AEPD - E/06179/2019
|AEPD - E/06179/2019|
|Relevant Law:||Article 32 GDPR|
Article 33 GDPR
Article 34 GDPR
|Outcome:||No further action|
|Decided:||5. 2. 2020|
|Published:||5. 2. 2020|
|National Case Number/Name:||E/06179/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish Data Protection Agency (AEPD) decided not to take further actions on Telefónica as data controller for a possible personal data breach affecting confidentiality, as per Article 32 GDPR.
The decision is the consequence of the notification of a possible personal data breach submitted by Telefónica (data controller) stating that some documentation (backup records) to be kept by an external security company located in Luxembourg (data processor) affecting to different categories of subjects (clients and directors/employees) and personal data (name, surname, email, address, national ID number, IBAN, employment agreement, insurance agreement, pension scheme), may have lost and accessed by third parties.
The AEPD started the corresponding investigation, and Telefónica provided a copy of its communications with the different data processors involved, as well as a copy of the data processing agreements. Such investigation proved that (1) the data controller made a visit to the data processor's premises in order to verify its security measures, (2) the data controller reacted promptly not only by contracting a forensics service with an external company, but also taking external measures to prevent new breaches, (3) the data controller internally made a full Internet research of the affected personal data through a specialized cyber team, without any results in the deep neither in the dark web, and (4) due to the huge volume of affected subjects, the data controller clearly identified those that shall be informed: those relating to health, IBAN and photocopy of national ID numbers.
Thus, with basis on the GDPR definition of personal data breach, the AEPD understood that Telefónica has complied with is personal data obligations and decided not to take further actions, according to these facts: (1) there is no proof that the affected data has been accessed by third parties, (2) the data controller complied with reasonable and adequate technical and organizational security measures, (3) the data controller has internal procedures that allowed a quick reaction, (4) complaints from possible affected subjects have not been received, (5) the data controller drafted a final report on the event traceability and value analysis that will be extremely useful to prevent further breaches.
Add your comment here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
To be added