AEPD (Spain) - E/08452/2019

From GDPRhub
(Redirected from AEPD - E/08452/2019)
AEPD (Spain) - E/08452/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(12) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Investigation
Outcome: No Violation Found
Published: 03.02.2020
Fine: None
Parties: Department of Education w/ Benidorm City Council
National Case Number/Name: E/08452/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD found that the City of Benidorm had appropriate technical and organisational measures in place following a personal data breach.

English Summary

Facts and questions arising

The AEPD received a data breach notification by the city of Benidorm. In postings regarding provisional resolution on “psychopedagogical aids”, data regarding the applicants of aid was posted.

The information included identification data (name and surname, ID of parents; name and surnames of minors); economic data (treatment costs, bank account, amount and postponement); health data (the applied treatment and end of it), as well as other data (school and reasoning for refusal).


The AEPD found that there had been a “personal data breach” pursuant to Article 4 (12) of the GDPR as a result of the publication on the municipal website regarding the provisional resolution on psychopedagogical aid grants. As the investigation showed that the Benidorm City Council had reasonable protocols for such incidents, and reacted in a timely manner to minimize the impact and to avoid it reoccurring in the future, no fine was imposed. No affected data subjects had filed a complaint or been in contact with the AEPD.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure Nº: E / 08452/2019

Of the actions carried out by the Spanish Agency for Data Protection and based on the following

FIRST: On August 16, 2019, the CITY COUNCIL OF BENIDORM,
with NIF P0303100B, it notifies the Spanish Agency for Data Protection (as far as successive AEPD) who have had knowledge through the media that the Department of Education stated, in the Education section of the municipal website, the provisional resolution of psychopedagogical aids in which are a series of personal data of minors, their parents, mothers or guardians and of the treatments they are receiving.

SECOND: On September 11, 2019, the Director of the AEPD urges the Subdirectorate General for Data Inspection to proceed with the realization of previous actions of investigation for the clarification of the facts object of
the security breach notification, having knowledge of the following extremes:

Bankruptcy notification date: August 16, 2019

CITY COUNCIL OF BENIDORM with NIF P0303100B with domicile in PLAZA DE

1. On August 16, 2019, you have access to the Spanish Agency of Data Protection a security breach notice sent by the City of Benidorm, which includes a report of violation of security from which the following follows:

1.1. Chronology of the facts:
• On Monday, August 5, 2019, the Department of Education presented both in the Bulletin Board as in the Education section of the page
municipal website, the provisional resolution of psychopedagogical aids. In it contains a series of data on the resolution and was intended to give a minimum information on the subject, since this exhibition serves to correct errors (provisional resolution). Families can formulate claims or observations deemed appropriate.

• On Wednesday, August 14, 2019, the City Council has knowledge of this public exhibition through the news published in the newspaper
digital “” in which the PSOE is denounced to the City Council of Benidorm for the publication on the website of this City Council of phases corresponding to the granting of psychopedagogical aids

• On Thursday, August 15, 2019, web access to said website has been removed information and the Data Protection Delegate is officially notified the incident, proceeding to the elaboration of the report of violation of

1.1. Categories of affected:
Aid applicants (minors and their representatives).

1.2. Number of records: 100

1.3. Committed personal data:
• Identification data (name and surname, ID of parents; name and surnames of minors).
• Economic data: treatment costs, bank account, amounts to reintegrate and postponement.
• Health data: applied treatment and end of this.
• Others: school, reason for refusal of help

1.1. Description of detected risks
Improper access to personal information by third parties to the website of Benidorm

1.2. Description of measures taken
The content of the URL that communicated the character data has been removed denounced personnel.

2. On September 20, 2019, it is requested by the Data Inspection at Benidorm City Council additional information and documentation in relation to the facts reported, having entry dated October 10, 2019 written response that follows:

2.1. Provide a copy of the Activity Log of the treatments: The record Affected is the content in item "3.12.1. Education Area" (page 169)under the name of "TREATMENT ACTIVITY 02_ SCHOLARSHIP MANAGEMENT AND HELPS";

2.2.They provide information on Risk Analysis and Assessments of Impact of the treatments where the incidence has occurred: They have the Sandas GRC management tool, from which they have generated reports related to risk analysis and asset valuation(treatments)existing in the City of Benidorm;

2.3 Provide information on the procedure established in the event of gaps in Security: They have a protocol for action and notification in this regard which provide.

2.4. They do not know those possible uses by third parties of the information because they cannot Control who has accessed this document. However, the above, The gap was publicly disseminated through the news published in the ""

2.5 They are not aware that there have been complaints by the affected stakeholders or through the channel enabled for it in the City Council, or to the environment that He published it.

According to the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General data protection regulation, hereinafter GDPR) grants to each supervisory authority, and as provided in article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent for resolve these research actions the Director of the Spanish Agency of Data Protection.

The GDPR defines, in a broad way, the “data security breaches personal ”(hereinafter bankruptcy of security) as“ all those violations of the security that causes the destruction, loss or accidental or unlawful alteration of personal data transmitted, preserved or otherwise processed, or the unauthorized communication or access to said data. ”

In the present case, there was a bankruptcy of personal data security in the circumstances indicated above, categorized as a possible breach of confidentiality as a result of publication by the Department of Education on the municipal public access website of the provisional resolution of the grants of psychopedagogical aids. The investigation shows that the Benidorm City Council had reasonable preventive technical and organizational measures to avoid this type of incidents and according to the level of risk.

Likewise, the Benidorm City Council had action protocols for face an incident like the one now analyzed, which has diligently allowed the identification, analysis and classification of the personal data security breach as well as the diligent reaction to it in order to notify, minimize the impact and implement new reasonable and timely means to avoid repeating the impact on the future through the implementation and effective execution of a plan acting by the different figures involved as they are responsible for the Treatment and Data Protection Delegate.

There are no claims before this Agency of those affected.

Consequently, it is stated that the Benidorm City Council previously had of reasonable technical and organizational measures depending on the level of risk for avoid this type of incident and that when they are insufficient they have been updated of diligently proceeding quickly to remove from the municipal website of public access the nominative list of subsidies granted and denied. It also states that the subsequent final resolution was published in a manner anonymized by entering the initials of the name and surname of the beneficiaries. In addition, the City of Benidorm prepared a Final Report on traceability of the event and its valuation analysis, in particular, regarding the final impact. East Report is a valuable source of information with which the analysis should be fed and risk management and will serve to prevent the repetition of a similar gap characteristics such as the one analyzed predictably caused by a specific error.

Therefore, it has been proven that the performance of Benidorm City Council as entity responsible for the treatment has been in accordance with the regulations on protection of personal data analyzed in the previous paragraphs. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection,


FIRST: PROCEED TO THE FILE of these proceedings.

SECOND: NOTIFY this resolution to the CITY COUNCIL OF BENIDORM with NIF P0303100B and domiciled in PLAZA DE SS. MM. THE KINGS OF SPAIN, NUM 1 - 03501 BENIDORM (ALICANTE).

In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once the interested parties have been notified.

Against this resolution, which ends the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, of the Procedure Common Administrative of Public Administrations, and in accordance with the established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the interested parties may, optionally, lodge an appeal for reinstatement before the Director of the Spanish Agency for Data Protection within one month to count from the day after notification of this resolution or directly administrative contentious appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the
referred Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection