AEPD - E/08501/2019

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 33 GDPR
Type: Investigation
Outcome: n/a
Decided: n/a
Published: 21.01.2020
Fine: n/a
Parties: CaixaBank S.A.
National Case Number: E/08501/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD decided that the corrective actions taken by CaixaBank S.A. after the reported data breach were in accordance with the data protection law.

English Summary

Facts

On 30 May 2019 CaixaBank S.A. notified the Spanish Data Protection Agency (AEPD) of a security breach involving paper documentation relating to its customers that had been deposited in a public waste container. There was no evidence that the documentation contained personal data, but this could not be ruled out.

On 12 September 2019, the director of the AEPD agreed to initiate an investigation to clarify the facts that were not mentioned in the notification.

CaixaBank S.A. submitted further documentation and a security protocol which was in place during the data breach.

Dispute

In the present case, it is presumed that the personal data breach occurred in the circumstances categorised as a possible breach of confidentiality as a result of the deposit in public access containers of documentation on clients of the entity during a transfer.

In the present case, there is no evidence that such documentation contained personal data of the Bank's clients. The investigation revealed that CaixaBank S.A. had taken a number of technical and organisational measures to prevent this type of incident, and these measures were passed on to the collaborating agencies and employees.

It is also noted that on the occasion of the incident, an impact assessment was carried out on the affected treatments and technical and organisational improvements were implemented.

Holding

As a result of the investigation and taking into account all the risk minimisation corrective actions after the data breach, the AEPD found that the actions taken by CaixaBank S.A. as the entity responsible for the processing were in accordance with the law on personal data protection.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: E/08501/2019 940-0419

RESOLUTION OF ACTIONS 

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On 30 May 2019 the entity CAIXABANK, S.A. (hereinafter CAIXABANK) notified this Agency of a security breach relating to the paper documentation of customers deposited in a public waste container, among which there is no evidence, but it could not be ruled out, that there were personal data.

SECOND: On September 12, 2019, the director of the Spanish Data Protection Agency agreed to initiate investigative actions urging the Subdirectorate General of Data Inspection to proceed with the realization of investigations to clarify the facts that were the object of the notification, having knowledge of the following points:

INVESTIGATED ENTITIES

CAIXABANK S.A. with NIF A08663619 and domiciled in C/ PINTOR SOROLLA 2-4 - 46002 VALENCIA (VALENCIA)

RESULTS OF THE INVESTIGATION ACTIONS

With regard to the facts

Caixabank has communicated to this Agency the following facts in the notification of security work: "During the transfer of an office of the entity, some boxes with confidential documents for internal use, among which it is not stated, but it has not been ruled out, that there were personal data, were deposited in the wrong waste container (not dedicated to paper destruction) that took 3 days to be removed from the public road."

They declare that they found out about the gap through comments on a social network. Caixabank states the approximate number of people affected by the gap as zero.

Caixabank was asked to print the commentary published on the social network, which reads: "It is normal that a huge amount of internal papers from the branch 4364-AUDITORIUM are thrown in a container of works in Valencia? This is internal documentation with details of customer accounts, reports, etc... from 1999 to 2004! ..."

In the report made by the entity, which includes the investigations carried out as a result of the incident detected, a possible account of the events is included:

"In the final work of emptying the furniture, documentation, equipment, materials and equipment and cleaning of the integrated office, which was carried out on Friday 24 May, two cardboard boxes were removed from the office which had been erroneously classified by the Office as obsolete advertising material and were therefore considered to be waste. [...] All the material resulting from the final work that was classified as waste was transferred to the management facility located in the Campanar district of Valencia's municipal district in the late afternoon of Friday 24 May. This facility was closed at that time so the material was deposited in the containers located for that purpose at the access to the facility with the idea that they were treated for management and destruction by the facility the next working day, Monday 27/5. During the period of time that elapsed between Friday afternoon/night (when the material was deposited there) and the first hour of Monday (when it was managed and destroyed), the deposited materials (including documentation incorrectly classified at source) were placed in the aforementioned containers. It was in these containers (or around them) where the complainant located the reference documents and proceeded to make the complaint through social networks. It can be assumed that someone, at some point prior to the arrival of the denouncer, must have rummaged through these containers, breaking and/or emptying the boxes of documents mentioned and that they arrived there closed, thus exposing their contents".

In response to the Agency's request for information, the representatives of CaixaBank stated: "This incident was communicated to the Agency as a matter of prudence, since neither at the time nor at the date of issue of this letter has it been confirmed that the documents deposited in the destruction containers referred to in this procedure actually contained personal data. In particular, it is not possible to determine from the photograph that accompanied a citizen's commentary published on social networks that this incident was brought to our attention whether the documents thrown into the container included personal data (books, a financial report of a legal entity, accounting balances of CaixaBank branches, etc.)."

With respect to the measures implemented before the breach

Caixabank has provided the following information and documentation at the request of the Data Inspection Authority:

- With respect to general security policies and measures: Caixabank has provided a copy of the Registry of Processing Activities, in which they are recorded as activities: (i) Transfer of paper documentation and (ii) Destruction of paper documentation. The representatives of Caixabank indicate that the data processing activities that were compromised were carried out before the General Data Protection Regulation came into force and have not been modified in any way, so it was not necessary to carry out a Risk Analysis or an Impact Assessment, and that, notwithstanding the above, in response to the security breaches that have occurred, the process has been initiated to carry out the corresponding impact assessment.

The entity has implemented a procedure for the management of security breaches, a copy of which has been provided.

With regard to specific policies for the transfer/destruction of documentation, in order to guarantee the security of documentation and material in paper format during the branch integration process, CaixaBank has had a Branch Integration Protocol in place since October 2018, which specifies how to act during the transport of documentation and which security measures must be adopted.

A copy of the Branch Integration Protocol is provided. Section three of the Branch Integration Protocol refers to the operational aspects and defines the tasks to be carried out during the branch integration process in all matters relating to the transfer and destruction of documents and paper material. According to the Protocol, documentation is treated differently depending on whether it contains confidential client information or simply paper-based material, mainly advertising material, posters, etc. According to the provisions of the Office Integration Protocol, days before the transfer of documentation and paper-based material, the office to be transferred is obliged to separate all the archives, distinguishing (i) documentation to be destroyed, (ii) documentation to be filed and (iii) documentation to be sent to the receiving office. Once classified, the documentation must be stored in boxes, clearly indicating what type of documentation it contains and then transported.

They also provide a copy of the CaixaBank Facilities Management Integration Task Protocol, which defines the functions and responsibilities in relation to the transport and destruction of documentation in the case of office integrations. Under this protocol, branches must first destroy all documentation in accordance with the internal standards of CaixaBank. Once this has been done, the branch must determine which documentation must be sent and stored at the integrating branch and which must be filed at a third branch or removed by third party file management companies. Once all the documentation is classified and packed in boxes, it is then moved. The transfer is supervised by the technical service. All the documentation that has not been destroyed on the day the office closes is transferred to the integrating office, with a copy of the integration protocol of LEVIRA Spain, the supplier contracted to transport the boxes.

According to the protocol, the documentation is only handled by the office and is always packed in the transfer boxes, so that LEVIRA employees never have access to the documentation. As an additional security measure, it establishes the obligation to count the number of boxes that are withdrawn and the number of boxes that are delivered, confirming if the number coincides. The number of boxes must be noted in the register and both the issuing and receiving offices must sign it.

- Regarding the reason why the measures implemented could not serve to avoid the alleged access to the documentation by a third party, the representatives of the entity state:

Before analyzing the possible reasons why the described security measures were not sufficient to avoid the access to the documentation by a third party, Caixabank wants to show that numerous integrations of offices have been carried out without any incident. Specifically, the only two incidents that occurred were notified to the Spanish Data Protection Agency on 20 March and 30 May 2019.

They understand that the security measures provided for in the protocols in force prior to the security breach that occurred were effective and have been effective in general, and as to why the existing measures did not prevent the incident, they conclude that, as described in the protocols, in office integration processes, the responsibility for classifying the documentation and deciding when it should be destroyed in a confidential manner, which should be filed and which should be transferred directly to the integrating office, lies with the offices. In this way, it was the offices themselves that decided whether paper material should be destroyed on a routine basis, i.e., without the guarantees of destruction of confidential documentation. This process implies that the classification of the documentation as confidential or as mere paper-based material depended on the criteria of the office staff, and therefore there was a margin of error.

