AEPD (Spain) - PS/00268/2022

From GDPRhub
Revision as of 09:16, 31 October 2022 by Michelle.ayora (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS-00268-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 25(1) GDPR
Article 32 GDPR
Article 33 GDPR
§72(1) LOPDGDD
§73(1)(d) LOPDGDD
§77 LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 0 EUR
Parties: Madrid Public Health Service
National Case Number/Name: PS-00268-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Public Health Service of Madrid was officially reprimanded for the violation of Articles 5(1)(f), 25(1), 32 and 33 GDPR due to a website failure which resulted in the exposure of personal data. The system was launched to allow citizens to get a vaccination appointment against Covid-19.

English Summary

Facts

A consumer association (FACUA) submitted a complaint against the Regional Ministry of Health (Madrid Public Health Service), the controller, due to a defective appointment system put in place on the controller’s website to allow citizens to request the Covid-19 vaccine.

The website was affected by a security breach which responded to a session cookie (a cookie which starts when you launch a website or web app and ends when you leave the website or close your browser window) which combined with the editing of the URL (Uniform Resource Locator) by adding a national ID card number allowed the access to additional data subjects’ information such as name and surnames, date of birth, telephone numbers, gender, and ID healthcare card numbers. Furthermore, the website had insufficient blocking mechanisms in cases of multiple authentication login attempts and the controller did not communicate the incident to the DPA.

The Spanish DPA requested the controller detailed information regarding facts of the incident, causes, the number of affected people, category of the data exposed, consequences, actions carried out to solve the incident and reduce its impact, notification to the data subjects, justification of the lack of information to the DPA and security measures adopted previously to the security breach including documents containing risk and impact assessments, and activity register about the processing activities affected by exposure.

The controller claimed that the launch of the system was to attend to the urgency of the population’s vaccination in May and June 2021, a critical moment for the management of the pandemic that obliged the creation of multiple tools; that they fixed the system as soon as they were aware of the breach, and they have improved and updated the system as well as implemented security measures such as the reduction of information to be exchanged between the user’s browser and the server (by eliminating the phone number and gender), two-step identification verification system, and that the security measures implemented on the controller’s IT applications are according to the Madrid Autonomous Community’s standards which included security measures.

The controller’s allegations were extended, justifying the failure to communicate the data breach to the DPA due to their evaluation of the lack of damage to the data subject’s freedoms.

Holding

Although the DPA valued positively the security measures implemented, it found a violation of Articles 5(1)(f), 25(1), 32 and 33 GDPR.

Regarding Article 5(1)(f) GDPR, the DPA stated that personal data contained in the controller’s database were unlawfully exposed to third parties. Considering the national legislation (Article 72.1 LOPDGDD) this violation is considered a very serious violation.

About Article 25(1) GDPR, it’s stated that the application of appropriate technical and organizational measures was not achieved due to the described system’s failure. Considering the national legislation (Article 73.1(d) LOPDGDD) this violation is considered a serious violation.

Moreover, for the DPA, at the time of the data breach occurrence, the controller did not fulfil the appropriate technical and organizational measures to avoid the incident since the system did not have a two-step authentication nor did the personal data appear pseudonymized which resulted in the violation of Article 32 GDPR. This is considered a serious violation under national law (Article 73.1(f) LOPDGDD).

In addition, the controller did not notify the data breach within the legal term which implies a violation of Article 33 GDPR; being this considered a serious violation under the national law (Article 73.1(f) LOPDGDD).

Finally, the Spanish DPA insisted that Articles 25.1 and 32 GDPR highlight the need for the implementation of appropriate technical and organizational measures according to the risk both when deciding the purposes and the means and in the moment of the processing itself to have an effective application of the data protection principles, guaranteeing an adequate security level for that risk. In the present case, the urgency due to a sanitary emergency cannot be accepted as an exemption since the launch of a defective application which exposed personal data on a large scale could cause greater chaos than the one it is trying to avoid.

Article 77 of the national law (LOPDGDD) foresees that Public Administration offices must be reprimanded for the violation of data protection legislation, not applying a financial penalty.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/23








     File No.: PS/00268/2022

               RESOLUTION OF PUNISHMENT PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND


FIRST: ASSOCIATION OF CONSUMERS AND USERS IN ACTION OF
MADRID FACUA, (hereinafter, FACUA), on June 14, 2021 filed
claim before the Spanish Data Protection Agency. The claim is
directed against the MINISTRY OF HEALTH OF THE COMMUNITY OF MADRID, with NIF
S7800001E, (hereinafter COUNSELING). The grounds on which the claim is based are

the following:

-That, due to a programming error, data from
personal character (DNI, telephone number, date of birth and numbers of
health identification) of citizens when accessing the self-citation website, activated by
the Community of Madrid on May 24. This platform of the Community of Madrid

has been created so that citizens who had not yet received any dose of
the COVID-19 vaccine could schedule an appointment for your vaccination, depending on
has been able to check the digital communication medium EL DIARIO.ES.

Together with the claim, a screenshot of the application's home page is provided.

COVID self-citation from the Ministry of Health of the Autonomous Community of Madrid, and
the news published by elDiaro.es on 06/15/2021, which includes a screenshot of the
data that appears in said application, although in the one attached as an example
anonymized all except the name "A.A.A."


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the claim presented by FACUA was transferred to the
MINISTRY, to proceed with its analysis and inform this Agency in the
period of one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.


The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on 06/18/2021 as recorded in the
acknowledgment of receipt that works in the file.


No response has been received to this transfer letter.

THIRD: On September 10, 2021, in accordance with article 65 of
the LOPDGDD, the claim presented by the FACUA was admitted for processing.


FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
question, by virtue of the functions assigned to the control authorities in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/23









article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and

in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:


INVESTIGATED ENTITY
During these proceedings, the following entity has been investigated:

MINISTRY OF HEALTH OF THE COMMUNITY OF MADRID, with NIF S7800001E

with address at C/ MELCHOR FERNÁNDEZ ALMAGRO, Nº 1 - 28029 MADRID
(MADRID)



















































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/23








RESULT OF THE INVESTIGATION ACTIONS

1.- On June 10, 2021, the digital medium ElDiario.es publishes an article in
which reported, among others, the following:

       “The Community of Madrid activated its self-citation system on May 24

       by age groups so that citizens who had not yet received
       no doses of the COVID-19 vaccine could schedule an appointment.
       From that day and until this Thursday, the web page enabled by the Ministry
       of Health to request that citation has had a security breach that has
       affected all people with a health card in the region, according to

       been able to check elDiario.es.
       Due to a programming error, the page left the name

       complete, DNI, telephone number, date of birth and the numbers of
       both regional and national health identification of any
       citizen when an appointment request was made with his CIPA number (Code
       of Personal Identification of the Community of Madrid).

Said article also publishes what it claims are the data of a citizen
affected by the security breach of the “self-appointment” portal to be vaccinated against the
coronavirus of the Community of Madrid, in which it can be seen that in the web code
the data corresponding to the following fields are crossed out: NIF, name,

surname1, surname2, date of birth, phone number, gender and the numbers of
both regional and national health identification.
In the image published by the media, it can be seen that in the tab

"network", within the browser inspection tool, a JSON (database notation)
JavaScript object, is a simple text format for data exchange) in the
that the aforementioned data appears with the content hidden
willfully.

The article also mentions that this information was not visible to the naked eye, but rather
was present in the computer code of the Web and that to access it you had to
enable the browser's developer tools, an option that is
available to any user but not usually used without some knowledge
prior technicians.

It also informs that the gap has been closed after receiving a notice from
of the media.

2.- On October 5, 2021, the data inspection was requested from the
MINISTRY OF HEALTH OF THE COMMUNITY OF MADRID, hereinafter the
Counseling, the following documentation and information:

    1. Detailed and chronological description of the events that occurred.

    2. Detailed specification of the causes that have made the incident possible.

    3. Number of people affected by the data security breach
       personal.

    4. Category of personal data involved.
    5. Possible consequences for affected people.

    6. Detailed description of the actions taken to solve the incident and
       minimize its impact on affected people.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/23








    7. Security measures of personal data processing adopted with
       prior to the incident, as well as supporting documentation of the Analysis
       of Risks that has entailed the implementation of said security measures

       and, if applicable, a copy of the Impact Assessments of the treatments where
       The personal data security breach has occurred.
    8. Copy of the Activity Record of the treatments where the

       incident.
    9. If the security breach has been notified to the affected people, indicate

       than the channel used, date of the communication and details of the message sent.
       If not, indicate the reasons.
    10. Reason why the breach has not been notified within 72 hours of the

       happened.
    11. Any other that you consider relevant.

Said requirement was notified through the Electronic Address service
Enabled Unique and was accepted by the recipient on October 10, 2021, according to

accredit this service.
On October 21, 2021, a letter is received from the Delegate Committee for the Protection of
Details of the Ministry requesting an extension of the term to respond to the

request.
3.- After the period given to respond to the request for information without obtaining

response, dated December 1, 2021, the request for information was reiterated to the
Counseling, through the Single Enabled Electronic Address service and was
accepted by the recipient on December 2, 2021, as evidenced by said
service.

