJSP, since the GDPR establishes its own, so that there is no legal gap or subsidiary application of that article, neither is there any application of the section relating to medial concurrence, and for identical reasons.


As already indicated, applying rules other than the GDPR to the determination of fines in each Member State under its national law, whether through aggravating or mitigating circumstances not provided for in the GDPR (or, in the Spanish case, in the LOPDGDD), or through a concurrence of infringements other than that provided for in the GDPR, would reduce the effectiveness of the system, which would lose its meaning and its teleological purpose, with the result that the fines imposed for different infringements would no longer be effective, proportionate and dissuasive. It would likewise deprive interested parties of the effective guarantee of their rights and freedoms, weaken the uniform application of the GDPR and the mechanisms for the protection of the rights and freedoms of citizens, and would be contrary to the spirit of the GDPR.


It should be clarified beforehand that supplementary application refers to cases in which a given rule does not regulate a specific situation (a legal gap), giving rise to the application of another legal rule that does regulate that situation, provided that it is not inconsistent with the legal system.


Subsidiarity, on the other hand, refers to a concurrence of rules, meaning that for a given case two or more rules may be applicable, so that the subsidiary rule yields in favour of the main one.

Having examined both supplementary application and subsidiarity, we conclude that article 29 of the LRJSP does not apply, but rather article 83 of the GDPR in relation to the principle of proportionality.

This is so because:

• The principle of proportionality applies to the sanctioning procedure.

• The principle of proportionality is fully regulated in article 83 of the GDPR.

• There is no legal gap.

• Neither the GDPR nor the LOPDGDD refer, on the ground of a legal gap, to the application of article 29 of the LRJSP.

• In the procedures processed by the AEPD, the subsidiary application of the general rules on administrative procedures is provided for in relation to the administrative procedures processed.

• In the procedures processed by the AEPD, the LOPDGDD does not establish a subsidiary application of the LRJSP, either for the administrative procedures processed or in relation to the principles of the sanctioning procedure.


Therefore, there is neither supplementary application nor subsidiarity that would make article 29 of the LRJSP applicable.

As regards IBERDROLA's indication that the Agency itself has previously considered article 29 applicable on finding cases of medial concurrence, as in its Resolution of April 23, 2021, issued in procedure PS/00240/2019, it should be noted that the Administration may depart from what it has previously resolved. Thus, article 35 of the LPACAP establishes that:


       1. The following shall be reasoned, with succinct reference to facts and legal grounds:

       c) Acts that depart from the criteria followed in previous actions or from the opinion of advisory bodies.


Therefore, it is legitimate for the Administration to depart from the criteria followed in previous actions, provided that the change is reasoned, which is the case here. Thus, in addition to what has just been argued in this section, it should be recalled once more that this allegation concerning medial concurrence was already made against the Initiation Agreement and was answered with reasoning and argument as to why medial concurrence is not considered to exist; moreover, the non-applicability of article 29 LRJSP was reasoned. Reference is therefore made to the arguments put forward, which are transcribed in the Third section of Legal Basis IV of this Resolution.

Therefore, having argued and reasoned both the position on the concurrence of infringements and the reasons why article 29 LRJSP is not considered applicable, the change of criterion is likewise reasoned.

In this sense, the Sentence of March 12, 2018, of the Superior Court of
Justice of Madrid, Administrative Litigation Chamber, Section 4 (Rec. 761/2017),

points out, on the occasion of the review of a sanctioning procedure, that:

       “(…) the Administration can separate itself from what was previously resolved
       motivating the change (art. 35.c) of Law 39/2015, of October 1, of the
       Common Administrative Procedure of Public Administrations). As

       points out the Supreme Court in its Order of December 4, 1998 "... so that
       the doctrine of the acts of the Administration has application is
       It is fundamentally necessary that a first body of the Administration has
       issued a first act declaring rights and then in the second
       revoke the decision taken in the first", and said circumstance does not occur

       in this case because the present administrative act of tax settlement does not
       revokes any decision taken in a preceding act relating to it
       tax concept nor is there an express declarative act that is now
       modify.

       For these purposes, it is necessary to distinguish between the effectiveness of the acts of the

       Administration and the connection of the Administration to precedents
       interpretative measures applied in previous situations since, in the event that
       is questioned, and using the words of the Supreme Court (ruling of 25
       February 2000), it is not possible to speak of "own act but at most a change of
       criterion and interpretation, which is perfectly valid." Likewise, the STS

       of June 27, 2000 states:

       "...the principle of acting against one's own acts could not be taken to extremes
       such that they obstruct the conformity with the Law of a certain action,
       by the mere fact of" (the existence of) "another previous one of a different sign although

       this was not protected by legality, in the same way that equality only
       falls within the scope of legality, as is sufficiently known,
       under penalty of being able to consolidate illegal or inappropriate resolutions forever
       to Law, irreversible and impossible to modify later.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 68/99









       The High Court has expressed itself in the same sense in other Judgments. Thus, in that of 1 February 1999, it declares that "this principle cannot be invoked to create, maintain or extend, in the field of public law, situations contrary to the legal system, or when the preceding act is in contradiction with the purpose or interest protected by a legal norm which, by its nature, is not capable of protecting a discretionary action of the Administration that involves the recognition of rights and/or obligations arising from its own acts. Or, put another way, the doctrine of own acts, without the limitation that has just been explained, could introduce into the field of public law relations the principle of the autonomy of the will as a method of ordering matters regulated by norms of a mandatory nature, in which the public interest safeguarded by the principle of legality prevails; a principle that would be violated if an action by the Administration contrary to the legal system were upheld for the sole reason that the Administration so decided or because it follows a precedent of its own. (...) or, in other words, it cannot be said that trust placed in an act or precedent that is contrary to a mandatory norm is protected" (the emphasis is ours).

Likewise, and for the sake of completeness, this criterion of considering article 29 LRJSP not applicable is not new, as it has already been applied in previous sanctioning proceedings. By way of example, PS/00020/2023 and PS/00667/2023 may be noted.

Finally, IBERDROLA alleges that the application of article 29 is a possibility also recognised by Guidelines 4/2022 on the calculation of administrative fines under the GDPR, which expressly set out the criteria that the administrative authority must follow in order to assess, prior to imposing a sanction, whether such concurrence exists.

In light of this, it is noted that, as regards the citation of EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1, adopted on 24 May 2023, paragraph 22 refers to three types of concurrence, namely concurrence of infringements, unity of action and plurality of actions: “When examining the traditions of the Member States in the field of competition rules, as indicated in the case law of the CJEU, and taking into account the different areas of application and the legal consequences, these principles can be roughly grouped into the following three categories: - Concurrence of infringements (chapter 3.1.1), - Unity of action (chapter 3.1.2), - Plurality of actions (chapter 3.2).”

In cases of concurrence of infringements, the applicable provision is that contained in article 83(3) GDPR, which establishes a quantitative limit for such cases: “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.”


Likewise, it must be recalled at this point that the seriousness of infringements of the GDPR is determined in accordance with the rules established in the GDPR itself and not in the LOPDGDD. The classification of infringements is regulated in article 83(4), (5) and (6) GDPR, whereas the classification of infringements as very serious, serious or minor, solely for the purposes of limitation periods, is provided for in articles 72, 73 and 74 LOPDGDD.

Last but not least, the AEPD is not sanctioning the same offence twice, as IBERDROLA alleges; rather, through proven facts not refuted by IBERDROLA, the commission of two distinct infringements, classified separately, has been verified, and in the specific case there is no concurrence of means either.

For all the above reasons, this allegation is rejected.


FIFTH: Regarding the alleged absence of an infringement of article 32 GDPR by I-DE

IBERDROLA again states that it had carried out an analysis of the risks that the processing of the data could pose to the rights and freedoms of data subjects, and that it had implemented security measures that mitigated those risks.

In response, it must be pointed out that the risk analysis of the processing activity affected by the incident does not show any measures to be adopted to mitigate the risks supposedly detected.

Thus, in response to the request made by this Agency during the prior investigation for a copy of the risk analysis on the rights and freedoms of natural persons carried out before the incident in relation to the processing activity affected by the personal data breach, both IBERCLI and CURENERGÍA provided the same document and indicated that it is the scheme followed within the Iberdrola Group for assessing the risk of personal data processing, and that the assessment is carried out in accordance with it:



(…)

Likewise, both companies attached a document explaining the logic followed for calculating the risk level under this methodology, entitled “Risk Level calculation logic”:




 (…)


(…)

They explain that this methodology is implemented in automated form in the corporate tool for recording processing activities, so that the risk level of the processing is determined during the registration process itself.


As can be seen, the aforementioned document details certain threats or circumstances, which are carried over to the Record of Processing Activities for the corresponding activity, such as “vulnerable groups”, “access to personal data by more than 10 people”, “international transfers”, “large-scale processing” and “profiling with legal effects”. These circumstances are framed as questions and, depending on whether the answer is “yes” or “no”, a result is applied.

Thus, applying this methodology to the affected processing activity “(…)” (“…”), for which IBERCLI and CURENERGIA are controllers in relation to their respective clients, resulted in a Medium risk level.


Accordingly, several of these questions appear in the Record of Processing Activities for the activity affected by the personal data breach, each answered “Yes” or “No”, and a “Medium” risk is indicated, but nothing more. That is, no measure is indicated that should be adopted to mitigate that medium risk. It is not even stated whether this is an inherent risk or a residual risk.

Likewise, IBERDROLA was required to provide the risk analysis and, where applicable, the DPIAs, with respect to the processing it carries out as processor and in relation to the processing activities affected by the breach; it responds, in its reply (submitted on 24/01/2023, registration number REGAGE23e00004670187), that:

“The Iberdrola Group has adopted a risk analysis methodology for the processing of personal data that is implemented in automated form in the corporate tool for recording processing activities, so that the risk level of the processing is determined during the registration process itself.

In the case of processing for which IBERDROLA acts as processor, the methodology involves carrying out the risk analysis in relation to each of the processing operations for which my client has that status, so that this analysis is developed by the controller entity itself in collaboration with my client.

For this reason, the risk analysis relating to the specific processing (…) is incorporated into the Records of Processing Activities of i-DE and of IBERCLI and CURENERGIA, and its results have been communicated to my client. According to what these entities inform us, the result of that analysis appears in the responses provided in this procedure to the information requests addressed to them.”

Also, at the request of this Agency during the preliminary investigation phase, IBERDROLA provided (registration number REGAGE23e00004673128) the Record of Processing Activities for the processing “IT Infrastructure Support and Maintenance” (activity “RET_IT_001”) and “Application development (SWF)” (activity “RET_IT_011”), carried out by IBERDROLA as data processor in respect of various processing operations of the Iberdrola Group companies, among which are those affected by the security breach. On analysing that Record, none of the questions or circumstances referred to in the documents reproduced above has been carried over to it, even though that methodology was presented, for the entire Iberdrola Group, as the personal data processing risk analysis methodology implemented in automated form in the corporate tool for recording processing activities, such that the registration process itself determines the risk level of the processing.

Therefore, IBERDROLA has not proven that it carried out a risk analysis for the processing activities described above, which it performs as processor, and so it has not proven what it claims, namely that it implemented security measures that mitigated those risks. Nor has it proven that it assessed the inherent risks arising from its participation as processor in other processing operations, nor that the measures adopted are appropriate to mitigate them. In particular, it has not been accredited that it assessed the inherent risks of the processing it performs, which consists of storing the personal data of different controllers (different companies) in the same database in which, moreover, exceptionally (as it indicated) it stores personal data in the same table with only a logical separation between them; consequently, neither has the adoption of security measures to mitigate those unassessed risks been accredited.

Likewise, after analysing the methodology provided by both IBERCLI and CURENERGÍA, which they (and IBERDROLA) state is the one applied across the entire Iberdrola Group to carry out risk analysis, as well as the documentation provided, especially the respective Records of Processing Activities, it is not reflected that those analyses focus on the risks, of varying likelihood and severity, that the processing may pose to the “rights and freedoms of natural persons”, such as physical, material or non-material damage, in particular discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects, etc., all in accordance with Recital 75 GDPR.

For its part, art. 28.2 LOPDGDD provides that “For the adoption of the measures referred to in the previous section, controllers and processors shall take into account, in particular, the increased risks that could arise in the following cases:

       a) When the processing could give rise to situations of discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data subject to professional secrecy, unauthorised reversal of pseudonymisation or any other significant economic, moral or social harm to those affected.

       b) When the processing could deprive those affected of their rights and freedoms or could prevent them from exercising control over their personal data (...)”


Likewise, as explained in the AEPD guide “Risk management and impact assessment in the processing of personal data”, “The GDPR establishes the obligation to manage the risk that a processing operation poses to people's rights and freedoms. This risk arises both from the very existence of the processing and from its technical and organisational dimensions. The risk arises both from automated data processing and from manual processing, from the human elements and from the resources involved. The risk arises from the purposes of the processing and its nature, and also from its scope and the context in which it takes place.”


However, as indicated, these risks have not been assessed. Nor have the material or non-material damages to natural persons been assessed, or at least it has not been proven that this was done; there is therefore no risk analysis focused on protecting the rights and freedoms of data subjects. Moreover, the risk analysis that was carried out does not indicate what security measures to adopt to mitigate the resulting “Medium” risk.

For the above reasons, and as already stated, IBERDROLA has not accredited what it claims, namely that “it had carried out an analysis of the risks that the processing of the data could pose to the rights and freedoms of data subjects, and had implemented security measures that mitigated those risks”.

On a different matter, IBERDROLA alleges that the statements made by the AEPD in the Proposed Resolution demonstrate the existence of an absolute causal relationship between the vulnerability attributed to IBERDROLA and the breach that occurred in the GEA application. It transcribes the following passage from the Proposal:

       “(…) Therefore, it was not adequate or was insufficient, which amounts to a violation of art. 32, as it reflects a lack or insufficiency of measures appropriate to ensure a level of security appropriate to the risk in the processing of personal data.”

In response, what was meant, and is meant, is that what the cyberattack revealed, together with IBERDROLA's own statements about how the database it manages works, is that the logical separation in the database was not adequate, insofar as it allowed, by modifying a parameter in an application belonging to one of the companies, access to personal data of clients of other companies for whom no such access is authorised. That is, that logical separation could be “jumped over” or bypassed.


In this regard, it should be recalled that, as IBERDROLA indicated, (...).

(…)

(…):


-(…).

Therefore, there was an inadequate logical separation between the personal data of clients of different companies stored in the same table of the database managed by IBERDROLA, insofar as it allowed, by changing a parameter in a URL (the Client code) in one of the applications of one of the companies (I-DE), unauthorised access to the personal data of clients of other companies (IBERCLI and CURENERGIA), thus failing to guarantee adequate security for the personal data processed by those two companies.

Therefore, IBERDROLA, as processor for the processing activities affected by the personal data breach, since it provides those companies with the service of “Maintenance and support of the servers and databases supporting business applications affected by GDPR” (according to the description of the processing in the Record of Processing Activities for activity “RET_IT_001”), as well as “Development and Maintenance of applications” (activity “RET_IT_011”), did not adequately guarantee the complete separation of the personal data of the clients of the different companies that are processed (stored) in the same database (in this case, in the same table) managed by IBERDROLA.


Therefore, IBERDROLA has not complied with the obligation, derived from the GDPR and incumbent on it as processor, to adopt measures appropriate to the risk posed by the processing it carries out, an obligation also imposed by section 7.5 of Clause Seven of the “Framework Agreement for the protection of personal data for the Iberdrola Group”, signed on 18 May 2018, set out in the Eighth Proven Fact, which reads as follows:

“7.5.- Obligations of the Data Processor.

       e) Security Measures.

       In accordance with the GDPR, apply appropriate technical and organisational measures to guarantee a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

       The security measures to be implemented are those indicated in Annex III of this PDP Framework Agreement.”



For its part, it has not complied with the obligations set out in the aforementioned Annex III, “Security Measures. Cybersecurity and Information Security”, of the Framework Agreement, which, among others, provides as follows:

“The security conditions established in this Annex apply to the provision of the services, as well as to compliance with the obligations of the Data Processor under the PDP Framework Agreement

1.(…)

3.(…)

4. (…)

(…).



IBERDROLA also alleges that the AEPD's reasoning can only be described as circular because, since case law has clearly established that the obligation to adopt security measures is an obligation of means and not of result, the AEPD assesses IBERDROLA's alleged non-compliance with the obligation to implement security measures by inverting the reasoning that should be followed, indicating throughout its Proposed Resolution that, ultimately, the measures were objectively inadequate as a consequence of the fact that the attack could actually occur and the personal data breach took place.

IBERDROLA therefore maintains that, in this way, the AEPD seeks to circumvent the doctrine laid down by the Supreme Court in its ruling of 15 February 2022 regarding the insufficiency of measures, but that ultimately its reasoning takes the result as the premise for concluding that the means were inadequate before it occurred.

In this regard, it should be noted, first of all, that this Agency has not relied on the result of the cyberattack to justify the finding of non-compliance with article 32 GDPR, since, as follows from everything set out above, that non-compliance already existed before, and independently of, the attack suffered, which shows that there were no appropriate measures to guarantee a level of security appropriate to the risks. Thus, what matters is not the result, but the fact that it was possible, from an application of one of the companies, to access personal data of clients of other companies. What the incident did was precisely to bring to light the prior existence of that possibility. Therefore, the logical separation between the personal data of clients of different companies stored in the same table of the database was not appropriate. Likewise, IBERDROLA has not accredited that it carried out a risk analysis for the processing activities it performs as processor, and so it has not been proven that the security measures implemented mitigated risks that were never assessed.



Secondly, regarding the Supreme Court Ruling of 15 February 2022 (cassation appeal 7359/2020), it should be noted, as already stated in the Proposed Resolution, that the Judgment does indeed indicate, regarding security measures in data protection, that “… the obligation that falls on the controller and on the processor with respect to the adoption of the measures necessary to guarantee the security of personal data is not an obligation of result but of means, without infallibility of the measures adopted being required. Only the adoption and implementation of technical and organisational measures which, in accordance with the state of the art and in relation to the nature of the processing carried out and the personal data in question, reasonably allow their alteration, loss, or unauthorised processing or access to be avoided, is required.” (emphasis is ours)

However, the Judgment goes on to state, with respect to the specific case analysed in it, that “…the program used to collect customer data contained no security measures that would allow checking whether the email address entered was real or fictitious and whether it really belonged to the person whose data was being processed and who gave consent for it. The state of the art at the time these events occurred made it possible to establish measures aimed at verifying the veracity of the email address, making continuation of the process conditional on the user receiving the contract at the address provided and only from that address giving the consent necessary for its collection and processing. Measures that were not adopted in this case.

(…) So, at the time these events occurred, technical measures existed relating to the registration process that would have prevented the leak of personal data that occurred. This implies that the technical measures adopted did not comply with the security conditions in the terms required by art. 9.1 of LO 15/1999, thereby incurring the infringement provided for in art. 44.3.h), consisting of "Keeping files, premises, programs or equipment containing personal data without the security conditions determined by regulation [...]".

(…) It is claimed that the technical security measures relating to the computer program were the responsibility of xxxx, who designed the program and was the controller of the file and of the processing, and that the sanctioned company merely acted on its behalf, collecting data from clients who opted for financing. The fact is that the data processor (the natural or legal person who, alone or jointly with others, processes personal data on behalf of the controller, art. 4(8) of the Regulation, like art. 3.g) of LOPD 15/1999, and the collection of data constitutes processing (art. 3.c)) must also adopt the technical and organisational measures necessary to guarantee the security of personal data, as provided in art. 32.1 of Regulation (EU) 2016/679 of the Parliament and the Council and art. 9.1 LOPD, and is subject to the sanctioning regime established in the Law (art. 43 of LOPD 15/1999).

The appellant company processed customer data on behalf of the controller of the file, so it implemented and used that program knowing, or having a duty to know, that it lacked the necessary security measures…”


Therefore, although it follows from the Judgment that the obligations established by Article 32 GDPR are obligations of means, it also makes clear that if, at the time the incident occurred, adequate technical measures existed to avoid or mitigate its effects and they were not applied, this constitutes a breach of the obligation imposed by the GDPR and, therefore, an infringement of it. Moreover, these obligations apply both to the controller and to the processor.

It should be noted, first of all, that this ruling was issued under the regulations preceding the GDPR, in which, under the system provided for in the LOPD and the RLOPD, security measures were fully standardised. With the GDPR, however, we have moved from a system of standard, static security measures applicable to any controller to security measures specific to each organisation (adapted to its characteristics and particularities), which take into account the risks specific to the entity concerned; moreover, they are now dynamic, so that the obligation is not exhausted by implementing security measures appropriate to the risk at the start of the processing, but requires adequate risk management and adaptation to the risks that emerge.

The new regime provided for in the GDPR significantly expands the obligations of the controller and its scope of action and responsibility, now clearly extending to the actions carried out by processors, which fall within their own scope of responsibility. In the present case, as indicated above, the processing carried out by IBERDROLA gives rise to specific risks due to its participation as processor, which it had to foresee and mitigate and which there is no evidence it did. These are risks generated by its own activity as processor.

Secondly, the cited Supreme Court Judgment holds, in relation to an infringement of art. 9 LOPD, that “the obligation that falls on the controller of the file and on the processor with respect to the adoption of the measures necessary to guarantee the security of personal data is not an obligation of result but of means, without infallibility of the measures adopted being required. Only the adoption and implementation of technical and organisational measures which, in accordance with the state of the art and in relation to the nature of the processing carried out and the personal data in question, reasonably allow their alteration, loss, or unauthorised processing or access to be avoided, is required”.

In that regard, it specifies that “It is not enough to design the necessary technical and organisational means; they must also be implemented correctly and used appropriately, so that the party will also be liable for a lack of diligence in their use, understood as reasonable diligence taking into account the circumstances of the case”.

As has been demonstrated and argued throughout this sanctioning procedure, it is considered that there were no appropriate security measures to ensure a level of security appropriate to the risk, and this would be so even if no personal data breach had occurred.



In this regard, this Agency wishes to point out that in no way does it consider that the obligation to implement security measures imposed by data protection law is an obligation of result rather than of means.

But it is no less true that IBERDROLA did not have, before the incident, measures that “in accordance with the state of the art and in relation to the nature of the processing carried out and the personal data in question, reasonably allow their alteration, loss, or unauthorised processing or access to be avoided”.

Therefore, although it follows from the Judgment that the obligations established by Article 32 GDPR are obligations of means, it also makes clear that if, at the time the incident occurred, adequate technical measures existed to avoid or mitigate its effects and they were not applied, this constitutes a breach of the obligation imposed by the GDPR and, therefore, an infringement of it.


In the present case, as has been pointed out, that logical separation was not duly guaranteed because, as indicated, it was possible, by modifying a parameter of a URL in an application of one of the companies, to access personal data of clients of other companies. And this was the case before the attack. Therefore, liability is not being demanded solely as a consequence of a result caused by a cyberattack. It is another matter that this became apparent on the occasion of a personal data breach.

Finally, and in addition to everything indicated, it should be noted that, insofar as IBERDROLA made allegations against the Initiation Agreement regarding the charge of non-compliance with article 32 GDPR, reference is made to the Fourth section of Legal Ground IV.

SIXTH: Regarding the alleged absence of a violation of the principle of confidentiality and integrity.

IBERDROLA again insists on the absolute identity between the two infringements charged against it, to the point that the alleged infringement of article 5.1.f) GDPR is, in its view, either the result of the alleged infringement of article 32 of the Regulation or has its direct, immediate and exclusive cause in that second alleged breach, namely the lack of adequate security measures.

IBERDROLA points out in this regard that the AEPD has not considered the existence of any infringement that does not relate to security measures, since no measure has been identified as breached other than the security measures that may be required.

In this regard, it was already indicated in the Proposed Resolution that when art. 5.1.f) GDPR refers to appropriate technical or organisational measures to safeguard the rights and freedoms of data subjects within the framework of compliance with the GDPR, it does so in the sense provided for in art. 25 GDPR on data protection by design.

That provision establishes that,


       “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (emphasis is ours)

It should be noted that there are many technical or organisational measures that are not security measures and that the controller can implement as a means of guaranteeing this principle.

In this sense, IBERDROLA has not proven that it complied with that provision, since it has not been proven that, in accordance with the risks of varying likelihood and severity that the processing poses to the rights and freedoms of natural persons, it applied appropriate technical and organisational measures, such as pseudonymisation, designed to implement data protection principles effectively, among which is the principle of confidentiality.

Thus, the GDPR requires data protection by design and by default, and with it the need to manage both the risks to the rights and freedoms of individuals and the impact on those rights and freedoms that a data breach may have, especially in web environments, because they can affect a large volume of the population.


As stated in this Agency's guidelines on processing that involves the communication of data between public administrations, whose reasoning can be extrapolated to large organisations that handle large amounts of data, there are always risks related to personal data breaches. However, these will be especially significant in the processing of personal data carried out by large public and private organisations that serve a large part of the citizenry, and even more so if they are interconnected. It is very important to bear in mind that the risk that personal data breaches can pose in such processing does not depend so much on whether categories of sensitive and/or specially protected data are processed as on the consequences for fundamental rights that can arise from a compromise of the information.


To estimate the impact that a personal data breach could have, the consequences that would arise from its materialisation must be considered. One way to do so is, before a breach occurs, to consider the possible scenarios in which a compromise of personal data materialises, determine their consequences, and evaluate how they affect the rights and freedoms of data subjects, especially where these are irreversible consequences for their fundamental rights.

Regarding measures appropriate to the level of risk to rights and freedoms, article 24.1 of the GDPR establishes that the measures to be adopted in a processing operation to guarantee and be able to demonstrate its compliance with the Regulation must take into account the scope, context and purposes of the processing, and must address, in particular, the number of data subjects affected by it and the risk that it entails for fundamental rights, and not only the type of data.

The aforementioned Guidelines indicate that “the technical and organisational measures adopted must be specifically aimed at minimising the risks identified for rights and freedoms arising from potential personal data breaches. This implies that the controller must evaluate the risks that may arise, design measures aimed at minimising their likelihood and impact, and determine the extent to which such measures are appropriately managing the specific risks, in a dynamic process”.

And it is added that “Appropriate measures must be selected and implemented from the design of the processing operations, with the aim that all risk contexts for rights and freedoms are considered. It must be borne in mind that some measures will be more effective in avoiding or mitigating the direct impact on individuals, while other measures will mainly address the social impact on fundamental rights. A high level of data protection by default must be applied (…)”.


It is not disputed that a personal data breach may occur; therefore, within the risk management of a given organisation, precisely because a breach may occur, that scenario must be evaluated as an inseparable part of risk management for the purposes of (i) adopting all kinds of appropriate technical and organisational measures to prevent it from materialising and (ii) determining ex post measures to minimise the damage. On this point, the aforementioned Guidelines explain that “given the possible scenarios in which different types of breach may materialise, an answer must be found, at least, to the following questions from the design of the processing and prior to its implementation:

• What personal and social impact a personal data breach may have if it materialises.

• What data protection measures should be implemented a priori to minimise the personal and social impact that a materialised breach could produce.

• What response measures should be planned and executed after the fact, once the breach has occurred, to minimise the personal and social impact.”

Therefore, its management cannot be based exclusively on the field of cybersecurity, but has to encompass all the areas in which the processing is carried out, since, otherwise, risk management would not be complete and, therefore, would be useless. To achieve this, it is essential to adopt specific measures for data protection by design and by default, and also measures for the effective management of the consequences of a breach aimed at protecting the fundamental rights of natural persons.

As has been pointed out, there are many technical or organisational measures, not only security measures, that the controller can implement as a means of guaranteeing the principle of confidentiality.

In this sense, IBERDROLA has not proven that it has complied with what is established in the GDPR, since it has not been shown that, in accordance with all of the above, it has assessed those risks and applied appropriate technical and organisational measures aimed at effectively applying the data protection principles, including measures aimed at guaranteeing the principle of confidentiality. And alongside this, it must be highlighted that in this case a breach of the principle of confidentiality did in fact occur.

Furthermore, and apart from the above, not even in the risk analysis carried out in order to adopt the security measures of article 32 were the measures to be adopted to mitigate the “medium” risk of the processing activity affected by the breach indicated, as is set out below in more detail in the response to the Fourth allegation of this Legal Ground.

Therefore, in the case examined, as stated in the proven facts, there is a clear loss of confidentiality, since an unauthorised third party has accessed personal data processed by IBERCLI and CURENERGÍA in respect of which IBERDROLA acts as processor, which does not amount to strict liability, since IBERDROLA was not diligent in failing to guarantee adequate security through the application of appropriate technical and organisational measures, not only security measures but measures of all kinds.

Regarding IBERDROLA's claim that this AEPD has in no way accredited the materialisation of the risk that the loss of confidentiality posed for the affected persons, that no client of IBERCLI or CURENERGIA has had their rights affected as a result of the security breach that occurred, which in its view does not allow a principle to be considered violated and a fine of two million euros to be imposed as a consequence of that alleged violation on the basis of a mere potentiality or the consideration that a high risk of fraud could arise, in no way proven:


Against this, and as already indicated in the Proposed Resolution, IBERDROLA was accused of violating the principle of confidentiality because, after suffering a computer attack through the GEA web application, there was illegitimate access to, and extraction by an unauthorised third party of, personal data processed by CURENERGÍA and IBERCLI, which entailed the loss of confidentiality and of control over numerous personal data (…) and affected 1,515,000 clients of IBERCLI and 92,550 of CURENERGIA. Therefore, the risk did materialise, consisting of loss of confidentiality and loss of control over the data.

What is guaranteed is confidentiality, in order to avoid the serious damage that its breach can produce, since it represents a high risk for data subjects, should confidentiality be violated, of fraudulent use of the data: identity impersonation for online contracting, phishing, financial fraud, etc. The loss of confidentiality has already occurred in this case, since access and exfiltration have taken place, so it is no longer a matter of a “probability” of the risk, but of this risk itself causing harm. This implies non-compliance with the duty to guarantee the confidentiality of personal data, since, as has been indicated, article 5.1.f) provides that they must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing.

Likewise, regarding the fact that none of its clients have been affected in any of their rights as a consequence of the security breach, IBERDROLA forgets that the loss of confidentiality suffered in itself means that the core of the fundamental right to data protection, which is none other than having control over one's personal data, is affected.

As for the high risk that these data, in the hands of the cybercriminal(s), would be used fraudulently, this was pointed out to express what the loss of confidentiality entails, but it is in no way necessary, in order to find that article 5.1.f) has been violated, that those risks of fraudulent use materialise, because what has materialised with the breach is the loss of confidentiality of the personal data processed by IBERDROLA, which is exclusively what is imputed.

For the above reasons, the allegation is rejected.

SEVENTH: Regarding the violation of the principle of proportionality to the detriment of IBERDROLA's rights

IBERDROLA draws attention to the fact that the same aggravating circumstances have been applied in relation to the two infringements charged, which in its view shows the extent of the connection between the two, so that what was invoked in the Second and Third allegations (violation of the non bis in idem principle and the existence of an instrumental concurrence of offences) should apply.

In this regard, it was already indicated, in relation to the application of identical aggravating factors to both infringements, that the circumstances provided for in article 83.2 of the GDPR and those provided for in article 76.2 of the LOPDGDD are the only ones that the AEPD can apply to any infringement.

The determining factor in this case is not that they coincide in their use, but rather the grounds established for taking them into consideration.

Likewise, IBERDROLA alleges the inappropriate application of article 83.2.a) of the GDPR, drawing attention to the fact that it was considered appropriate to aggravate the penalty imposed due to the fact that a loss of confidentiality of personal data occurred, both in relation to article 32 and to article 5.1.f).

Thus, IBERDROLA maintains that, in relation to the violation of article 32, in accordance with the traditional concept of security in systems, its objective is to guarantee the integrity, confidentiality and availability of the information, so that, if the AEPD considers that the occurrence of a confidentiality breach aggravates the conduct consisting of the alleged absence of such security measures, any accusation for an alleged violation of article 32 will be aggravated by the AEPD, which would entail including in the catalogue of infringements a type aggravated by its very nature, which, however, is not included in the GDPR or the LOPDGDD.

In this regard, it should be noted, contrary to what has been argued, that a breach of confidentiality is not necessary or essential to the commission of the violation of article 32, since, as already indicated above, article 32 can be violated due to the absence of appropriate security measures or due to inefficiency in their use or implementation, without a personal data breach necessarily having occurred. A different matter is that the violation of article 32 is brought to light as a consequence of the materialisation of a personal data breach, which, by its very definition, involves

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (article 4(12) of the GDPR).

Therefore, in the present case, the logical separation existing in the database was not adequate, insofar as it allowed, by modifying a parameter in an application of one of the companies, access to personal data of clients of the other companies in respect of which there was no authorisation for such access.

This shows that IBERDROLA was not applying appropriate measures to guarantee a level of security appropriate to the risk of its processing, which in itself represents a violation of article 32. If, in addition, those deficiencies have allowed or facilitated, as is the case, a personal data breach (in this case, a confidentiality breach), there is no obstacle to considering that breach as an aggravating circumstance under article 83.2.a), which allows taking into account the “nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them” (emphasis added).

Regarding the application of the aggravating circumstance of article 83.2.a) to the violation of article 5.1.f), although it is true that the breach of confidentiality is not appropriate as a circumstance to be taken into account to aggravate the infringement, since it is subsumed in the offence itself, it is also true that that precept, article 83.2.a) of the GDPR, has been applied as an aggravating circumstance also taking into account the number of data subjects affected, who are very numerous, amounting to more than one million people (1,607,550), as well as the fact that numerous personal data were stolen (…), so it is appropriate to continue taking these circumstances into account as aggravating factors, and article 83.2.a) of the GDPR therefore continues to apply.

Regarding IBERDROLA's view that, in relation to this aggravating circumstance, the intention is to take into account alleged damages and losses suffered which have not been accredited by the AEPD, it should be noted that what is taken into account in that aggravating circumstance is the damage and risk that the loss of confidentiality entails in itself, which entails a total loss of control over one's personal data and a high risk that they will be used fraudulently, since they have been stolen by a cybercriminal.


On the other hand, IBERDROLA argues that the aggravating circumstance of article 83.2.b) of the GDPR regarding the existence of negligence cannot be applied, since the Judgment of the European Court of Justice of 5 December 2023 (case C-807/21) declares that:

          “75 Consequently, it must be held that Article 83 of the GDPR does not permit an administrative fine to be imposed for an infringement referred to in its paragraphs 4 to 6 without it being established that that infringement was committed intentionally or negligently by the controller and that, therefore, culpability in the commission of the infringement is a condition for the imposition of the fine.”

From this IBERDROLA deduces that, if such intentionality or negligence is necessary for the infringement to be considered committed, it can hardly be considered that the most serious form of attributable culpability can act as an aggravating circumstance, and even less so on the basis of a subjective criterion such as the size of IBERDROLA.


Against this, it should be noted that it is one thing that, in order to impute an administrative infringement, the existence of intention or negligence is necessary, and quite another that the existence of especially pronounced negligence, due to the circumstances of the case, cannot be used as an aggravating circumstance. The contrary would run counter to article 83.2.b) itself, which establishes that “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

       b) the intentional or negligent character of the infringement”.

Thus, in any violation of the data protection regulations, the existence of intentionality or negligence is required. And this applies to a controller that is a natural person as much as to a legal entity, whether it be a small company with little connection with the processing of personal data or a large company, a multinational, etc., with continuous and large-scale processing of personal data, for example.


Therefore, once it has been determined that, as a premise, this subjective element of basic culpability exists, this does not prevent the aggravating factor of intentionality or negligence from being taken into consideration, on the basis that, in accordance with the specific circumstances of the case, a different degree of intentionality or negligence is found in the conduct of the offending subject. Thus, the Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the GDPR, version 2.1, adopted on 24 May 2023, note the following:

“4.2.2 — Intentional or negligent nature of the infringement

55. In its previous guidance the EDPB stated that “in general, ‘intent’ includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas ‘unintentional’ means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law”.


Example 4 — Illustrations of intent and negligence (from WP 253)

“Circumstances indicative of intentional breaches might be unlawful processing explicitly authorised by the top management hierarchy of the controller, or in spite of advice from the data protection officer or in disregard of existing policies, for example obtaining and processing data about employees of a competitor with an intention to discredit that competitor in the market. Other examples here might be:

       - amending personal data to give a misleading (positive) impression about whether targets have been met; we have seen this in the context of targets for hospital waiting times

       - the trade of personal data for marketing purposes, i.e. selling data as ‘opted in’ without checking or disregarding the data subjects’ views about how their data should be used

Other circumstances, such as failure to read and abide by existing policies, human error, failure to check for personal data in information published, failure to apply technical updates in a timely manner, failure to adopt policies (rather than simply failure to apply them) may be indicative of negligence”;

56. The intentional or negligent character of the infringement [Article 83(2)(b) of the GDPR] must be assessed taking into account the objective elements of conduct gathered from the facts of the case. The EDPB highlighted that it is generally admitted that intentional breaches, “demonstrating contempt for the provisions of the law, are more severe than unintentional ones. In case of an intentional infringement, the supervisory authority is likely to attach more weight to this factor. Depending on the circumstances of the case, the supervisory authority may also attach weight to the degree of negligence. At most, negligence could be considered as neutral.” (emphasis ours)


In the present case, the aggravating circumstance of negligence is found, since IBERDROLA manages a database in which personal data of clients of different companies are stored, and it must at all times guarantee adequate security for that processing and absolute separation. However, there was an inadequate configuration that did not guarantee an appropriate logical separation and that allowed unauthorised access to be made from an application of one of the companies to the personal data of the other companies.
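The deficiency the resolution describes here and in the response on article 32 (a shared database whose logical separation depended on a request parameter, so an application of one company could reach the client records of another) is the classic missing tenant check. The following is an added example written for this page, not code from the decision or from any Iberdrola system; the company labels, client rows, table and function names are constructed for illustration. It places the "before" lookup, scoped only by the client identifier, beside a hardened lookup that takes the tenant from the authenticated application context and records refused cross-tenant requests for detection.

```python
"""Added example (not from the AEPD decision or from Iberdrola's systems).

It models the deficiency the resolution describes: several companies'
client records share one database, and an application belonging to one
company can reach another company's records if the only thing scoping a
lookup is a client-supplied parameter. Company labels, client rows and
function names below are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass

# Constructed sample data: several tenants (companies) in one shared table.
SAMPLE_ROWS = [
    (1001, "IBERCLI", "Client A", "a@example.invalid"),
    (1002, "IBERCLI", "Client B", "b@example.invalid"),
    (2001, "CURENERGIA", "Client C", "c@example.invalid"),
]

AUDIT_LOG: list[str] = []  # stands in for the audit/SIEM sink


def make_db() -> sqlite3.Connection:
    """Create an in-memory client table holding several companies' data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (client_id INTEGER PRIMARY KEY, company TEXT NOT NULL, "
        "name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


@dataclass(frozen=True)
class AppContext:
    """Identity of the calling application, fixed server-side at authentication."""
    app_name: str
    company: str  # the only company this application may see


def lookup_vulnerable(conn, ctx: AppContext, client_id: int):
    """'Before' form: the query is scoped only by the request parameter.

    ctx.company never reaches the query, so a changed client_id returns a
    record belonging to another company.
    """
    return conn.execute(
        "SELECT client_id, company, name, email FROM clients WHERE client_id = ?",
        (client_id,),
    ).fetchone()


def lookup_hardened(conn, ctx: AppContext, client_id: int):
    """Hardened form: the tenant comes from the authenticated context.

    The company filter is part of the query itself, so another company's
    record is simply not returned, and the refused attempt is logged so
    cross-tenant parameter tampering becomes visible to detection.
    """
    row = conn.execute(
        "SELECT client_id, company, name, email FROM clients "
        "WHERE client_id = ? AND company = ?",
        (client_id, ctx.company),
    ).fetchone()
    if row is None:
        AUDIT_LOG.append(
            f"DENY app={ctx.app_name} company={ctx.company} client_id={client_id}"
        )
    return row


def cross_tenant_exposure(lookup) -> bool:
    """True if an IBERCLI-scoped application can read a CURENERGIA row via lookup."""
    conn = make_db()
    ctx = AppContext(app_name="tenant-app", company="IBERCLI")
    row = lookup(conn, ctx, 2001)  # 2001 belongs to CURENERGIA in the sample data
    return row is not None and row[1] != ctx.company


if __name__ == "__main__":
    print("vulnerable leaks across tenants:", cross_tenant_exposure(lookup_vulnerable))
    print("hardened leaks across tenants:", cross_tenant_exposure(lookup_hardened))
    print("audit entries:", AUDIT_LOG)
```

The design point is that tenant scoping must be bound to the authenticated identity on the server side and enforced inside the data access path, not inferred from anything the client sends; the DENY audit entry is what gives a security operations team a signal that identifiers are being walked across company boundaries.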

Likewise, in relation to the violation of article 5.1.f) of the GDPR, the negligence shown by IBERDROLA is also found to be an aggravating factor because, as has been pointed out, given its subjective circumstances and the high number of personal data of numerous clients of the companies on whose behalf it processes the data (21 million I-DE clients; 8 million IBERCLI clients; 3 million CURENERGÍA clients), a greater degree of professionalism and diligence was required of it in the duty to guarantee the confidentiality of the personal data of those companies.


Regarding the consideration of IBERDROLA's size as an aggravating factor, it should be pointed out that the same level of diligence cannot be required from a company like IBERDROLA as can be required of a natural person or a small business, for example. This means that a higher level of diligence is required because the level of professionalism is greater.


It is appropriate to recall once again, in this sense, the Judgment of the National Court of 17 October 2007 (rec. 63/2006), which, with respect to entities whose activity involves the continuous processing of customer data, indicates: “…the Supreme Court has held that negligence exists whenever a legal duty of care is breached, that is, when the offender does not act with the required diligence. And in assessing the degree of diligence, special consideration must be given to whether or not the subject is a professional, and there is no doubt that, in the case now examined, when the activity of the appellant involves the constant and abundant handling of personal data, it must insist on rigour and exquisite care in order to conform to the legal provisions in this regard.”


Finally, contrary to what was stated by IBERDROLA, the consideration of this aggravating circumstance of negligence has at no time meant an increase in the maximum limit of the penalty to be imposed, since the maximum limits are established in sections 4 and 5 of article 83 of the GDPR, which allow the imposition of a penalty of, respectively, 10,000,000 euros or 2% of the total worldwide annual turnover, and 20,000,000 euros or 4% of the total worldwide annual turnover. Therefore, at no time has the maximum amount of the penalty that could be imposed been set as a consequence of the application of the aggravating factors, as IBERDROLA claims.


Regarding the aggravating circumstance included in article 76.2.b) of the LOPDGDD, IBERDROLA points out that its conduct is being aggravated by the mere fact of belonging to a specific sector of activity. In this regard, it should be noted that that precept does not take into consideration the specific activity to which IBERDROLA is dedicated (electricity sector), but rather the link between its activity and the processing of personal data, since it carries out massive and large-scale processing (at least 21 million I-DE clients; 8 million from IBERCLI; 3 million from CURENERGÍA) on a continuous basis.

In this sense, the Spanish legislator has seen fit to include in article 76 of the LOPDGDD that: “2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
(…)
b) The link between the offender's activity and the processing of personal data.”

This Agency simply takes into consideration that circumstance, provided for by the legislator, when deciding on the imposition of the administrative fine.
Finally, IBERDROLA alleges a breach of the principle of equal treatment taking into consideration this Agency's precedents. Thus, it cites procedure PS/000179/2020, in which, it states, a lesser penalty was imposed despite its understanding that the circumstances were more serious, and, above all, in that file no penalty was imposed for violation of article 5.1.f) of the GDPR despite the evident existence of a data confidentiality breach, so that the AEPD has modified its criteria by now converting what was considered a violation of article 32 of the GDPR into two violations, by now also referring to article 5.1.f) of the GDPR, and considerably multiplying the total amount of the penalty, which represents a flagrant breach of the principles of equality, legal certainty and public trust. Likewise, it points out that this also goes against the doctrine of one's own acts.

Against this, as already pointed out in the Proposed Resolution, the circumstances and facts of procedure PS/000179/2020 are not the same or comparable, just as there is no equality in illegality, so there can be no attempt to equate penalties in the face of different facts and circumstances. Therefore, reference must be made to the response to this same allegation, which is transcribed in its entirety in the Sixth section of Legal Ground IV of this Resolution.


Regarding IBERDROLA's contention that the principle of equality is also breached by the fact that PS/000179/2020 only penalised a violation of article 32 and did not consider a violation of article 5.1.f) of the GDPR, although there was also a confidentiality breach, and that this also goes against the doctrine of one's own acts, it should be noted that IBERDROLA has selected and brought up only this file to argue an alleged unequal treatment, while ignoring the numerous previous sanctioning procedures in which, following a confidentiality breach, penalties were imposed for violating both precepts. By way of example and without being exhaustive, since there are more, the following should be cited: PS/00444/2021, PS/00420/2021, PS/00528/2021, PS/00099/2022, PS/00113/2022, PS/00164/2022, PS/00419/2022, PS/00168/2022.

Finally, regarding procedure PS/0002/2023, in which two penalties were also imposed for violating both article 32 and article 5.1.f) of the GDPR, and which also concerns a company in the electricity sector, IBERDROLA brings it up to make a comparison, because there the total sum of the two penalties for these two infringements exceeded the amount imposed on IBERDROLA by only one million euros, despite the fact that there were injured parties. It should be noted once again that the facts and circumstances are different and that, for this reason, a different fine was imposed (in that case higher), in addition to other fines for other, different violations that were considered.

In this sense, it is once again recalled that, in data protection matters, the technical and organisational security measures to be adopted by controllers and processors, and the other obligations required by the GDPR, must be appropriate in relation to the specific risks posed by the specific processing carried out by each controller. Therefore, when analysing the diligence of each one in complying with the regulations, the circumstances of each case must be considered, taking into account the nature, scope, context and purposes of each processing operation, there being, therefore, no identical cases. In this sense, it must be remembered that article 83, in section 2, establishes that “Administrative fines shall, depending on the circumstances of each individual case…” (emphasis added). It should not be overlooked that in that procedure a fine one million euros higher than the present one was imposed.

Therefore, the circumstances of each individual case must be considered, there being no two identical files and, therefore, no equal results.

As a general and final consideration, it should be noted that none of the penalties applied violates the principle of proportionality. Thus, it must be remembered that articles 83.4 and 83.5 of the GDPR, which cover the violation of article 32 and of article 5.1.f) respectively, establish limits on the amounts of the fines that can be imposed which are very far from those that have finally been set.

Thus, article 83.4 of the aforementioned Regulation establishes that infringements shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In this regard, according to the entity Axesor, IBERDROLA's forecast turnover for 2022 was ***AMOUNT.2 euros, which would have allowed a penalty of up to ***AMOUNT.3 euros to be imposed for the violation of article 32.

For its part, article 83.5 of the GDPR establishes that infringements shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In this regard, in accordance with the turnover indicated, this would have allowed a penalty of up to ***AMOUNT.4 euros to be imposed for the violation of article 5.1.f).


Therefore, taking into account the above, as well as IBERDROLA's negligence in managing a database in which the personal data of millions of clients of different companies are stored, which requires it to guarantee at all times adequate security for that processing and absolute separation, whereas there was, however, an inadequate configuration that did not guarantee proper logical separation and that allowed unauthorised access to be made from an application of one of the companies to the personal data of the other companies; and in addition, taking into account the high number of affected people whose personal data were exfiltrated by a cybercriminal, which represents an irremediable loss of control over personal data, with the risk that this entails, it cannot be said that the penalties finally imposed violate the principle of proportionality, bearing in mind that “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive” (emphasis ours).

For the above reasons, the allegation is rejected.

                                           VI
                              Integrity and confidentiality

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

“1. Personal data shall be:
(…)

       f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”


The principle of data integrity and confidentiality requires a guarantee of
security in the application of technical or organizational measures that prevent alteration
of personal data, its loss, unauthorized or illicit processing or access. It's not
the existence of this fundamental right is not possible if the
confidentiality, integrity and availability thereof.


Hence, the integrity and confidentiality of personal data are considered essential to
prevent data subjects from suffering negative effects. Personal data must therefore be
processed in a manner that ensures their adequate integrity and confidentiality, in
particular to prevent unauthorized access to, processing or use of such data.

In short, both the controller and the processor are obliged to integrate the necessary
safeguards into the processing so that, under the principle of accountability, they comply
with, and are able to demonstrate compliance with, the fundamental right to data
protection.

In this regard, it should be recalled that the confidentiality of personal data is
regulated in article 5 of the RGPD and is therefore one of the principles relating to
processing. The principles relating to processing are, on the one hand, the starting point
and the closing clause of the legal data protection system, constituting genuine guiding
rules of the system with an intense expansive force; on the other hand, as they have a
high level of specificity, they are mandatory rules capable of being infringed.


Article 5.1.f) of the GDPR establishes a clear obligation, consisting of preventing
unauthorized or unlawful processing by implementing suitable security measures. One must
therefore be in a position to guarantee the confidentiality of personal data so as to
prevent a third party from accessing data that do not belong to them, since it is
mandatory to process personal data in accordance with the RGPD and the LOPDGDD. For this
reason, it is an activity in which the diligence exercised by controllers and processors
is essential to avoid this type of unauthorized access.


In the present case, the principle of confidentiality has been violated, since it is clear
that, after a computer attack against a web application of the company I-DE (GEA), in
addition to unlawful access to personal data processed by that company, there was also
unlawful access to, and extraction of, personal data of two companies other than the
first, processed by IBERDROLA in its capacity as processor.


In this regard, it must be recalled that IBERDROLA, as processor for IBERCLI and
CURENERGÍA, processes personal data on their behalf; specifically, in this case IBERDROLA
manages and administers the systems and the database in which the personal data of these
two companies are hosted. However, the attack suffered by another company of the Group
(which also hosts its data in the same place) has led to the exfiltration of personal data
contained in that database and belonging to clients of other entities of the Group, so
that the confidentiality of the personal data of each of them has not been guaranteed.


This has led to the loss of confidentiality and control over numerous personal data (…)
and has affected 1,515,000 IBERCLI clients and 92,550 CURENERGÍA clients. This represents
a breach of the duty to guarantee the confidentiality of personal data, since, as
indicated, article 5.1.f) states that they must be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorized or
unlawful processing.

Therefore, the risk of loss of confidentiality has materialized, the data having been
usurped by a cybercriminal, which means that they may be put to unknown uses (sold,
communicated, published, etc.), all without the consent of their owners, leading to a
total and absolute loss of control over them. In addition, this also poses a very high
risk of fraudulent use (identity theft, fraud, financial losses, etc.) or of any other use
that in certain circumstances constitutes a threat to their owners. It should also be
taken into account that most of the leaked personal data are data that cannot be modified
or changed (name, surname, ID number, address...).

This loss of control over one's own personal data results in a violation of the
fundamental right to data protection recognized in article 18 of the Spanish Constitution,
as the Constitutional Court has indicated (Judgment 292/2000, of November 30, 2000): “the
fundamental right to data protection seeks to guarantee the person a power of control over
their personal data, over their use and destination, with the purpose of preventing their
unlawful trafficking or trafficking harmful to the dignity and rights of the affected
person (…) The right to data protection guarantees individuals the power to dispose of
these data.”




For all the above and in accordance with the evidence available, it is considered that the
known facts constitute an infringement, attributable to IBERDROLA, for violation of
article 5.1.f) of the RGPD.


                                           VII
                Classification of the violation of article 5.1.f) of the RGPD


The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the
infringements typified in article 83.5 of the RGPD, which, under the heading “General
conditions for imposing administrative fines”, provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking,
up to 4 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher:

       a) the basic principles for processing, including conditions for consent,
       pursuant to Articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts
and conduct referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU)
2016/679, as well as those that are contrary to this organic law, constitute
infringements.”

For the purposes of the limitation period, article 72 “Infringements considered very
serious” of the LOPDGDD indicates:

“1. On the basis of the provisions of article 83.5 of Regulation (EU) 2016/679,
infringements that involve a substantial violation of the articles mentioned therein are
considered very serious and shall be time-barred after three years, and in particular the
following:

       a) The processing of personal data in violation of the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679. (…)”

                                           VIII
                  Penalty for violation of article 5.1.f) of the RGPD


For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available, the sanction to be imposed should be graduated
in accordance with the following criteria established in article 83.2 of the GDPR:

As aggravating factors:

- Article 83.2.a) RGPD: Nature, severity and duration of the infringement.


       -Number of data subjects affected: the number of persons affected is very high,
       amounting to more than a million and a half people (1,607,550).
       -Level of damage suffered: High. Numerous personal data (…) of a very considerable
       number of clients (1,607,550) were stolen by a cybercriminal, the clients thereby
       losing all control over them, which poses a high risk of fraudulent use (identity
       theft, fraud, financial losses, etc.), thus emptying of content the fundamental
       right to the protection of personal data that, as indicated by the Constitutional
       Court in the Judgment reviewed above, seeks to guarantee the person a power of
       control and disposal over their personal data, over their use and destination,
       with the purpose of preventing unlawful trafficking and harm to the dignity and
       rights of the affected person.

- Article 83.2.b) RGPD. Intentional or negligent character of the infringement: There is
negligence in compliance with and observance of the technical and organizational measures
needed to ensure the security necessary for the protection of personal data, specifically
to guarantee their confidentiality. In this regard, it must be recalled that IBERDROLA is
a large company which carries out, as processor, large-scale processing affecting numerous
natural persons (according to the statements made by the three companies affected by the
breach, it processes data of at least 21 million people), so a higher level of diligence
and adequate security measures are required to guarantee the confidentiality of the
personal data processed.

It is worth recalling, in this sense, the Judgment of the National Court of 10/17/2007
(rec. 63/2006), which, with respect to entities whose activity involves the continuous
processing of customer data, indicates: “…the Supreme Court has come to understand that
negligence exists whenever a legal duty of care is disregarded, that is, when the offender
does not behave with the required diligence. And in assessing the degree of diligence,
special consideration must be given to whether or not the subject is a professional, and
there is no doubt that, in the case now examined, when the activity of the appellant is
the constant and abundant handling of personal data, rigor and exquisite care must be
insisted upon in conforming to the legal provisions in this regard.”

As mitigating factors:


- Article 83.2.c) RGPD. Measures taken by the controller or processor to mitigate the
damage suffered by the data subjects: Positive. It was IBERDROLA which, upon detecting
performance and availability problems on the website, confirmed that it was a breach,
proceeded to block the attacker's IP and communicated the breach to I-DE, which may have
avoided a much more serious impact. It also managed the breach jointly with I-DE.

Likewise, it is considered appropriate to graduate the sanction to be imposed in
accordance with the following criteria established in paragraph 2 of article 76
“Sanctions and corrective measures” of the LOPDGDD:


As aggravating factors:



- Article 76.2.b) LOPDGDD. Link between the offender's activity and the processing of
personal data: The business activity that IBERDROLA carries out involves continuous and
large-scale processing of personal data, since it processes, as processor, data of at
least 21 million people. It is therefore a large company accustomed to the processing of
personal data.

For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available, taking into account the circumstances of the
case and the criteria established in article 83.2 of the RGPD with regard to the
infringement committed by violating the provisions of article 5.1.f) of the RGPD, a fine
of €2,000,000 (two million euros) is set.

                                           IX

                                 Article 32 of the GDPR

Article 32 “Security of processing” of the GDPR establishes:


“1. Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, the controller and the processor
shall implement appropriate technical and organisational measures to ensure a level of
security appropriate to the risk, including inter alia as appropriate:

       a) the pseudonymisation and encryption of personal data;

       b) the ability to ensure the ongoing confidentiality, integrity, availability and
       resilience of processing systems and services;

       c) the ability to restore the availability and access to personal data in a
       timely manner in the event of a physical or technical incident;

       d) a process for regularly testing, assessing and evaluating the effectiveness of
       technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of
the risks that are presented by processing, in particular from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to personal data
transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved
certification mechanism as referred to in Article 42 may be used as an element by which
to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting
under the authority of the controller or the processor who has access to personal data
does not process them except on instructions from the controller, unless he or she is
required to do so by Union or Member State law.”


Article 32 does not establish static security measures; rather, it falls to the controller
and the processor to determine the security measures necessary to guarantee the
confidentiality, integrity and availability of personal data. Consequently, the same data
processing may call for different security measures depending on the specific
circumstances in which that processing takes place.

In line with these provisions, Recital 75 of the GDPR establishes: “The risk to the rights
and freedoms of natural persons, of varying likelihood and severity, may result from
personal data processing which could lead to physical, material or non-material damage,
in particular: where the processing may give rise to discrimination, identity theft or
fraud, financial loss, damage to the reputation, loss of confidentiality of personal data
protected by professional secrecy, unauthorised reversal of pseudonymisation, or any
other significant economic or social disadvantage; where data subjects might be deprived
of their rights and freedoms or prevented from exercising control over their personal
data; where personal data are processed which reveal racial or ethnic origin, political
opinions, religion or philosophical beliefs, trade union membership, and the processing
of genetic data, data concerning health or data concerning sex life or criminal
convictions and offences or related security measures; where personal aspects are
evaluated, in particular analysing or predicting aspects concerning performance at work,
economic situation, health, personal preferences or interests, reliability or behaviour,
location or movements, in order to create or use personal profiles; where personal data
of vulnerable natural persons, in particular of children, are processed; or where
processing involves a large amount of personal data and affects a large number of data
subjects.” (emphasis ours)

Likewise, Recital 83 of the GDPR establishes: “In order to maintain security and to
prevent processing in infringement of this Regulation, the controller or processor should
evaluate the risks inherent in the processing and implement measures to mitigate those
risks, such as encryption. Those measures should ensure an appropriate level of security,
including confidentiality, taking into account the state of the art and the costs of
implementation in relation to the risks and the nature of the personal data to be
protected. In assessing data security risk, consideration should be given to the risks
that are presented by personal data processing, such as accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed which may in particular lead to physical,
material or non-material damage.” (emphasis ours)


In this regard, it should be emphasized that article 28.3.c) of the RGPD imposes on the
processor the obligation to take all measures required pursuant to article 32.

Data security requires the application of appropriate technical or organizational
measures in the processing of personal data to protect such data against unauthorized or
unlawful access, use, modification, dissemination, loss, destruction or accidental
damage. In this sense, security measures are key to guaranteeing the fundamental right to
data protection. The existence of the fundamental right to the protection of personal data
is not possible if their confidentiality, integrity and availability cannot be guaranteed.


It should not be forgotten that, in accordance with article 32.1 of the aforementioned
GDPR, the technical and organizational measures to be applied to guarantee a level of
security appropriate to the risk must take into account the state of the art, the costs
of implementation, the nature, scope, context and purposes of the processing, as well as
the risks of varying likelihood and severity to the rights and freedoms of natural
persons.

Therefore, IBERDROLA, when evaluating the risks and determining the appropriate technical
and organizational measures to guarantee a level of security appropriate to the risk to
the rights and freedoms of natural persons arising from the data processing it carries
out as processor, is obliged to take into account the specific activity that its business
entails, which involves processing personal data continuously and on a large scale
(numerous data to be collected, processed, stored…); the type of data processed
(identification, contact, data relating to the supply and consumption of electricity,
current accounts, etc.); and the context: the existence of web applications on the
Internet, that is, in a non-isolated environment, which entails risks derived from the
interconnectivity of the network itself that must be addressed in a specialized way, and
the existence of a database common to several companies with separation requirements
(physical or logical).

Therefore, by reason of the activity to which it is dedicated, IBERDROLA is obliged to
carry out a highly specialized risk analysis and to implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk that its
activity poses to the rights and freedoms of persons.

In the present case, as noted above, through the cyber attack suffered by a web
application of one of the Group companies, there was, in addition to unlawful access to
personal data processed by that company, unauthorized access to personal data of clients
of two other different companies and an unlawful exfiltration of those data, because it
was possible to circumvent or breach the logical separation existing in the database in
which the personal data of various companies of the Group are hosted and stored and which
IBERDROLA administers and manages


(…).

(…).


(…).

(…).


(…).

All of the above demonstrates that IBERDROLA did not have appropriate technical and
organizational measures to guarantee complete separation between the personal data of the
different companies for which it acts as processor, and hence to prevent a security
incident such as the one that took place in the present case and that CURENERGÍA and
IBERCLI suffered; that is, it did not apply appropriate technical and organizational
measures to ensure a level of security appropriate to the risk of its processing of
personal data.
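The separation failure the decision describes (one database shared by several companies, whose logical separation could be bypassed from one company's application) is the practical lesson a security engineer takes from this resolution. What follows is an added illustration, written for this page and not code from the decision or from any IBERDROLA system, of enforcing tenant scope in the data-access layer: the tenant filter is derived from the authenticated identity of the calling application rather than from a value the caller supplies, and a request outside that scope is refused and surfaced for detection instead of being served. The companies, customer rows, the `AppIdentity` type and all function names are constructed for the example.

```python
"""Logical tenant separation in a shared database (constructed example).

One SQLite table holds customer rows for several hypothetical companies.
`lookup_unscoped` shows the weak pattern, where the tenant filter is whatever
the caller asks for; `lookup_scoped` shows the hardened pattern, where the
tenant is bound to the caller's authenticated identity on every query.
"""
import sqlite3
from dataclasses import dataclass

# Constructed sample rows: hypothetical tenants (companies) sharing one database.
SAMPLE_CUSTOMERS = [
    ("company_a", "C-1", "Ana", "ana@example.invalid"),
    ("company_a", "C-2", "Bea", "bea@example.invalid"),
    ("company_b", "C-3", "Carlos", "carlos@example.invalid"),
    ("company_c", "C-4", "Dunia", "dunia@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with one customers table shared by all tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        " tenant TEXT NOT NULL, code TEXT NOT NULL, name TEXT, email TEXT,"
        " PRIMARY KEY (tenant, code))"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


@dataclass(frozen=True)
class AppIdentity:
    """Authenticated identity of a calling application (hypothetical type).

    In a real deployment this is taken from the application's credential
    (client certificate, service-account token, etc.), never from request data.
    """
    app_name: str
    tenant: str  # the single company whose data this application may read


class TenantScopeError(PermissionError):
    """Raised when a caller asks for data outside its own tenant."""


def lookup_unscoped(conn: sqlite3.Connection, requested_tenant: str, code: str) -> list:
    """Weak pattern: the tenant filter is whatever the caller supplies.

    Any application that can reach this function can read any tenant's rows
    simply by naming that tenant, so the "logical separation" is only as strong
    as every caller's honesty.
    """
    cur = conn.execute(
        "SELECT tenant, code, name, email FROM customers WHERE tenant = ? AND code = ?",
        (requested_tenant, code),
    )
    return cur.fetchall()


def lookup_scoped(conn: sqlite3.Connection, caller: AppIdentity,
                  requested_tenant: str, code: str) -> list:
    """Hardened pattern: the query only ever runs for the caller's own tenant.

    A requested tenant that differs from the caller's is refused (and is worth
    alerting on, since it is exactly the cross-tenant read the decision
    describes). The SQL is parameterised with caller.tenant, not with the
    requested value, so even a bypass of the check cannot widen the query.
    """
    if requested_tenant != caller.tenant:
        raise TenantScopeError(
            f"{caller.app_name} (tenant {caller.tenant}) requested tenant {requested_tenant}"
        )
    cur = conn.execute(
        "SELECT tenant, code, name, email FROM customers WHERE tenant = ? AND code = ?",
        (caller.tenant, code),
    )
    return cur.fetchall()


def cross_tenant_attempts(conn: sqlite3.Connection, caller: AppIdentity,
                          requests: list) -> list:
    """Run a batch of (tenant, code) lookups for one caller and return the refused
    ones; that list is the signal a detection rule or audit log would consume."""
    refused = []
    for tenant, code in requests:
        try:
            lookup_scoped(conn, caller, tenant, code)
        except TenantScopeError:
            refused.append((tenant, code))
    return refused


if __name__ == "__main__":
    db = build_db()
    portal_a = AppIdentity(app_name="portal_a", tenant="company_a")
    # The weak lookup hands company_b's customer to company_a's application.
    print(lookup_unscoped(db, "company_b", "C-3"))
    # The scoped lookup serves company_a's own rows and refuses the rest.
    print(lookup_scoped(db, portal_a, "company_a", "C-1"))
    print(cross_tenant_attempts(db, portal_a,
                                [("company_a", "C-2"), ("company_b", "C-3"), ("company_c", "C-4")]))
```

The design point is that the tenant boundary lives in one place that every query passes through and is keyed to an identity the application cannot choose; database-level controls such as per-tenant accounts or row-level security policies add a second, independent layer so that a single compromised application cannot reach beyond its own company's rows.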


Therefore, in accordance with the evidence available, it is considered that the known
facts constitute an infringement, attributable to IBERDROLA, for violation of article 32
of the RGPD.


                                           X
                 Classification of the violation of article 32 of the GDPR

The aforementioned violation of article 32 of the RGPD implies the commission of the
infringements typified in article 83.4 of the RGPD, which, under the heading “General
conditions for imposing administrative fines”, provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking,
up to 2 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39 and 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts
and conduct referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU)
2016/679, as well as those that are contrary to this organic law, constitute
infringements.”


For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“On the basis of the provisions of article 83.4 of Regulation (EU) 2016/679,
infringements that involve a substantial violation of the articles mentioned therein are
considered serious and shall be time-barred after two years, and in particular the
following:
(…)
       f) The failure to adopt those technical and organizational measures that are
       appropriate to guarantee a level of security appropriate to the risk of the
       processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.”

                                           XI


                  Penalty for violation of article 32 of the GDPR



For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available, the sanction to be imposed should be graduated
in accordance with the following criteria established in article 83.2 of the GDPR:


As aggravating factors:

- Article 83.2.a) RGPD: Nature, severity and duration of the infringement.

       -It is considered that the nature of the infringement is serious, since it has
       entailed a loss of confidentiality and, therefore, an irremediable loss of
       disposal and control over personal data.

       -Number of data subjects affected: the number of persons affected is very high,
       amounting to more than a million and a half people (1,607,550).


       -Level of damage suffered: High. Numerous personal data (…) of a very considerable
       number of clients (1,607,550) were stolen, the clients thereby losing all control
       over them, which entails a high risk of fraudulent use (identity theft, fraud,
       financial losses, etc.), thus emptying of content the fundamental right to the
       protection of personal data that, as indicated by the Constitutional Court in the
       Judgment outlined above, seeks to guarantee the person a power of control and
       disposal over their personal data, over their use and destination, with the
       purpose of preventing unlawful trafficking and harm to the dignity and rights of
       the affected person.


- Article 83.2.b) RGPD. Negligence on the part of IBERDROLA is observed in compliance with
and observance of the technical and organizational measures needed to guarantee the
security necessary for the protection of personal data, specifically to guarantee their
confidentiality. In this regard, it must be recalled that IBERDROLA is a large company
which carries out, as processor, large-scale processing affecting numerous natural
persons (according to the statements made by the three companies affected by the breach,
it processes data of at least 21 million people), so a higher level of diligence and
appropriate security measures are required to ensure the confidentiality of the personal
data it processes.


It is worth recalling, in this sense, the Judgment of the National Court of 10/17/2007
(rec. 63/2006), which, with respect to entities whose activity involves the continuous
processing of customer data, indicates: “…the Supreme Court has come to understand that
negligence exists whenever a legal duty of care is disregarded, that is, when the offender
does not behave with the required diligence. And in assessing the degree of diligence,
special consideration must be given to whether or not the subject is a professional, and
there is no doubt that, in the case now examined, when the activity of the appellant is
the constant and abundant handling of personal data, rigor and exquisite care must be
insisted upon in conforming to the legal provisions in this regard.”


As mitigating factors:

- Article 83.2.c) RGPD. Measures taken by the controller or processor to mitigate the
damage suffered by the data subjects: Positive. It was IBERDROLA which, upon detecting
performance and availability problems on the website, confirmed that it was a breach,
proceeded to block the attacker's IP and communicated the breach to I-DE, which may have
avoided a much more serious impact. It also managed the breach jointly with I-DE.

Likewise, it is considered appropriate to graduate the sanction to be imposed in
accordance with the following criteria established in paragraph 2 of article 76
“Sanctions and corrective measures” of the LOPDGDD:

As aggravating factors:

- Article 76.2.b) LOPDGDD. Link between the offender's activity and the processing of
personal data: The business activity that IBERDROLA carries out involves continuous and
large-scale processing of personal data. It is therefore a large company accustomed to
the processing of personal data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and article
76.2 of the LOPDGDD, with respect to the infringement committed by violating the
provisions of article 32 of the RGPD, allows a fine of €1,000,000 (one million euros) to
be set.




Therefore, in accordance with the applicable legislation and having assessed the criteria
for graduating the sanctions whose existence has been proven, the Director of the Spanish
Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on IBERDROLA, S.A., with NIF A48010615, for an infringement of Article
5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, an administrative fine of
2,000,000 euros (two million euros).

SECOND: TO IMPOSE on IBERDROLA, S.A., with NIF A48010615, for an infringement of Article
32 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 1,000,000 euros (one
million euros).

THIRD: TO NOTIFY this resolution to IBERDROLA, S.A.

FOURTH: This resolution will be enforceable once the period for filing the optional
appeal for reconsideration (one month from the day following notification of this
resolution) has elapsed without the interested party having made use of this right. The
sanctioned party is warned that it must pay the sanction imposed once this resolution is
enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of the Public Administrations
(hereinafter LPACAP), within the voluntary payment period established in art. 68 of the
General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in
relation to art. 62 of Law 58/2003, of December 17, by payment, indicating the NIF of the
sanctioned party and the procedure number appearing in the heading of this document, into
the restricted account IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the
Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will
be collected during the enforcement period.


Once notification has been received and once the resolution is enforceable, if the date
on which it becomes enforceable falls between the 1st and 15th of the month, both
inclusive, the voluntary payment period will run until the 20th of the following month or
the next business day thereafter, and if it falls between the 16th and the last day of
the month, both inclusive, the payment period will run until the 5th of the second
following month or the next business day thereafter.

In accordance with the provisions of article 76.4 of the LOPDGDD, and given that the
amount of the penalty imposed is greater than one million euros, the information
identifying the offender, the infringement committed and the amount of the penalty will be
published in the Official State Gazette.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be
made public once it has been notified to the interested parties.

Against this resolution, which puts an end to administrative proceedings in accordance
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of
the LPACAP, the interested parties may optionally file an appeal for reconsideration
before the Director of the Spanish Data Protection Agency within one month from the day
following notification of this resolution, or directly a contentious-administrative
appeal before the Contentious-Administrative Chamber of the National Court, in accordance
with the provisions of article 25 and paragraph 5 of the fourth additional provision of
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within
two months from the day following notification of this act, as provided for in article
46.1 of the aforementioned Law.


Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be provisionally suspended through administrative
channels if the interested party expresses its intention to file a
contentious-administrative appeal. If this is the case, the interested party must formally
communicate this fact in writing addressed to the Spanish Data Protection Agency,
submitting it through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries
provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also
send the Agency the documentation proving the effective filing of the
contentious-administrative appeal. If the Agency is not aware of the filing of the
contentious-administrative appeal within two months from the day following notification
of this resolution, the precautionary suspension will come to an end.


                                                                               938-16012024
Mar España Martí

Director of the Spanish Data Protection Agency







































































