AEPD (Spain) - PS/00028/2022

From GDPRhub
AEPD - PS-00028-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 33 GDPR; Articles 72, 73 and 77 Spanish Data Protection Act
Type: Complaint
Outcome: Upheld
Started: 31.03.2021
Decided:
Published: 03.02.2023
Fine: n/a
Parties: Getafe City Council
National Case Number/Name: PS-00028-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mapez

The Spanish DPA issued a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR by making the personal data of data subjects available online for several months without their consent.

English Summary

Facts

On 31 March 2021, the City Council of Getafe (the controller) published by mistake on its website an Excel sheet containing the personal data of the vehicle owners who had requested a change of address in the previous week (the data subjects). The Excel sheet included the name, surname, address, date of birth, tax identification number, ID number, vehicle registration number and date of vehicle registration of the data subjects. The Excel sheet had thirty-six entries, but the vast majority of the data subjects it mentioned appeared several times in the list. On 31 March 2021, A.A.A. (the applicant) notified the breach to the controller and to the AEPD. The controller unlinked the Excel sheet from the website, so that it was no longer reachable by navigating the portal. However, the Excel sheet itself was not deleted from the web server and stayed online as an "orphan document" until 24 January 2022: anyone typing the exact URL into a browser could still retrieve it. During the procedure, the controller submitted that it had originally intended to publish a call for the plenary session of the City Council and had published the Excel sheet by mistake instead. Despite the fact that the Excel sheet stayed online for several months after the applicant's initial complaint, the controller submitted that it was unlikely that the data had been retrieved, as the Excel sheet could only be accessed through the exact URL and not through a link on the website. According to the controller, no serious harm had been identified following the data breach.

Holding

The AEPD qualified the upload of the Excel file as a confidentiality breach and identified three resulting infringements: infringement of Article 5(1)(f) and Article 32 for not handling the data with the appropriate level of security, and of Article 33 for not notifying the data breach to the AEPD.

With regard to Article 5(1)(f), the AEPD found that the publication of the Excel sheet online enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.

With regard to Article 32, the AEPD found that the controller failed to properly remove the Excel sheet and did not involve its IT services in the process. Furthermore, the AEPD found that the controller had failed to make an appropriate assessment of the risks generated by the initial breach of confidentiality, and should have considered the potential further risks in order to prevent the breach from persisting. The AEPD noted that although the controller was aware that the data breach persisted, it probably did not know all the details of the infringement.

With regard to Article 33, the AEPD found that the controller had failed to assess the level of severity of the data breach and the risks to the rights and freedoms of the data subjects. In the case at hand, the AEPD found that such a confidentiality breach would have justified a notification to the AEPD, which the controller did not make.

On the basis of Articles 72 and 73 of the Ley Orgánica 3/2018 de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (Spanish Data Protection Act - LOPDGDD), the AEPD classified the infringements of Articles 32 and 33 as "serious" offences, whilst the breach of Article 5(1)(f) was considered a "very serious" offence. The AEPD issued a warning decision to the controller in accordance with the special regime of administrative fines applicable to local administrations (Article 77 LOPDGDD).

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

https://www.aepd.es/es/documento/ps-00028-2022.pdf