4.- In the absence of a response to the data inspection requirements, dated
March 14, 2022 the Director of the Spanish Agency for Data Protection
agrees to initiate a sanctioning procedure against the Ministry, for the infraction of the
Article 58.1 of the General Data Protection Regulation (RGPD), typified in the

art. 83. 5 e) of the aforementioned RGPD, within the framework of which, the claimed body alleges that
the Delegate Committee for Data Protection of the Ministry, in the exercise of its
functions, sent a response to the request for data inspection through
document dated February 1, 2022 with reference to the Filing Registry
REGAGE22e00002434053 and provides proof of presentation documentation in the

record and copy of the letter of attention to the request for information, in which
reveal the following:

Regarding the causes that made the incident possible:
- After analyzing the facts, they conclude that the failure detected related to this
    information system is due to an exposure of data information

    personal (public) accessed through a valid session cookie, and editing
    the URL accessed one of the input fields called "idPatient" with a DNI
    valid. In this way, a series of personal data can be displayed
    corresponding to the person with the DNI used. Additionally, it is found that
    the web application had insufficient blocking mechanisms before

    retries when entering the authentication data (Code of
    Autonomous Population Identification [CIPA], Date of birth and DNI) for
    request the appointment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/23








Regarding the affected data

- There is no record in the Ministry of Health that the failure occurred has
    affected any citizen, beyond the information published in the media
    Communication. Likewise, there is no evidence that there has been
    any damage to the freedoms and rights of citizens.

- Only identification data of the users could have been affected.
    citizens: Name and Surname, CIPA, Date of birth, Patient ID, DNI,
    Phone number, Gender.

- There is no record in the Ministry of Health that there has been a
    damage to the freedoms and rights of citizens, without any evidence of
    until the date that material or immaterial damage has been derived in the
    citizens who may have been affected. The correction of this

    vulnerability was prior to its dissemination in the media.
Detailed description of the actions taken to solve the incident and minimize
its impact on affected people:

- The application was modified in order to improve the
    information system and the version was uploaded, being the following
    the most relative changes:

    June 9th:

     Minimize the information to be exchanged between the user's browser and
    the server. Only information that is displayed on the screen or that the
    user has previously entered. No number is exchanged in any case
    telephone, CIP SNS (Population Identification Code of the National System of

    Health), sex. The rest (date of birth, name and surname), are shown by
    screen.

     Request the verification code sent by SMS as a first step, nothing more
    enter the identification data.
     Do not return specific error codes, only generic ones.

    The data required in the identification process is increased, offering two
    possibilities to the user:

               o CIPA + Date of birth + DNI

               o DNI/NIE/PASSPORT + Date of birth + First surname
- The design of the application architecture does not allow the modification of the data

    of user affiliation. Because the application makes use of a database
    independent and the requested mobile is only used as part of the OTP
    implemented to validate the appointment request.

Regarding security measures
- The SERMAS development team uses a development methodology

    continuously updated collected in (...) in the Ministry of Health of the
    Madrid's community.

    They provide a copy of (...), whose objective is to have the standards that must be
    fulfill the applications from the technical and functional point of view, as well as the
    whitepapers describing the platforms with which they should be integrated
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/23








    the same. The indications and guidelines (...) are mandatory for
    all the development of new applications for the DGSIS.

- The point (...) establishes with respect to the access to the applications of the citizens what
    Next:

    (…)

- Manifest in relation to the impact assessment (EIPD) on the present
    treatment, taking into account its nature, scope, context and purposes, as well as

    that in the present treatment there is no systematic evaluation and
    exhaustive of personal aspects that is based on automated processing,
    nor is there a treatment of special categories of data. Therefore, it
    considers that in the present treatment it is not necessary to carry out a
    EIPD.

5.- It has been verified by data inspection that the Internet Archive (library
managed by a non-profit organization containing millions of

Internet pages recorded since 1996) has registered the web page
https://autocitavacuna.sanidadmadrid.org existing on June 14, 2021,
in which it can be verified that to request an appointment for the vaccine, it is requested
only the CIPA code and in case of not having said code, a DNI is requested and
Date of Birth.





































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/23








CONCLUSIONS

- Regarding the causes that have made possible the incident published in
    ElDiario.es, the representative of the Ministry states that, after analyzing the
    facts conclude that the failure detected related to this system of
    information is due to an exposure of personal data information
    (public) accessed via a valid session cookie, and editing the URL
    accessed one of the input fields called "idPatient" with a valid DNI.

    This explanation is inconsistent with the security incident reported to this
    Agency by FACUA, incident in which personal data was left
    exposed when making an appointment request with a CIPA number (Code of
    Personal Identification of the Community of Madrid) existing. It has been proven
    for the inspection of data that the Internet Archive maintains the website
    https://autocitavacuna.sanidadmadrid.org existing on the date of June 14,

    2021, in which it can be verified that to request an appointment for the vaccine,
    only requests the CIPA code and in case of not having said code,
    request ID and date of birth.

    On the other hand, the representative of the Ministry recognizes that, among the actions
    taken to solve the incident, the information has been reduced to a minimum.
    exchange between the user's browser and the server. only broadcast
    information that is displayed on the screen or that the user has entered
    previously. Telephone number is not exchanged in any case, CIP SNS
    (Population Identification Code of the National Health System), sex. The

    rest (date of birth, name and surname), are displayed on the screen. Also,
    The data required in the identification process has been increased, offering
    two possibilities for the user: CIPA + Date of birth + DNI or
    DNI/NIE/PASSPORT + Date of birth + First surname.

- Regarding security measures, the Madrid Health Service (SERMAS)

    dependent on the Ministry, uses a methodology for the development of
    computer applications that is collected in (...) of the Community of Madrid.

       o The (…) related to authentication establishes regarding access to
           Citizen applications the following:


           (…)
           It has been verified by data inspection that the Internet Archive

           maintains the existing website https://autocitavacuna.sanidadmadrid.org
           on the date of June 14, 2021, in which it can be verified that for
           request an appointment for the vaccine, only the CIPA code is requested and in case
           If this code is not available, ID and date of birth are requested.

       o The (...) called (...) establishes, among others, the following:

              (…)

              It is unknown if the Ministry has carried out a risk analysis,
              as established by the methodology (...).

       o The same (...) establishes the following:

              (…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/23








              It is unknown if tests and analyzes have been carried out
              of this treatment by the Security Office, according to
              establishes the methodology (...).


FIFTH: On July 15, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,

for the alleged infringement of Article 5.1.f) of the RGPD, Article 33 of the RGPD, Article
25 of the RGPD and Article 32 of the RGPD, typified in Article 83.5 of the RGPD.

Once the Start Agreement was notified, the MINISTRY presented a brief of allegations in the
which in summary stated:


-That in the months of May and June 2021, we were at a very
critical related to the management of the pandemic. In this period, when the
vaccination process for the general population - albeit in a staggered manner
age groups-, the organization and opening of said
process massively and, consequently, it was necessary to offer a

system with clear and simple information on the process to be followed by the
citizenship and the urgency required for its adoption at the organizational level, including
also several channels to facilitate citizen citations.
This state of health emergency made it necessary to develop a
large number of new tools with great speed to be able to provide the best

service to citizens by developing and deploying the citation process
for vaccination in an agile way in authorized centers, even allowing the
citizen to select the time and center of his preference, which facilitated the
Community of Madrid reached a high number of vaccinated population,
contributing with said action to be able to face this situation of

pandemic as soon as possible, and facilitate the mobility of the population before the start of
periods traditionally considered as vacations in which there would be
the mobility of the population.

       -In this regard, this Agency recalls that both article 25.1 of the RGPD
       as 32 of the same legal text, stress the need that, both in the

       time of determining the means of treatment as well as at the time of
       treatment itself, the controller adopts technical and organizational measures
       appropriate to effectively apply the principles of data protection
       and guarantee a level of security appropriate to the risk, without being able to accept
       as excuse the circumstance of urgency alleged by health emergency.

       It is not possible to appreciate, in the present case, a state of necessity that justifies the
       put into production of a faulty application, which allowed access to
       personal data of a large number of citizens, without making
       previously the necessary checks to determine its correct
       operation, and whose use can cause greater harm than that which is

       intends to avoid.

-That in the initial agreement reference is made in the section “Regarding the
security measures” to the point (…), which is generic, and which for Self-citation is
enabled other access procedures so that citizens who do not
had a Health Card of the Community of Madrid, they could request the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/23








vaccination through the website. They consider, therefore, that the reference (...)
should be deleted as it bears no relation to this particular case.


       -In this regard, this Agency has simply reflected the information
       provided by the MINISTRY itself in its response to the request for
       information made by the AEPD, in which they attach a (...) to which they make
       reference in paragraph 6 of your answer:

       “6. Security measures of personal data processing adopted

       prior to the incident, as well as supporting documentation of the
       Risk Analysis that has led to the implementation of said safety measures
       security and, if applicable, a copy of the Impact Assessments of the
       treatments where the data security violation has occurred
       personal”.


       And that, according to the MINISTRY itself, is the development methodology
       used.

-That measures have been established for the continuous improvement of crisis management and
cyber incidents, focused on the prevention, detection and response to incidents of

security. Specifically, the following measures have been implemented to
strengthen security:

• The process of development and start-up of applications has been reviewed, such as
part of the continuous improvement process in the development and commissioning cycle of

applications, with special emphasis on the following aspects:

       o Reinforcement of the resources allocated to the prior validation of the security of the
       application before going into production.
       o Reinforcement of penetration testing and analysis methods

       code to all self-developed systems and will not be put into production
       even with solving the possible vulnerabilities detected.
       o Reassessment of all self-developed systems to verify that they
       the vulnerabilities with High or Critical typology have been corrected,
       detected during the “pentest” phase.


• The (...) has been reviewed, updating the main areas to take into account when
of developing applications, as well as the main tasks tasks to consider
when implementing applications in the Continuous Integration structure and
Continuous Deployment in the CSCM, in order to have the highest standards
that the applications must comply with from the technical point of view and

functional, as well as the technical documents that describe the platforms with which
which must be integrated.

• Use cases in security audits have been improved.


Lastly, it is relevant to mention that work is currently being done on a
project to adopt a tool (...).



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/23








       -In this regard, this Agency values positively the adoption of new
       measures that result in greater security in terms of the treatment of
       personal data refers and that can prevent, in the future, incidents

       such as the one substantiated in this proceeding.

-That the (...) is part of the security regulatory body of the CSCM and is
is qualified as a RESTRICTED USE document, so it is
considered a controlled release document and its use is restricted to personnel
organization, since its public dissemination may pose a risk

for security. The content (...) constitutes confidential information whose dissemination,
outside the organization or the scope of the people who do not need to know said
information, it can cause damage or cyberattacks on the
services considered essential by law.
Therefore, it is required that such information, given its extraordinary sensitivity, be

object of reservation and, consequently, that information about the content is not displayed
(...) in the Resolution that falls on this procedure and that could, in its
case, be published.

       -In this regard, this Agency states that the documentation contained in the
       file is used exclusively to carry out an exhaustive and correct

       instruction of the same, not being, in any case, of public access. Even
       in the event that in the resolution that falls some type of
       information of restricted use, it would be anonymized as a step
       prior to publication.



SIXTH: On August 12, 2022, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction the MINISTRY OF HEALTH, with NIF S7800001E,


-Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the
GDPR, with a warning.

-For an infringement of Article 25 of the RGPD, typified in article 83.4 of the RGPD,
with a warning.


-For an infringement of Article 32 of the RGPD, typified in article 83.4 of the RGPD,
with a warning.

-For an infringement of Article 33 of the RGPD, typified in article 83.4 of the RGPD,
with a warning.


SEVENTH: Once the proposed resolution has been notified, the MINISTRY presents a new
brief of allegations in which, in summary, reproduces those already presented to the Agreement
Home, and adds that:


– Of the notification to the AEPD. As stated in the first letter sent to the AEPD
in relation to this sanctioning procedure, depending on the level of risk of the
incidence, taking into account the low volume of data that could have been
affected, the typology of the same, being only data of a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/23








identification, and the non-existent impact caused on the interested parties, it was estimated that
it was mandatory to inform the Control Authority.
Thus, article 33 of the RGPD states that "In case of violation of the security of

personal data, the person responsible for the treatment will notify the authority of
competent control in accordance with Article 55 without undue delay and, if
possible, no later than 72 hours after you have been aware of it, to
unless such breach of security is unlikely to constitute a risk
for the rights and freedoms of natural persons”.


Therefore, in the present case, as we have indicated, taking into account that neither
At that time, nor currently, there is evidence that no citizen has
suffered negative consequences on their rights and freedoms, taking into account
further consideration that a significant number have not been affected
of personal data, nor have been affected special category data of the

citizens, it was considered at the time that such communication was not necessary
since it was unlikely to constitute a risk to the rights and
freed citizens.

– Security measures initially taken. In addition to the above, as indicated
In the initial communication to the AEPD, from the design the tool had

adequate security measures to avoid, so much so that the impact of possible
security incidents were high, as they happened.

Thus, in the first letter sent, it was already indicated that at all times the
communication between the user and the SERMAS servers are secured. The

The design of the application architecture does not allow the modification of the data of
user affiliation. Because the application makes use of a database
independent and the requested mobile is only used as part of the OTP (One
Time Password) implemented to validate the appointment request.


In the same way and to correct what happened, once the failure was known and
identified the same, before it was published in the media,
We proceeded to make the modification of the application in order to improve the
information system and the version was uploaded, being the following
the most relative changes:


June 9th:
(…)

In view of everything that has been done, by the Spanish Data Protection Agency
In this proceeding, the following are considered proven facts:


                                PROVEN FACTS

FIRST: It is proven that on 05/24/2021, the MINISTRY activated a
self-appointment system so that citizens could request an appointment to be vaccinated

against COVID-19.

SECOND: It is proven that there was a failure in the system, due to which
personal data (public) were exposed by accessing through a cookie of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/23








valid session, and editing the URL accessed one of the input fields called
"idPatient" with a valid DNI.


THIRD: It is proven that the web application had mechanisms for
Insufficient blocking before retries when entering the authentication data.

FOURTH: It is proven that, after becoming aware of the security breach,
the MINISTRY did not communicate it to the AEPD.


                           FOUNDATIONS OF LAW

                                           Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

control authority and as established in articles 47 and 48.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”


                                           II
In relation to the arguments presented to the resolution proposal, the
MINISTRY reiterates those already presented above and adds that:

1-Regarding the notification of the breach to the AEPD, depending on the level of risk

of the incidence, taking into account the low volume of data that could have been
affected, the typology of the same, being only data of a
identification, and the non-existent impact caused on the interested parties, it was estimated that
it was mandatory to inform the Control Authority.

In the present case, taking into account that, neither at that time, nor currently,

there is evidence that no citizen has suffered negative consequences in
their rights and freedoms, taking into account additionally that they have not been
a significant number of personal data have been affected, nor have they been affected
special category data of citizens, it was estimated at the time that said
communication was not necessary since it was unlikely that a

risk to the rights and freedoms of citizens.

       -In this regard, this Agency indicates that it has not been submitted by the
       COUNSELING an assessment of risks actually carried out, resulting, by
       Therefore, very indeterminate the concept of: "it was unlikely that it would be constituted

       a risk to the rights and freedoms of citizens”

2- Security measures initially taken. In addition to the above, as indicated
In the initial communication to the AEPD, from the design the tool had

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/23








adequate security measures to avoid, so much so that the impact of possible
security incidents were high, as they happened.


       -In this regard, this Agency confirms that, in fact, the incidents
       materialized, that a fault was detected in the system, due to a
       exposure of personal (public) data information accessed through
       a valid session cookie, and editing the URL accessed one of the fields
       entry called "idPatient" with a valid DNI.
       Additionally, it was found that the web application had mechanisms for

       Insufficient blocking before retries when entering the data of
       authentication.

                                            III
Article 5.1.f) “Principles related to treatment” of the RGPD establishes:


"1. The personal data will be:
(…)

f) processed in such a way as to ensure adequate security of the data
including protection against unauthorized or unlawful processing and against

its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational structures (“integrity and confidentiality”).”

In the present case, it is stated that the personal data of those affected, contained in the
database of the MINISTRY, were unduly exposed to a third party,

according to the news published in elDiario.es.

From the investigation carried out in this proceeding, it is concluded that the
CONSEJERIA has violated the provisions of article 5.1.f of the RGPD.


                                            IV
The infringement is typified in article 83.5 of the RGPD that under the heading "Conditions
rules for the imposition of administrative fines” provides:

“The infractions of the following dispositions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for
the largest amount:

a) the basic principles for the treatment, including the conditions for the

consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that:

“The acts and behaviors referred to in sections 4,

5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/23








For the purposes of the limitation period, article 72 “Infringements considered very
serious” of the LOPDGDD indicates:


"1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:

a) The processing of personal data violating the principles and guarantees

established in article 5 of Regulation (EU) 2016/679. (…)”

                                          v
Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in
its section 7 the following:


“7. Without prejudice to the corrective powers of the control authorities under the
Article 58(2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and organizations
public authorities established in that Member State.


For its part, article 77 “Regime applicable to certain categories of
responsible or in charge of the treatment” of the LOPDGDD provides the following:

"1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:

       (…)
       c) The General Administration of the State, the Administrations of the
       autonomous communities and the entities that make up the Local Administration.
       (…)


2. When those responsible or in charge listed in section 1 committed
any of the infractions referred to in articles 72 to 74 of this law
organic, the data protection authority that is competent will dictate
resolution sanctioning them with a warning. The resolution will establish
also the measures that should be adopted to stop the behavior or correct it.
the effects of the infraction that had been committed.


3. Without prejudice to what is established in the previous section, the data protection authority
data will also propose the initiation of disciplinary actions when there are
sufficient evidence for it. In this case, the procedure and the sanctions to be applied
will be those established in the legislation on disciplinary or sanctioning regime that

result of application.

Likewise, when the infractions are attributable to authorities and managers, and
proves the existence of technical reports or recommendations for the treatment that
had not been duly attended to, in the resolution imposing the

The sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official State or Autonomous Gazette that
correspond.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/23








(…)
5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued

under this article. (…)”


                                           SAW
Article 25.1 of the RGPD indicates:


"1. Taking into account the state of the art, the cost of the application and the
nature, scope, context and purposes of the treatment, as well as the risks of various
probability and seriousness that the treatment entails for the rights and freedoms of
natural persons, the data controller will apply, both at the time of
determine the means of treatment as at the time of the treatment itself,

appropriate technical and organizational measures, such as pseudonymisation, designed
to effectively apply the principles of data protection, such as the
minimization of data, and integrate the necessary guarantees in the treatment, in order to
comply with the requirements of this Regulation and protect the rights of
interested.”


In the present case, it is known that a fault has been detected in the system, due to a
exposure of personal (public) data information accessed through a
valid session cookie, and editing the URL accessed one of the input fields
called "idPatient" with a valid DNI. Additionally, it is detected that the application
website had insufficient blocking mechanisms against retries at the time of

enter the authentication data.

From the investigation carried out in this proceeding, it is concluded that the
CONSEJERIA has violated the provisions of article 25.1 of the RGPD,


                                           7th
The infringement is typified in article 83.4 of the RGPD that under the heading "Conditions
rules for the imposition of administrative fines” provides:

“The infractions of the following dispositions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or,

in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual turnover of the previous financial year, opting for
the largest amount:

       a) the obligations of the person in charge and the person in charge pursuant to articles 8,

       11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that
“The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result

contrary to this organic law.

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/23









“Based on the provisions of article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the
following:

       (…)
       d) The lack of adoption of those technical and organizational measures that
       are appropriate to effectively apply the principles of protection

       of data from the design, as well as the non-integration of the guarantees
       necessary in the treatment, in the terms required by article 25 of the
       Regulation (EU) 2016/679. (…)

                                         viii

Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in
its section 7 the following:

“7. Without prejudice to the corrective powers of the control authorities under the
Article 58(2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and organizations

public authorities established in that Member State.

For its part, article 77 “Regime applicable to certain categories of
responsible or in charge of the treatment” of the LOPDGDD provides the following:


"1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:

       (…)
       c) The General Administration of the State, the Administrations of the

       autonomous communities and the entities that make up the Local Administration.
       (…)

2. When those responsible or in charge listed in section 1 committed
any of the infractions referred to in articles 72 to 74 of this law
organic, the data protection authority that is competent will dictate

resolution sanctioning them with a warning. The resolution will establish
also the measures that should be adopted to stop the behavior or correct it.
the effects of the infraction that had been committed.

3. Without prejudice to what is established in the previous section, the data protection authority

data will also propose the initiation of disciplinary actions when there are
sufficient evidence for it. In this case, the procedure and the sanctions to be applied
will be those established in the legislation on disciplinary or sanctioning regime that
result of application.


Likewise, when the infractions are attributable to authorities and managers, and
proves the existence of technical reports or recommendations for the treatment that
had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/23








will order the publication in the Official State or Autonomous Gazette that
correspond.


(…)
5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article. (…)”



                                           IX
Article 32 “Security of treatment” of the RGPD establishes:

"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the treatment, as well as risks of

variable probability and severity for the rights and freedoms of individuals
physical, the person in charge and the person in charge of the treatment will apply technical measures and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which in your case includes, among others:
       a) pseudonymization and encryption of personal data;
       b) the ability to ensure the confidentiality, integrity, availability and

       permanent resilience of treatment systems and services;
       c) the ability to restore availability and access to data
       quickly in the event of a physical or technical incident;
       d) a process of regular verification, evaluation and evaluation of the effectiveness
       technical and organizational measures to guarantee the security of the

       treatment.

2. When evaluating the adequacy of the security level, particular account shall be taken of
takes into account the risks presented by the processing of data, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of data

data transmitted, stored or otherwise processed, or the communication or
unauthorized access to said data.

3. Adherence to an approved code of conduct under article 40 or to a
certification mechanism approved under article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the

present article.

4. The person in charge and the person in charge of the treatment will take measures to guarantee that
any person acting under the authority of the person in charge or the person in charge and
has access to personal data can only process said data following

instructions of the person in charge, unless it is obliged to do so by virtue of the Right of
the Union or the Member States.

In the present case, at the time of the breach, the MINISTRY did not
had the appropriate technical and organizational measures in place to prevent

produced an incident such as the one substantiated in this proceeding, since
once the CIPA code was entered, a second authentication was not required, nor were the
Personal data appeared pseudonymized.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/23








From the investigation carried out in this proceeding, it is concluded that the
CONSEJERIA has violated the provisions of article 32 of the RGPD,


                                           X
The infringement is typified in article 83.4 of the RGPD that under the heading "Conditions
rules for the imposition of administrative fines” provides:

“The infractions of the following dispositions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or,

in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual turnover of the previous financial year, opting for
the largest amount:

       a) the obligations of the person in charge and the person in charge pursuant to articles 8,

       11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that
“The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.


For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“Based on the provisions of article 83.4 of Regulation (EU) 2016/679,

considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:
       (…)
       f) The lack of adoption of those technical and organizational measures that

       are appropriate to guarantee a level of security appropriate to the risk
       of the treatment, in the terms required by article 32.1 of the Regulation
       (EU) 2016/679.
       (…)

                                          eleventh

Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in
its section 7 the following:

“7. Without prejudice to the corrective powers of the control authorities under the
Article 58(2), each Member State may lay down rules on whether

can, and to what extent, impose administrative fines on authorities and organizations
public authorities established in that Member State.

For its part, article 77 “Regime applicable to certain categories of
responsible or in charge of the treatment” of the LOPDGDD provides the following:


"1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/23








       (…)
       c) The General Administration of the State, the Administrations of the
       autonomous communities and the entities that make up the Local Administration.

       (…)

2. When those responsible or in charge listed in section 1 committed
any of the infractions referred to in articles 72 to 74 of this law
organic, the data protection authority that is competent will dictate
resolution sanctioning them with a warning. The resolution will establish

also the measures that should be adopted to stop the behavior or correct it.
the effects of the infraction that had been committed.

3. Without prejudice to what is established in the previous section, the data protection authority
data will also propose the initiation of disciplinary actions when there are

sufficient evidence for it. In this case, the procedure and the sanctions to be applied
will be those established in the legislation on disciplinary or sanctioning regime that
result of application.

Likewise, when the infractions are attributable to authorities and managers, and
proves the existence of technical reports or recommendations for the treatment that

had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official State or Autonomous Gazette that
correspond.


(…)

5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article. (…)”


                                           XII
Article 33 “Notification of a violation of the security of personal data to
the control authority” of the RGPD establishes:

"1. In case of violation of the security of personal data, the person in charge of the

treatment will notify the competent control authority in accordance with the
article 55 without undue delay and, if possible, no later than 72 hours after
who was aware of it, unless it is unlikely that such violation
constitutes a risk to the rights and freedoms of individuals
physical. If the notification to the supervisory authority does not take place within the period of 72

hours, must be accompanied by an indication of the reasons for the delay.

2. The person in charge of the treatment will notify without undue delay the person in charge of the
treatment the violations of the security of the personal data of which it has
knowledge.


3. The notification referred to in section 1 must, at a minimum:
       a) describe the nature of the data security breach
       including, where possible, the categories and number

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/23








       approximate number of stakeholders affected, and the categories and approximate number
       of affected personal data records;
       b) communicate the name and contact details of the data protection delegate

       data or another point of contact where further information can be obtained;
       c) describe the possible consequences of the breach of the security of the
       personal information;
       d) describe the measures adopted or proposed by the person responsible for the
       processing to remedy the data security breach
       including, if applicable, the measures taken to mitigate the

       possible negative effects.

4. If it is not possible to provide the information simultaneously, and to the extent that
is not, the information will be provided gradually without undue delay.


5. The data controller will document any breach of data security.
personal data, including the facts related to it, its effects and the
corrective measures taken. Said documentation will allow the authority of
control to verify compliance with the provisions of this article.”

In the present case, it is clear that the MINISTRY has suffered a security breach

of personal data on 05/24/2021 and has not informed this Agency.

From the investigation carried out in this proceeding, it is concluded that the
CONSEJERIA has violated the provisions of article 33 of the RGPD.


                                          XIII
The infringement is typified in article 83.4 of the RGPD that under the heading "Conditions
rules for the imposition of administrative fines” provides:

“The infractions of the following dispositions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual turnover of the previous financial year, opting for
the largest amount:

       a) the obligations of the person in charge and the person in charge pursuant to articles 8,

       11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that
“The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result

contrary to this organic law.

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:


“Based on the provisions of article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/23








       (…)
       r) Failure to comply with the duty to notify the data protection authority
       data from a security breach of personal data in accordance

       with the provisions of article 33 of Regulation (EU) 2016/679. (…)”

                                         fourteenth
Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides in
its section 7 the following:


“7. Without prejudice to the corrective powers of the control authorities under the
Article 58(2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and organizations
public authorities established in that Member State.


For its part, article 77 “Regime applicable to certain categories of
responsible or in charge of the treatment” of the LOPDGDD provides the following:

"1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:


       (…)
       c) The General Administration of the State, the Administrations of the
       autonomous communities and the entities that make up the Local Administration.
       (…)


2. When those responsible or in charge listed in section 1 committed
any of the infractions referred to in articles 72 to 74 of this law
organic, the data protection authority that is competent will dictate
resolution sanctioning them with a warning. The resolution will establish
also the measures that should be adopted to stop the behavior or correct it.

the effects of the infraction that had been committed.

3. Without prejudice to what is established in the previous section, the data protection authority
data will also propose the initiation of disciplinary actions when there are
sufficient evidence for it. In this case, the procedure and the sanctions to be applied

will be those established in the legislation on disciplinary or sanctioning regime that
result of application.

Likewise, when the infractions are attributable to authorities and managers, and
proves the existence of technical reports or recommendations for the treatment that

had not been duly attended to, in the resolution imposing the
The sanction will include a reprimand with the name of the responsible position and
will order the publication in the Official State or Autonomous Gazette that
correspond.

(…)


5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article. (…)”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/23









Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE THE MINISTRY OF HEALTH, with NIF S7800001E,

-Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the
RGPD, a sanction of warning.


-For an infringement of Article 25 of the RGPD, typified in article 83.4 of the RGPD,
a warning sanction.

-For an infringement of Article 32 of the RGPD, typified in article 83.4 of the RGPD,

a warning sanction.

-For an infringement of Article 33 of the RGPD, typified in article 83.4 of the RGPD,
a warning sanction.

SECOND: NOTIFY this resolution to the MINISTRY OF HEALTH.


THIRD: COMMUNICATE this resolution to the Ombudsman,
in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the

The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the

aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/23











contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.



                                                                                          938-120722
Sea Spain Marti

Director of the Spanish Data Protection Agency































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es