AEPD (Spain) - PS/00152/2020

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 33 GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: PS/00152/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: La Agencia Española de Protección de Datos (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that a rare disease foundation violated Article 33 GDPR by failing to notify a data breach within the prescribed 72 hours.

English Summary

Facts

In December 2018 the Secretary and Vice President of a rare disease foundation resigned. They did not hand over their computer files, documents and control of certain system accounts. The documents contained personal data processed by the foundation in its capacity as controller. In October 2019 the foundation notified the AEPD of the data breach.

Dispute

Which provisions of the GDPR did the AEPD consider to have been violated following the notification and investigation of the breach?

Holding

The AEPD held that the facts revealed a violation of Article 33 GDPR. In particular, it noted that this provision "explicitly establishes" that security breaches posing a risk to the rights and freedoms of natural persons must be notified by the controller to the relevant data protection authority within 72 hours of becoming aware of the breach. Since the data in question included health data (such as patient diagnoses), a special category of data under Article 9(1), the AEPD concluded that in these cases a notification is always necessary. As a result, it concluded that the foundation was responsible for violating Article 33 GDPR, and issued it with a warning pursuant to Article 58(2)(b) GDPR.

Comment

The AEPD did not find the former Secretary and Vice President to have committed any violations. The GDPR defines a security breach of personal data as "all breaches of security that result in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication of or access to such data." The AEPD noted that the documents submitted in the course of the investigation did not prove "the authorship of the alleged theft" or that the former Secretary and Vice President had made use of the personal data contained in the missing files.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and 
BACKGROUND
FIRST: The inspection actions were initiated by the receipt of a security breach notification letter sent by FUNDACION SINDROME 5P MENOS DE C.V., in which it informed the AEPD that the former holders of the Vice-Presidency and Secretariat, who were also responsible for the management and security of the information, have not returned the documents and devices 
SECOND: In view of the aforementioned notification of a personal data security breach, the Subdirectorate-General for Data Inspection carried out preliminary investigative actions, establishing the following points:
BACKGROUND
Security breach notification date: 10 October 2019
ENTITY INVESTIGATED
FUNDACIÓN SÍNDROME 5 P MENOS DE C.V. (hereinafter the Foundation), with NIF G54272836, and domiciled in Calle Calitxe nº 6, 03690 San Vicente del Raspeig, Alicante.
RESULT OF THE RESEARCH ACTIVITIES
1. On 31 October 2019, the Foundation was asked for information, and the reply received on 14 November 2019 showed the following:
Regarding the Foundation. 
•	As stated on the website www.fundaciónsindrome5p.org, the Foundation is a non-profit organisation under the auspices of the Protectorate of the Generalitat Valenciana, which allocates all of its assets to helping and informing families with members affected by a rare syndrome. 
•	On 13 December 2018, the executive positions of Secretary and Vice President resigned from the Foundation before a notary.
•	The Foundation has provided a copy of the modifications to the Statutes where it is stated - in article 16 - that the custody of the documentation is the function of the Secretary. 
Regarding the facts and causes of the incident. Measures to minimise the incident 
•	The security breach was caused by the failure of the former Secretary and Vice President of the Foundation to return the computer files, media, documents, account control, etc., following their resignation as trustees of the Foundation on 13/12/2018. 
•	The facts were reported to the Court of Instruction of San Vicente del Raspeig on 16 July 2019, and the documentation and personal data held by the accused have been requested on several occasions, without receiving a reply. 
The Foundation has provided a copy of the complaint to the aforementioned Court where it is clear, among other aspects, that the accused have not handed over all the documentation, missing the children's medical records, among other documents. 
With regard to the data concerned. 
•	The Foundation states that the number of people affected is approximately 220 and the documents contain personal data of those affected (many of them minors) and their families, clinical diagnosis, degree of dependence, level, family economic situation, account numbers, information on parents, siblings and those affected.
•	The Foundation states, and has provided an e-mail in this regard, that the Foundation's e-mail address was used to send mail to the Foundation's associates after the resignation of the aforementioned directors. The aforementioned e-mail is dated 14 December 2018. The e-mail's header is as follows: 
--------- Forwarded message -------
From: A.A.A. < ***EMAIL.1> 
Date: Fri., 14 Dec. 2018 12:45 
Subject: IRREVOCABLE RESIGNATION OF A.A.A. AND B.B.B. FROM FOUNDATION 
SYNDROME 5P 
To: A.A.A. < ***EMAIL.1> , AA B.B.B. ***EMAIL.2
•	The Foundation has written to the members of the Foundation, dated 15 October 2019, informing them that there has been an incident of data security violation as a result of the failure of the previous trustees of the Foundation - with positions of Vice President and Secretary - to hand over the documents in their custody after their resignation. 
Regarding the actions taken for the final resolution of the incident or to minimize its impact
•	On 23 October 2019, a burofax was sent to the former managers urging them to return the documentation, in the light of a request for deletion of data. 
In this burofax, provided by the Foundation, it is stated that the data of those affected have been blocked in accordance with Organic Law 3/2018, of 5 December, with the exception of processing carried out to comply with a legal obligation and for the formulation, exercise or defence of claims.
It also appears that it has not been possible to delete the Foundation's data from the YouTube and Instagram platforms, since these were published when the former directors held the posts of Vice President and Secretary, and therefore the Foundation does not have the credentials to manage these platforms, although it has asked them to take control of the profiles in order to delete the personal data requested. 
Finally, the burofax sent to them includes the following: "I take this opportunity to urge you to hand over any documentation, media and equipment that you still have from the Foundation and remind you that any processing of data that you carry out with them, even their mere retention, has no legal basis that legitimises it". 
The Foundation states that neither calls nor burofaxes have been answered, and provides a certificate from the Post Office of the attempts to deliver the burofaxes dated 23 October 2019. 
With regard to the security measures implemented prior to the incident
•	The Foundation states that all employees sign a confidentiality clause and provides a template in this regard, indicating that it does not have the signed documents because they have not been returned to the Foundation. 
It also provides the confidentiality clauses attached to employment contracts, adapted to the RGPD.
 
•	The Foundation has provided a copy of the Security Document, which indicates, among other things, the functions and obligations of the users.
 
With regard to the measures implemented after the incident. 
•	The Foundation states that further action has been taken as the documents are not available: 
o	Appointment of a Data Protection Officer.
o	Renewal of the confidentiality and information security policy documents in accordance with the RGPD and LOPDGDD. 
o	Making backups that guarantee the availability of the data.
o	Review of procedures for action in the event of security breaches.
o	Implementation of periodic security reviews.
THIRD: On 17 June 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against FUNDACION SINDROME 5P MENOS DE C.V. for the alleged infringement of Article 33 of the RGPD, classified in accordance with the provisions of Article 83.4 of the aforementioned RGPD, qualified as minor for the purposes of the statute of limitations in Article 74.m) of the LOPDGDD.
FOURTH: On 16/06/2020, FUNDACION SINDROME 5P MENOS DE C.V. was notified of the agreement to initiate proceedings, and did not submit any pleadings. 
PROVEN FACTS
FIRST: Following the resignation of the Secretary and Vice President of the Foundation on 13/12/2018, they have not returned the computer media containing personal data processed by the Foundation in its capacity as controller.   
SECOND: The facts were reported to the Court of Instruction of San Vicente del Raspeig on 16/07/2019, claiming the documentation and personal data in the possession of the Secretary and Vice President of the Foundation since their resignation.
THIRD: On 10/10/2019 the Foundation notified the AEPD of the security breach:
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and in accordance with that established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
Foundations are governed by Law 50/2002, which establishes, as regards their creation, that they can be created either by private or by public initiative.
In the present case, the Foundation is registered as a foundation subject to private law according to its own founding statutes.
III Article 58 of the RGPD, Powers, states
"Each supervisory authority shall have all the following corrective powers as set out below:
(b) punish any controller or processor with a warning where the processing operations have infringed the provisions of this Regulation; 
Recital 148 of the RGPD states
"In the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a warning may be imposed instead of a penalty in the form of a fine. However, particular attention must be paid to the nature, gravity and duration of the infringement, its intentional nature, the measures taken to mitigate the damage suffered, the degree of liability or any previous relevant infringement, the way in which the supervisory authority became aware of the infringement, compliance with measures ordered against the person responsible or entrusted, adherence to codes of conduct and any other aggravating or mitigating circumstances".
Article 33 of the RGPD, Notification of a personal data security breach to the supervisory authority, states that
"1. In the event of a breach of the security of personal data, the controller shall notify the competent supervisory authority pursuant to Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to prejudice the rights and freedoms of natural persons. If notification to the supervisory authority does not take place within 72 hours, it must be accompanied by an indication of the reasons for the delay.
2.	The data processor shall, without undue delay, notify the data controller of any breach of the security of personal data of which he becomes aware.
3.	The notification referred to in paragraph 1 must, at least:
a)	describe the nature of the breach of security of personal data, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of records of personal data concerned;
b)	communicate the name and contact details of the data protection officer or other contact point where further information can be obtained;
c)	describe the possible consequences of a breach of personal data security;
d)	describe the measures adopted or proposed by the controller to remedy the breach of security of personal data, including, where appropriate, the measures taken to mitigate any negative effects.
4.	If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.
5.	The data controller shall document any violation of the security of personal data, including the facts relating to it, its effects and the corrective measures taken. Such documentation shall enable the supervisory authority to verify compliance with the provisions of this Article.
For its part, the LOPDGDD in its Article 71, Infringements, states that: "The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements".
And in Article 73 of the LOPDGDD, for the purposes of the statute of limitations it qualifies as "Infringements considered serious": 
"In accordance with the provisions of Article 83(4) of Regulation (EU) 2016/679, infringements that substantially violate the articles mentioned therein, and in particular those that follow, are considered serious and shall be subject to a two-year limitation period:
(r) Failure to notify the data protection authority of a security breach of personal data as provided for in Article 33 of Regulation (EU) 2016/679.
