AEPD (Spain) - E/05724/2019

From GDPRhub
(Redirected from AEPD - E/05724/2019)
AEPD (Spain) - E/05724/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Article 33 GDPR
Type: Investigation
Outcome: No Violation Found
Decided: 06.11.2019
Fine: None
Parties: Centros comerciales Carrefour S.A.
National Case Number/Name: E/05724/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD approved Centros comerciales Carrefour S.A compliance with the GDPR after having used its investigation powers.

English Summary

Facts and questions arising

The AEPD received a data breach notification sent by Centros comerciales Carrefour S.A. (Carrefour) in which they inform having suffered from a cyberattack. Thus, the AEPED carried out an investigation.


Th AEPD found there was no evidence showing illegal access to the Carrefour information system. Also, it issued that the attacker obtained the user code and password to access to Carrefours' information system through external fraudulent databases. The use of this database allowed the attacker to act without being detected by the security measures that Carrefour had implemented so far.

However, the AEPD found that Carrefour has to implement suitable and appropriate measures to avoid such incidents. Consequently, Carrefour has been ordered to update its internal digital process to avoid as many vulnerabilities as possible.

Finally, the AEPD considered that Carrefour is the responsible entity and is needs to ensure compliance with the GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: E/08158/2019


Of the actions carried out by the Spanish Data Protection Agency and based on the following


FIRST: The inspection actions are initiated by the receipt of a security bankruptcy notification letter sent by INTERCAMBIADOR DE TRANSPORTES AVENIDA DE AMERICA, S.A.U. (hereinafter ITAA) in which
inform the Spanish Data Protection Agency that a company employee, who received a message from WhatsApp, has learned of the extraction of a video captured by the cameras of the video surveillance system of the Avenida de America Transport Interchange facilities.

The video was allegedly extracted from the video surveillance system by a security guard from the company GSI Security and Systems Professionals
S.A.U. (from now on GSI), recording directly with your mobile phone the screen of the video surveillance system.

They indicate that the bankruptcy took place on 27/07/2019 and that they became aware of it on 31/07/2019. The notification was made on 02/08/2019. The number of people affected is three (two guards and one user of the Transport Interchange). They understand that it is not necessary to inform the interested parties of the existence of the security breach, due to the dissemination of the recorded images.

SECOND: The General Sub-directorate of Data Inspection proceeded to carry out previous investigation actions for the clarification of the facts object of the complaint, having knowledge of the following points:


Bankruptcy notification date: August 2, 2019


- 28022 MADRID.


Once a request for information has been made to the ITAA, the representatives of the entity report the following chronology of events:
- With date 31/07/2019, one of the employees of ITAA received the call of a representative of the Regional Consortium of Transport of Madrid (in ahead "CRTM") to inform him/her of an incident that had taken place in the facilities of the Responsible for Treatment. Following the telephone communication, the CRTM representative sends, through the instant messaging application WhatsApp, a video in which can be seen as one of the security guards of the transport interchange of Avenida de America assaults a user. After carefully analyzing the video received, it can be seen that the attack had taken place in the early morning of 27/07/2019 and that the images shown in the video had been captured by one of the cameras of the video surveillance system of the Avenida de America transport interchange. ITAA was not aware of the facts until the CRTM representative provided them with the video via WhatsApp.

- After the investigations, it was confirmed that one of the guards of the GSI company had recorded through his personal mobile phone, and in the presence of the shift leader who was at that time in the control room of the interchange, the images of the aggression that hours before had been captured by the video surveillance cameras of the interchange. It is not known why the security guard recorded the above-mentioned images by CCTV (Closed Circuit TV - Video Surveillance System) via his mobile phone.

- According to comments from the CCTV investigation team, the video was sent to a WhatsApp group involving several GSI employees.

With regard to the subsequent propagation of the video, they can only confirm that the video was shown through social networks, digital press and television, not knowing the medium or the way in which the different media obtained the video.
- They understand that the video broadcast by the media could be the one recorded by the guard, since in the images captured by the video surveillance camera installed in the control room of the exchange itself, it can be seen how the guard takes out his mobile phone and focuses on the computer screen where the CCTV images are displayed.