With respect to the actions taken and the measures implemented as a consequence of the occurrence of the breach

Caixabank has provided a copy of a report that includes the investigations carried out as a result of the incident detected during the documentation transfer phase in the integration of offices 4364 and 5052. The report details the analysis of the actions carried out by each of the parties involved in the integration process of offices 4364 and 5052. It includes a chronological list of the actions carried out during the integration, a detailed description of the incident that occurred and a proposal for corrective measures.

An action plan has been drawn up to modify the Integration Protocols of the offices and add additional security measures. A copy of the modified version of the Integration Protocol, dated May 2019, is included in the action plan drawn up to reinforce the guarantees of the office integration protocols and to strengthen the traceability and centralisation of the archive. Specifically, these measures are:

(i) Assurance of the early delivery of material (boxes) to the office to facilitate the appropriate classification of the documentation to be transferred to the integrating premises, documentation to be transferred to the Centralised Archive and documentation to be managed by means of confidential destruction.
(ii) Classification of all documentation into one of the three groups indicated. All documentation that is not transferred to the destination location or that is not filed centrally must be managed by confidential destruction.
(iii) The documentation to be transferred will be organized in boxes that will be numbered and classified, leaving a photographic record both in the location of origin and destination.
(iv) The supplier in charge of the confidential destruction will always be summoned at the time of closing of the integrated premises in order to manage any documentation that may arise at the last moment.
(v) The offices will sign a delivery note showing the documentation from the office of origin and the documentation that arrives at the office of destination.
(vi) An employee of the office must always be present in both locations when the transfer work is carried out.
(vii) At the beginning of the integration campaign, the delivery of the current integration protocol to the intervening technical services must be expressly recorded.
(viii) An incident register is created for the transfer and integration processes so that they can be traced.

The action plan expressly indicates that all the modifications and safety measures described must be incorporated into the protocols in force and communicated to the intervening agents. The incorporation of the above security measures into the protocols is intended to ensure greater traceability of the actions carried out in the integration processes of the offices and greater security of the documentation as all materials on paper are treated as confidential documents.

According to the powers of investigation and correction that Article 58 of Regulation (EU) 2016/679 (General Regulation on Data Protection, hereinafter referred to as GDPR) grants to each supervisory authority, and in accordance with the provisions of Article 47 of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter referred to as LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.

The GDPR defines, in a broad way, the "personal data security violations" (from now on security breach) as "all those security violations that cause the destruction, loss or accidental or illicit alteration of personal data transmitted, kept or otherwise treated, or the unauthorized communication or access to such data".

In the present case, it is presumed that a breach of security of personal data occurred in the circumstances indicated above, categorised as a possible breach of confidentiality as a result of the deposit in public access containers of documentation on clients of the entity during an unbundling transfer. However, in the present case, there is no evidence that such documentation contained personal data of clients.

The investigation revealed that Caixabank had taken a number of technical and organisational measures to prevent this type of incident, and these measures were passed on to the collaborating agencies and employees. Likewise, Caixabank had action protocols to deal with an incident like the one analyzed here, which allowed for the identification, analysis and classification of the personal data security breach as well as the diligent reaction to it in order to notify and communicate, minimize the impact and implement new reasonable and timely measures to avoid the repetition of the incidence in the future through the implementation and effective execution of an action plan by the various figures involved such as the person responsible for the treatment and the collaborating agencies as managers, as well as the Data Protection Delegate.

It is also recorded that on the occasion of the incident, an impact assessment was carried out on the affected treatments and technical and organisational improvements were implemented. As a result, it is recorded that Caixabank had reasonable technical and organizational measures in place to avoid this type of incident and that, as they were insufficient, they were diligently updated.

However, in order to close the security gap, it is suggested that a Final Report be drawn up on the traceability of the event and its assessment, particularly with regard to the final impact. This report is a valuable source of information to feed into risk analysis and management and will serve to prevent the repetition of a gap of similar characteristics as the one analyzed, which could be caused by a specific error.

III

Therefore, it has been accredited that the action of Caixabank as the entity responsible for the processing has been in accordance with the regulations on personal data protection analysed in the previous paragraphs.

SECOND: TO NOTIFY the present resolution to CAIXABANK S.A. with NIF A08663619 with address in C/ PINTOR SOROLLA 2-4 - 46002 VALENCIA (VALENCIA)

In accordance with the provisions of article 50 of the LOPDGDD, the present resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to the provisions of article 114.1.c) of Law 39/2015, of 1st October, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this decision or from the day of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the above-mentioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency