AEPD (Spain) - PS/00464/2020

From GDPRhub
AEPD - PS/00464/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 05.04.2021
Fine: 3000 EUR
Parties: KUKIMBIA S.L.
National Case Number/Name: PS/00464/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: CSO

The AEPD fined a controller €3000 for abandoning documentation containing personal data next to a building, which was considered a data breach and therefore a violation of Article 32(1) GDPR.

English Summary

Facts

The Police Force of Navarra (Spain) reported to the AEPD the fact that they had found documentation held by controller next to a garbage container in a building. The documents included personal data of clients and suppliers. The police officers tried to locate the controller, but the business activity had ceased the activity at their premises. However, the person responsible for the company responded to a communication from the police informing that they had ceased their activity and that they had disposed of the "files that they could".

Dispute

Did the controller appropriately process the personal data under its responsibility by adopting the necessary technical and organizational measures?

Holding

The AEPD concluded that the facts constitute a personal data breach and that the controller had not adopted the necessary technical and organizational measures to prevent it. The AEPD reminds that the GDPR does not require the adoption of specific measures, but that controller must assess in each case what measures are necessary according to a risk assessment.

The AEPD found that there was therefore a violation of Article 32(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/10









                                                    Procedure No.: PS / 00464/2020


                 RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: The POLICIA FORAL DE NAVARRA (hereinafter, the claimant) dated
08/07/2020 sent a complaint bulletin to the Spanish Agency for the Protection of
Data. The claim is directed against KUKIMBIA S.L., with NIF B99352023 (in
ahead, the claimed one). The reasons on which you base the claim are that you have

found abandoned documentation containing personal data,
from a company that abandoned a warehouse adjacent to the area where
said documentation has been found abandoned.

Photographs are provided with the abandoned material.


SECOND: Upon receipt of the claim, the General Sub-Directorate of
Data Inspection proceeded to carry out the following actions:

On 09/28/2020, the claim submitted for analysis was transferred to the respondent.

and communication to the claimant of the decision adopted in this regard. Likewise, he is
required so that within a month it sent to the determined Agency
information:

       - Copy of the communications, of the adopted decision that has been sent to the
       claimant regarding the transfer of this claim, and accreditation that

       the claimant has received the communication of that decision.
       - Report on the causes that have motivated the incidence that has originated the
       claim.
       - Report on the measures adopted to prevent the occurrence of
       similar incidents.

       - Any other that you consider relevant.

There is no response from the complainant to the request for information from the AEPD.

THIRD: On 12/09/2020, in accordance with article 65 of the LOPDGDD, the

Director of the Spanish Agency for Data Protection agreed to admit for processing the
claim filed by the claimant against the defendant.

FOURTH: On 02/12/20210, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged
infringement of article 32.1 of the RGPD, typified in article 83.4.a) of the aforementioned

Regulation, and considered for the purposes of prescription as a serious offense in the
article 73.g) of the LOPDGDD, a penalty of 3,000 euros.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








FIFTH: Notified the initiation agreement, the one claimed at the time of the present
resolution has not submitted a brief of allegations, so it is applicable
indicated in article 64 of Law 39/2015, of October 1, on the Procedure

Common Administrative of Public Administrations, which in its section f)
establishes that in case of not making allegations within the term provided on the
content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise statement about the responsibility
imputed, for which a Resolution is issued.


SIXTH: Of the actions carried out in this proceeding, there have been
accredited the following:


                                PROVEN FACTS


FIRST: The 08/07/2020 has an entry in the AEPD police report bulletin
FORAL DE NAVARRA (hereinafter, the claimant), stating the abandonment of
documentation of clients and suppliers of the claimed, containing data from
personal character, next to a garbage container and third party access.


SECOND: The defendant is a company incorporated in Zaragoza on 08/03/2012 and its
corporate purpose is the storage, distribution and transportation throughout the national territory and
foreigner of all kinds of merchandise.

THIRD: Report No. 01132421 of the Navarra Foral Police has been provided,

matter of documentation spilled in the Ezkarbarte de Arre industrial estate, pointing out that
their passage through the aforementioned polygon they observed the existence of documentation
abandoned containing personal data of carriers and customers (name and
surnames, DNI number, telephone number) from the company *** COMPANY.1 located
in the transport city at *** LOCALIDAD.1, *** ADDRESS.1; who went to

the company, although they verified that they no longer operated in the area, having ceased
their activity in the ship they had rented; however, they tried to contact the
cited company; On 06/16/2020 they received the following response from it:

Good Morning,
In response to the photos received

On XX / YY / 2020 we vacated the facilities of *** COMPANY. 2.
Removing the merchandise and office supplies and "files that we could."
At that time we did not have access or keys to the facilities again.

FOURTH: Photographs of abandoned documentation are provided: letters,

delivery notes, etc., containing personal data.


                           FOUNDATIONS OF LAW


                                           I
       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.


                                             II
        Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations, in its article 64 “Agreement of initiation in the
procedures of a sanctioning nature ”, provides:

        "1. The initiation agreement will be communicated to the instructor of the procedure, with

transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such.
Likewise, the initiation will be communicated to the complainant when the regulatory norms
of the procedure so foresee it.


        2. The initiation agreement must contain at least:

        a) Identification of the person or persons allegedly responsible.
        b) The facts that motivate the initiation of the procedure, its possible
        qualification and the sanctions that may correspond, without prejudice to what
        result of the instruction.

        c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
        express indication of the regime of challenge of the same.
        d) Competent body for the resolution of the procedure and regulation that
        attributes such competence, indicating the possibility that the alleged
        responsible can voluntarily acknowledge their responsibility, with the

        effects provided for in article 85.
        e) Provisional measures that have been agreed by the body
        competent to initiate the sanctioning procedure, without prejudice to those that
        can be adopted during the same in accordance with article 56.
        f) Indication of the right to make allegations and to the hearing in the

        procedure and the deadlines for its exercise, as well as an indication that, in
        case of not making allegations within the term provided on the content of the
        initiation agreement, this may be considered a resolution proposal
        when it contains a precise statement about liability
        charged.


        3. Exceptionally, when at the time of issuing the initiation agreement
there are not enough elements for the initial qualification of the facts that motivate
the initiation of the procedure, the aforementioned qualification may be carried out in a phase
later by preparing a Statement of Charges, which must be notified to
the interested".


        In application of the previous precept and taking into account that they have not
formulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated.

                                             III

        Article 58 of the RGPD, Powers, states:

        "two. Each supervisory authority shall have all of the following powers
corrective measures listed below:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10









       (…)
       i) impose an administrative fine in accordance with article 83, in addition or in

       instead of the measures mentioned in this section, according to the
       circumstances of each particular case;
       (…) "

       Article 5 of the RGPD establishes the principles that must govern the treatment
of personal data and mentions among them that of "integrity and confidentiality".


       The aforementioned article points out that:

       "1. The personal data will be:


       (…)
       f) treated in such a way as to guarantee adequate security of the
       personal data, including protection against unauthorized processing or
       illicit and against its loss, destruction or accidental damage, through the application
       appropriate technical or organizational measures ('integrity and
       confidentiality »)”.

       (…) "

                                           IV
       The denounced events materialize in the abandonment of documentation in
the public thoroughfare in which personal data corresponding to the claimed person appears,

violating the regulations on data protection.

       The security of personal data is regulated in articles 32, 33 and
34 of the GDPR.


       Article 32 of the RGPD "Security of treatment", establishes that:

       "1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the treatment, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person in charge and the person in charge of the treatment will apply technical measures and

appropriate organizational arrangements to ensure a level of security appropriate to the risk,
that in your case include, among others:

       a) pseudonymisation and encryption of personal data;
       b) the ability to guarantee confidentiality, integrity, availability and

       permanent resilience of treatment systems and services;
       c) the ability to restore availability and access to data
       personnel quickly in the event of a physical or technical incident;
       d) a process of regular verification, evaluation and assessment of effectiveness
       of the technical and organizational measures to guarantee the safety of the

       treatment.

       2. When evaluating the adequacy of the security level, particularly the
take into account the risks presented by the data processing, in particular as

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








consequence of accidental or illegal destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to such data.


       3. Adherence to a code of conduct approved in accordance with article 40 or to a
certification mechanism approved under article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
this article.


       4. The person in charge and the person in charge of the treatment will take measures to
ensure that any person acting under the authority of the controller or the
manager and have access to personal data can only process said data
following the instructions of the person in charge, unless it is obliged to do so under the
Law of the Union or of the Member States ”.


       The violation of article 32 is classified in article 83.4.a) of the
cited GDPR in the following terms:

       "4. Violations of the following provisions will be sanctioned, in accordance with
with paragraph 2, with administrative fines of maximum EUR 10 000 000 or,

in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

       a) the obligations of the controller and the processor pursuant to articles 8,

       11, 25 to 39, 42 and 43.
       (…) "

       For its part, the LOPDGDD in its article 71, Infractions, states that:
“The acts and conducts referred to in sections 4, constitute offenses.

5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those resulting
contrary to the present organic law ”.

       And in its article 73, for the purposes of prescription, it qualifies as "Infractions
considered serious ”:


       "Based on the provisions of article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:


       (…)
       g) The breach, as a consequence of the lack of due diligence,
       of the technical and organizational measures that have been implemented in accordance with
       as required by article 32.1 of Regulation (EU) 2016/679 ”.
       (…)


       The facts revealed in this claim are specified in
the existence of a security incident in the complainant's systems, making it possible to
its vulnerability by allowing documentation containing data from

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








personal character, were abandoned, allowing access to the data contained
in them.


                                           V
       The GDPR defines personal data security breaches as
“All those security violations that cause the destruction, loss or
accidental or illegal alteration of personal data transmitted, stored or processed
otherwise, or unauthorized communication or access to said data ”.


       From the documentation in the file there are evident indications of
that the complainant has violated article 32.1 of the RGPD, due to a breach of
security in their systems allowing access to personal data
contained in documents that were abandoned by the defendant with possible
violation of security measures.


       It should be noted that the RGPD in the aforementioned precept does not establish a list of
the security measures that are applicable according to the data that are
object of treatment, but establishes that the controller and the person in charge of the
treatment will apply technical and organizational measures that are appropriate to the risk
involved in the treatment, taking into account the state of the art, the costs of

application, the nature, scope, context and purposes of the treatment, the risks of
probability and seriousness for the rights and freedoms of the persons concerned.

Likewise, the security measures must be adequate and proportionate to the
risk detected, noting that the determination of the technical measures and

organizational must be carried out taking into account: pseudonymisation and encryption,
ability to guarantee confidentiality, integrity, availability and resilience, the
ability to restore availability and access to data after an incident, process
verification (not audit), evaluation and assessment of the effectiveness of
measures.


       In any case, when evaluating the adequacy of the security level, the
particularly take into account the risks presented by data processing, such as
consequence of accidental or illegal destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data and that could cause damages

physical, material or immaterial.

       In this same sense, recital 83 of the RGPD states that:

       “(83) In order to maintain security and prevent the treatment from infringing the

provided in this Regulation, the person in charge or the person in charge must evaluate
the risks inherent to the treatment and apply measures to mitigate them, such as the
encryption. These measures must guarantee an adequate level of security, including the
confidentiality, taking into account the state of the art and the cost of its application
with respect to the risks and the nature of the personal data that must

protect yourself. When assessing risk in relation to data security, you should
take into account the risks arising from the processing of personal data,
such as accidental or illegal destruction, loss or alteration of personal data
transmitted, preserved or otherwise processed, or communication or access does not

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10








authorized to said data, susceptible in particular to cause damages
physical, material or immaterial ”.


       In the present case, as stated in the facts and in the framework of the
investigation file E / 07635/2020, the AEPD transferred to the complainant the
09/28/2020 the written claim submitted for analysis requesting the
provision of information related to the incident claimed, without having
received in this body any response.


       Responsibility of the claimed person is determined by the incident / bankruptcy
of security revealed by the Navarra Provincial Police, since it is
responsible for making decisions aimed at effectively implementing the
appropriate technical and organizational measures to ensure a level of security
appropriate to the risk to ensure the confidentiality of the data, restoring its

availability and prevent access to them in the event of a physical or technical incident.
However, the documentation provided shows that the entity has not only
breached this obligation, but also the adoption of measures is unknown
respect, despite having given notice of the claim presented.

       In accordance with the foregoing, it is estimated that the claimed would be

allegedly responsible for the violation of the RGPD: the violation of article 32.1,
offense typified in its article 83.4.a).


                                           SAW

       In order to establish the administrative fine to be imposed, they must
observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which
they point out:

       "1. Each supervisory authority will guarantee that the imposition of fines

administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.

       2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute title for the measures contemplated

in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

       a) the nature, severity and duration of the offense, taking into account the
       nature, scope or purpose of the processing operation in question

       as well as the number of affected stakeholders and the level of damage and
       damages they have suffered;
       b) intentionality or negligence in the infringement;
       c) any measure taken by the person in charge or in charge of the treatment
       to alleviate the damages suffered by the interested parties;

       d) the degree of responsibility of the person in charge of the
       treatment, taking into account the technical or organizational measures that have
       applied by virtue of articles 25 and 32;


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;
        f) the degree of cooperation with the supervisory authority in order to establish

        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement, in
        particular if the person in charge or the person in charge notified the infraction and, in such case,
        what extent;
        i) when the measures indicated in article 58, paragraph 2, have been

        previously ordered against the person responsible or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under article 40 or to mechanisms
        certification approved in accordance with Article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the

        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement.

        In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:


        "two. In accordance with the provisions of article 83.2.k) of Regulation (EU)
2016/679 may also be taken into account:

        a) The continuing nature of the offense.
        b) The linking of the activity of the offender with the performance of treatments

        of personal data.
        c) The benefits obtained as a result of the commission of the offense.
        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.
        e) The existence of a merger process by absorption after the commission

        of the infringement, which cannot be attributed to the absorbing entity.
        f) Affecting the rights of minors.
        g) Have, when not mandatory, a delegate for the protection of
data.
        h) The submission by the person in charge or in charge, with character
        voluntary, to alternative dispute resolution mechanisms, in those

        cases in which there are controversies between those and any
        interested."

        - In accordance with the transcribed precepts, in order to establish the amount
of the sanction of a fine to be imposed in the present case for the offense typified in the

Article 83.4.a) of the RGPD for which the claimed person is responsible, they are considered
concurrent the following factors:

        The merely local scope of the treatment carried out by the claimed person.


        The nature and severity of the offending conduct as the documentation
        Abandoned affects the personal data of many people.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








       The claimed entity does not record that it has adopted measures to prevent
       produce similar incidents; It has not responded to the request either
       informative from the Agency which affects the absence of cooperation with the

       supervisory authority in order to remedy the infringement and mitigate the
       possible adverse effects of it.

       Although there is no evidence that the defendant had acted
       maliciously, the conduct observed is deeply negligent.


       The linking of the offender's activity with the performance of treatment of
       Personal data.

       The claimed is a small business.



       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,

       The Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE KUKIMBIA S.L., with NIF B99352023, for an infraction of the
Article 32.1 of the RGPD, typified in article 83.4.a) of the RGPD and considered to
Prescription effects as a serious offense, a fine of € 3,000 (three thousand euros).

SECOND: NOTIFY this resolution to KUKIMBIA S.L. with NIF

B99352023.


THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

       Once the notification has been received and once it is executed, if the date of execution is

finds between the 1st and the 15th of each month, both inclusive, the deadline to carry out the
Voluntary payment will be until the 20th of the following or immediately subsequent business month, and if
is between the 16th and last days of each month, both inclusive, the term of the
payment will be up to the 5th of the second following or immediate business month.


       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10








       Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may file, optionally, an appeal for reversal

before the Director of the Spanish Agency for Data Protection within a period of
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be suspended in an administrative way

If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
Presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also

must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, I would terminate the
precautionary suspension.



                                                                       Mar Spain Martí
                               Director of the Spanish Agency for Data Protection


























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es