AEPD (Spain) - PS-00246-2022
AEPD - PS-00246-2022
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 33 GDPR
National Case Number/Name: PS-00246-2022
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
The Spanish DPA fined a magazine company €31,200 for violating Articles 5(1)(f), 32, and 33 GDPR because of a personal data security breach caused by vulnerabilities on its website. The controller also failed to notify the DPA about this data breach on time.
English Summary
Facts
On 22 October 2021, the controller, a producer of children's educational magazines, received an e-mail from the individual in charge of its web portal. This individual stated that an external person claiming to be a security researcher had managed to access the company's data as a result of a vulnerability in the website. The researcher provided a screenshot showing the names of the tables in the database as proof, but did not provide proof that data had actually been leaked.
The controller carried out an internal investigation. It stated that this was a case of ethical hacking without malicious intent, since the researcher had notified the web portal manager about the vulnerabilities. The database contained location information and contact details of data subjects. This data was originally collected through a registration form. Nearly 470,000 people were affected by the breach. The controller sent the affected data subjects an e-mail informing them about access to the database by an unauthorised third party. One data subject filed a complaint with the Spanish DPA after receiving the e-mail.
The DPA started an investigation, in the course of which the controller stated that it had hired a security contractor to fix the issues. The controller also argued that its web portal manager had fixed all the vulnerabilities that enabled the unauthorised access. It had also implemented security incident protocols and regular audits and had provided encryption for the stored data.
Holding
First, the DPA confirmed that the personal data of the data subject had been unlawfully disclosed to a third party from the database of the controller. Therefore, the controller violated Article 5(1)(f) GDPR. The DPA considered several aggravating factors, such as the fact that in some cases the leaked data concerned minor children.
Second, the DPA held that the controller failed to implement appropriate technical and organisational measures to ensure an adequate level of security, breaching Article 32 GDPR. The risk analysis that the controller provided was the output of the DPA's own ‘GESTIONA EIDP’ tool. This tool informs data subjects, controllers and DPOs about basic aspects that must be taken into account for adequate data protection, prior to carrying out proper risk management. The DPA held that the tool only provides guidance on basic elements of risk analysis for processing operations and impact assessments. In this case, there was no link between the measures implemented by the controller and the risk analysis. Therefore, it could not be held that the measures were deployed to mitigate a certain level of risk. The DPA again considered, among other factors, the fact that part of the leaked data concerned minor children, and treated this as an aggravating factor.
Finally, the DPA found a violation of Article 33 GDPR. The DPA stated that the controller knew it had suffered a data breach on 28 October 2021 and only informed the DPA on 11 November 2021. The controller had therefore notified the DPA almost two weeks after becoming aware of the data breach. Again, the DPA considered, among other factors, the fact that the leaked data concerned minor children, and treated this as an aggravating factor.
The DPA fined the controller €52,000 for all the violations combined. This was reduced to €31,200 because the controller had already paid part of the fine voluntarily.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202200399

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and on the basis of the following

BACKGROUND

FIRST: On July 18, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against BAYARD REVISTAS, S.A. (hereinafter, the claimed party), by means of the Agreement transcribed below:

<< File No.: EXP202200399

AGREEMENT TO INITIATE A SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency (AEPD) and on the basis of the following:

FACTS

FIRST: D.A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on November 27, 2021. The claim is directed against BAYARD REVISTAS, S.A. with NIF A78874054 (hereinafter, BAYARD). The grounds on which the claim is based are as follows:

The complaining party informs this Agency that he has received an e-mail from the person in charge of the web portal ***URL.1, in which he was informed of unauthorised access to the database by an unauthorised third party, BAYARD being the controller. According to the e-mail, the data affected were the location and contact data of the people who had provided their information on the website through the registration form. The person in charge states that he has resolved all the vulnerabilities that enabled the attack, has implemented the protocols to be followed in the event of a data protection incident, and has adopted a series of measures, including the encryption of stored information.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

Attached to this claim is a screenshot of the e-mail received on November 19, 2021, warning of the breach.

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the claim was transferred to BAYARD so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements set out in the data protection regulations.

The transfer was sent on January 21, 2022 by electronic notification, in accordance with Article 41 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP). This notification was automatically rejected after ten calendar days had elapsed from its availability for access, in accordance with paragraph 2 of Article 43 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; the transfer was reiterated by certified mail dated February 1, 2022, which was returned with the status "unknown", without it being possible to locate the controller.

THIRD: On February 23, 2022, in accordance with Article 65 of the LOPDGDD, the claim filed by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts at issue, by virtue of the investigative powers granted to supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD. On March 1, 2022, BAYARD was required to provide information in order to clarify the aspects related to the security breach giving rise to the claim. The request for information was sent by electronic notification, in accordance with Article 41 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP).

This notification was also automatically rejected after ten calendar days had elapsed from its availability for access, in accordance with paragraph 2 of Article 43 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations; the request was reiterated by certified mail dated March 14, 2022, but using a fiscal address different from the one used for the transfer, obtained from the controller's website. This last request was successful, with an acknowledgment of receipt dated March 22, 2022.

FIFTH: On April 6, 2022, a response to said request for information was received.

SIXTH: Within the framework of the aforementioned preliminary investigation actions, a further request for information was made, dated April 25 of that same year.