ITAA has provided a copy of the Treatment Activity Register (TAR) in which the committed treatments are listed (video surveillance system).
The entity has also provided a copy of the Risk Analysis (RA) of the treatment called "VIDEO-SURVEILLANCE". The RA includes, among other considerations, this treatment:

Application Initial risk	
Measures Final risk
Responsibility for treatment

Authorized personnel The data are treated by the organization's STAFF and there are CONFIDENTIALITY AGREEMENTS with
processing instructions	

Under Ensure that personnel authorized to process data have signed confidentiality agreements and that they are kept in a safe place.	

Very low
Processors (TE) Data NOT PROCESSED by Processors No risk No risk
Co-responsible for treatment (CoRT) Data NOT PROCESSED by Co-responsible for treatment No risk No risk
Data recipients Data is NOT COMMUNICATED to third parties, unless legally required No risk No risk

A copy of the service contract with GSI and the data protection contract signed between the parties, which lists GSI as the contractor, has been obtained. The contract includes the provision of the security guard service and the video surveillance system via CCTV. It states that the staff is expressly committed in writing to maintaining confidentiality.
The representatives of ITAA inform that the security guards, employees of GSI, sign confidentiality commitments with the company, in which it is established the prohibition to reveal any type of information that has acquired in the performance of their functions without the express consent of GSI. A copy of the confidentiality agreement is attached.
They also inform that GSI employees are provided with data protection information for the proper performance of their duties. This information is provided to each employee and must be signed by each party, with each party retaining a copy of the document in question. As proof, in addition to the confidentiality commitment mentioned above, the circular on personal data security, the policy on the use and control of information and communication technologies, which includes information on restrictions on access to CCTV recordings, and the training acquired by the worker in question on the legal regulations governing security guards.
On the other hand, they point out the fact that the ports of the CCTV equipment are blocked, which would prevent the images from being downloaded to an external device, and that the only way to extract these images would be by recording the images shown by the screens of the video surveillance system through an external video recording device (mobile phone, video camera...).

It should be noted that, in order to access the control room, where the CCTV display screens are located, it is necessary to have an accreditation card for access control, a card that each security guard has. In addition, the aforementioned control room has a video surveillance camera and the presence of a security guard 24 hours a day.

As for the actions taken in order to minimize the adverse effects of video broadcasting, it is worth mentioning the fact that, on the part of the ITAA, the incident was self-reported to the AEPD on 02/08/2019 and that it was also reported to the police authorities on 07/08/2019. For its part, GSI imposed on the workers involved, both in the incident of aggression and in the recording of the video, a series of disciplinary measures that were made known to the rest of the workers, without mentioning the name of each employee involved, in addition to communicating the measures taken through a press release.
Finally, they highlight that they have valued the possibility of restricting the access of mobile phones to the control room; however, they consider that this option would be unfeasible as they understand that it is an essential working tool for security guards when communicating with ITAA.


In accordance with the investigative and corrective powers that Article 58 of Regulation (EU) 2016/679 (General Regulation on Data Protection, hereinafter RGPD) grants to each supervisory authority, and in accordance with the provisions of Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.


The RGPD broadly defines "personal data security breaches" (hereinafter referred to as security breaches) as "all security breaches that result in the accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed.

In the present case, it is known that a security breach of personal data occurred in the circumstances indicated above, categorized as a confidentiality breach due to improper access to data viewed by the security cameras of the ITAA video surveillance control center and subsequently disclosed to third parties through the Whatsapp application.

However, it is also recorded that ITAA had technical and organizational measures to deal with an incident like the one analyzed here, which has allowed detection,

identification, analysis and classification of the security breach of personal data as well as the diligent reaction to it in order to notify, communicate and minimize the impact and implement reasonable measures to prevent its repetition in the future through the implementation of an action plan previously defined by the figures involved the controller.

The adoption of procedural measures should also be assessed, urging the opening of disciplinary and judicial proceedings through the appropriate police report, for the purpose of charging the facts and repairing the damage caused.

The final report after monitoring and closing the gap and its impact is a valuable source of information with which to feed future risk analysis and management. The use of this information will serve to prevent the repetition of the impact of a gap.

Therefore, it has been accredited that the action of the claimed party as the entity responsible for the processing has been in accordance with the regulations on the protection of personal data analysed in the previous paragraphs.

Therefore, in accordance with what has been indicated, by the Director of the Spanish Data Protection Agency


FIRST: PROCEEDING TO THE ARCHIVE of the present proceedings.


In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to the provisions of art. 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within the period of one month starting from the day following the notification of this decision or directly an administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Act.

Mar Spain Martí
Director of the Spanish Data Protection Agency