The facts revealed in the notification of the security breach in the Foundation's information systems and the investigation carried out by the AEPD, violate the aforementioned Article 33 of the RGPD. 
IV
The RGPD defines security breaches of personal data as "all breaches of security that result in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication of or access to such data".
It should be pointed out that the RGPD does not establish a list of the security measures that are applicable according to the data being processed, but rather establishes that the controller shall apply technical and organisational measures that are appropriate to the risk that the processing entails, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects. In this respect, the Foundation has provided a security document updated to the RGPD and LOPDGDD, which contains the technical and organisational measures adopted, including, among others, the confidentiality clause signed at the time by the former directors.
In this regard, it should be noted that the documentation in the file does not prove the authorship of the alleged theft of computer equipment or media containing personal data, nor that the former executives reported have made use of the personal data contained in them, since the header of the e-mail provided does not support these circumstances. Specifically, it is a forwarded e-mail (Forwarded message), with origin <From: A.A.A. < ***EMAIL.1> and recipient <To: A.A.A. < ***EMAIL.1> , AA B.B.B.
***EMAIL.2>, which, although its content alludes to the reasons for the resignation, at no time evidences any processing of data of associates or affected parties of the Foundation, nor any origin or destination involving other persons unrelated to them.
The aforementioned article also regulates that security breaches that may pose a risk to the rights and freedoms of natural persons must be notified to the competent supervisory authority, a circumstance that would be fulfilled in this case since the data allegedly stolen belong to the category of data regulated in article 9.1 of the aforementioned RGPD (Processing of special categories of personal data). 
Article 33 of the RGPD explicitly establishes that security breaches, whenever personal data are affected and they imply a high risk to the rights and freedoms of natural persons, must be notified by the data controller to the Supervisory Authority (AEPD) within 72 hours after the controller has become aware of them. 
In the present case, it is recorded that the Foundation became aware of the security breach incident in December 2018, reported the facts to the Court on 16 July 2019 and did not notify the security breach until 10 October 2019.   
In accordance with the above, the Foundation is responsible for the infringement of Article 33 of the RGPD, typified in Article 83.4 of the RGPD, qualified as minor for the purposes of prescription in Article 74.m) of the LOPDGDD and punishable with a warning, since no intent has been found, the entity is a non-profit foundation, and no previous infringement has been established.
V Article 74(m) of the LOPDGDD states 
"The remaining infringements of a purely formal nature of the articles mentioned in Article 83(4) and (5) of Regulation (EU) 2016/679 are considered minor and shall be subject to a limitation period of one year, and in particular the following infringements
(…)
(m) Incomplete, late or defective notification to the data protection authority of information relating to a breach of the security of personal data pursuant to Article 33 of Regulation (EU) 2016/679".
Article 70.1 of the LOPDGDD indicates the subjects responsible. 
"1. They are subject to the penalty regime established in Regulation (EU) 2016/679 and in this organic law: 
a) The persons responsible for the processing".
VI
In the present case, given that the Foundation is a non-profit organisation under the protection of the Protectorate exercised by the Generalitat Valenciana, which allocates all of its assets to helping and informing families with members affected by a rare syndrome, there is no evidence of intention or recidivism. It is considered in accordance with the law not to impose a sanction consisting of an administrative fine and to replace it with the sanction of a warning in accordance with article 76.3 of the LOPDGDD in relation to article 58.2 b) of the RGPD.
Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES
FIRST: TO IMPOSE ON FUNDACIÓN SÍNDROME 5 P MENOS DE C.V., with NIF
G54272836, for an infringement of Article 33 of the RGPD, typified in Article 83.4 of the RGPD and qualified as minor for the purposes of prescription in Article 74.m) of the LOPDGDD, a sanction of a warning.
SECOND: NOTIFY this resolution to FUNDACIÓN SÍNDROME 5 P MENOS DE C.V. with NIF G54272836, and domiciled in Calle Calitxe nº 6, 03690 San Vicente del Raspeig, Alicante.
In accordance with Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties. 
Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and pursuant to the provisions of Article 123 of the LPACAP, the interested parties may lodge, optionally, an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month starting from the day following notification of this decision, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Law.
Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party states its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. Should the Agency not be aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it shall terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency