AEPD (Spain) - PS/00028/2022
| AEPD - PS-00028-2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Article 33 GDPR 72, 73, 77 Spanish Data Protection Act |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 31.03.2021 |
| Decided: | |
| Published: | 03.02.2023 |
| Fine: | n/a |
| Parties: | Getafe City Council |
| National Case Number/Name: | PS-00028-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Mapez |
The Spanish DPA imposed a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR by making available online during several months the personal data of data subjects without their consent.
English Summary
Facts
On 31 March 2021, the City Council of Getafe (controller) accidentally published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The Excel sheet included several categories of data, such as name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list.
On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. After this, the controller unlinked the Excel sheet from its website, so that it would not be available when navigating the controller website. There was therefore no way to reach the Excel sheet any longer, navigating the controller's website. However, the Excel sheet itself was not deleted from the internet and stayed online as an "orphan document" until 24 January 2022. This meant that the Excel sheet could still be accessed, when typing the exact URL in the browser. People who were aware of the exact URL, could therefore still access the Excel sheet.
Despite the fact that the Excel sheet stayed online for several months after the initial complaint of the applicant, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through the exact URL and not through any linking on the controller's website. Also, the controller had not identified any serious harm as a result of this data breach.
Holding
First, the DPA found a violation of Article 5(1)(f) GDPR, since the publication of the Excel sheet online enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.
Second, the DPA found a violation of Article 32 GDPR, because the controller failed to properly remove the Excel sheet from its website and did not involve its own IT services in the process. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks as a result of the breach. The controller should have considered potential further risks.
Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the level of severity of the data breach. In this case, the DPA found that such a confidentiality breach as in the present case would have justified a notification to the DPA, which the controller did not undertake.
On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringement of Articles 32 and 33 GDPR as "serious" offences, whilst the violation of Article 5(1)(f) was considered a "very serious" offence. The DPA issued a warning pursuant to Article 77 LOPDGDD.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
https://www.aepd.es/es/documento/ps-00028-2022.pdf
