AEPD - PS/00054/2021
|AEPD - PS/00054/2021|
|Relevant Law:||Article 32(1) GDPR|
|Parties:||Electrotecnia Bastida SL|
|National Case Number/Name:||PS/00054/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
The Spanish DPA (AEPD) fined a controller €3000 for the infringement of Article 32(1) GDPR, due to a data breach that was caused by the abandonment of several envelopes containing confidential medical data in a field.
English Summary[edit | edit source]
Facts[edit | edit source]
The Spanish DPA (AEPD) received a report from the Spanish National Guard saying that they had found several envelopes containing confidential medical data abandoned in a field.
The AEPD launched an investigation and discovered that the responsible for this was a company called Electrotecnia Bastida SL, and that the data corresponded to 29 of their employees. The envelopes, labelled "confidential", contained the names and surnames of the employees and two health reports about them. After their finding, the police contacted the administrator of the company in their address, who was not able to provide an explanation.
After receiving the report, the AEPD also tried to contact the company for an analysis of the case, measures to be taken and asking for documentation, without receiving any answer.
Dispute[edit | edit source]
Was there a breach of security that caused the unauthorized disclosure of personal data, thus leading to an infringement of Article 32(1) GDPR?
Holding[edit | edit source]
The AEPD concluded that there had been an unauthorized disclosure of personal data that caused a data breach. The AEPD therefore found that there had been a violation of Article 32(1) GDPR and fined Electrotecnia Bastida SL €3,000.
In order to establish the amount of the fine, the AEPD took into account the following factors:
- The nature and severity of the infringement, given the sensitive nature of the data.
- The fact that the processing was merely local.
- The high number of people affected (29).
- The lack of collaboration and the lack of adoption of measures by the company.
- The absence of intention.
- The fact that the processing was related to the company activities.
- The small size of the company.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9 Procedure No.: PS / 00054/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: D. G. DE LA GUARDIA CIVIL - MAIN POST OF *** LOCALIDAD. 1 (hereinafter, the claimant) on 08/07/2019 sent an official letter to the Spanish Agency for Data Protection, in which a written document is attached for possible violation of data protection regulations. The claim is directed against ELECTROTECNIA BASTIDA, S.L. with CIF B96466461 (hereinafter, the claimed one). The reasons on which the claim is based are that in an open field of the polygon industrial area of the town is in a state of abandonment envelopes containing confidential medical information, containing personal data corresponding to workers of the claimed. SECOND: In view of the facts denounced and the documents provided by the claimant of which this Agency has become aware, the Subdirectorate General of Data Inspection proceeded to carry out actions for the clarification of the facts in question. On 10/15/2019, the claim submitted for analysis was transferred to the defendant. and communication to the complainant of the decision taken in this regard. Likewise, required him to send within a month to the determined Agency information: - Copy of the communications, of the adopted decision that has been sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received the communication of that decision. - Report on the causes that have motivated the incidence that has originated the claim. - Report on the measures adopted to prevent the occurrence of similar incidents. - Any other that you consider relevant. The defendant has not responded to the request made by the Agency Spanish Data Protection. THIRD: On 06/08/2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim filed by the claimant against the defendant. FOURTH: On 02/12/2021, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged infringement of article 32.1 of the RGPD, typified in article 83.4.a) of the aforementioned RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/9 FIFTH: Notified the initiation agreement, the one claimed at the time of the present resolution has not submitted a brief of allegations, so it is applicable indicated in article 64 of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations, which in its section f) establishes that in case of not making allegations within the term provided on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise statement about the responsibility imputed, for which a Resolution is issued. SIXTH: Of the actions carried out in this proceeding, there have been accredited the following: PROVEN FACTS FIRST: On 08/07/2019 the G.C. of *** LOCALIDAD. 1 sent official letter to the AEPD, in which it attaches a written document for possible violation of the regulations on the protection of data for the claimed, motivated by the abandonment of medical documentation confidentiality of its workers, in a wasteland of the industrial park of the location. SECOND: Report of the G.C. in which it is indicated that the patrol of the post went to the industrial estate taking photographs of the place where found the documents, collecting the same that were transferred to the barracks; that the documents are 29 envelopes, two of them open, from the Clinic *** CLÍNICA.1 (Management of medicine and prevention, SL) appearing in each of them the name and surname of the workers of the complained party who request a "Exam specific to health ”; examining one of the envelopes that was open and inside there are two reports: "Specific health exam" and a second two-page report of the clinic *** CLÍNICA.2 de *** LOCALIDAD.2 (Valencia); that On 06/25/2019, the agent signing the report appeared at the address of the claimed and identified the entity's administrator, who could not give an explanation of the abandonment of the documentation of its workers in the field. It is also recorded in the Report of the list of the 29 people affected for the facts together with the date of the specific health examination. THIRD: There is a photographic report, providing a general photograph of the abandoned documentation, 29 envelopes; as well as a detailed photograph of one of the envelopes containing the confidential letterhead. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Article 58 of the RGPD, Powers, states: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/9 "two. Each supervisory authority shall have all of the following powers corrective measures listed below: (…) b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provided in this Regulation; (…) " Article 5 of the RGPD establishes the principles that must govern the treatment of personal data and mentions among them that of "integrity and confidentiality". The aforementioned article points out that: "one. The personal data will be: (…) f) treated in such a way as to guarantee adequate security of the personal data, including protection against unauthorized processing or illicit and against its loss, destruction or accidental damage, through the application appropriate technical or organizational measures ('integrity and confidentiality »)”. (…) III The denounced events materialize in the abandonment in a wasteland of the industrial estate of the town of *** LOCALIDAD.1, documentation containing confidential data of a personal nature enabling access to third parties; data that correspond to workers of the claimed, violating the regulations on data protection. Article 32 of the RGPD "Security of treatment", establishes that: "one. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for people's rights and freedoms physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, that in your case include, among others: a) pseudonymisation and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the safety of the treatment. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/9 2. When evaluating the adequacy of the security level, particularly the take into account the risks presented by the data processing, in particular as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to such data. 3. Adherence to a code of conduct approved in accordance with article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the this article. 4. The person in charge and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the controller or the manager and have access to personal data can only process said data following instructions of the person in charge, unless it is obliged to do so by virtue of the Law of the Union or of the Member States ”. The violation of article 32 of the RGPD is typified in article 83.4.a) of the aforementioned RGPD in the following terms: "4. Violations of the following provisions will be sanctioned, in accordance with with paragraph 2, with administrative fines of maximum EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43. (…) " For its part, the LOPDGDD in its article 73, for the purposes of prescription, qualifies of "Violations considered serious": "Based on the provisions of article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with as required by article 32.1 of Regulation (EU) 2016/679 ”. (…) " IV The GDPR defines personal data security breaches as “All those security violations that cause the destruction, loss or accidental or illegal alteration of personal data transmitted, stored or processed otherwise, or unauthorized communication or access to said data ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/9 From the documentation provided to the file there are evident indications of that the respondent has violated article 32 of the RGPD, when an incident of security, as documents containing sensitive personal data are abandoned of workers of the claimed, allowing access to them by third parties with breach of the established measures. It should be noted that the RGPD in the aforementioned precept does not establish a list of the security measures that are applicable according to the data that are object of treatment, but establishes that the person in charge and the person in charge of the treatment will apply technical and organizational measures that are appropriate to the risk involved in the treatment, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the treatment, the risks of probability and seriousness for the rights and freedoms of the persons concerned. Likewise, security measures must be adequate and proportionate to the risk detected, noting that the determination of the measures technical and organizational must be carried out taking into account: pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability, and resilience, the ability to restore availability and access to data after a incident, verification process (not audit), evaluation and assessment of the effectiveness of the measures. In any case, when evaluating the adequacy of the security level, the particularly take into account the risks presented by data processing, such as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data and that could cause damages physical, material or immaterial. In this same sense, recital 83 of the RGPD states that: “(83) In order to maintain security and prevent the treatment from infringing the provided in this Regulation, the person in charge or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as the encryption. These measures must guarantee an adequate level of security, including the confidentiality, taking into account the state of the art and the cost of its application with respect to the risks and the nature of the personal data that must protect yourself. When assessing risk in relation to data security, you should take into account the risks arising from the processing of personal data, such as accidental or illegal destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or communication or access does not authorized to said data, susceptible in particular to cause damages physical, material or immaterial ”. In the present case, as stated in the facts and in the framework of the investigation file E / 09606/2019, the AEPD transferred to the defendant the 10/15/2019, the claim submitted for analysis requesting the contribution of information related to the incident claimed, without it having been received in this body any response. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/9 The defendant's liability is determined by the bankruptcy of security demonstrated by the claimant, since he is responsible for taking decisions aimed at effectively implementing technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk to ensure the confidentiality of the data, restoring its availability and preventing access to them in the event of a physical or technical incident. However, from the documentation provided it is clear that the entity has not only breached this obligation, but also the adoption of measures in this regard is unknown, despite of having given him transfer of the claim presented. In accordance with the foregoing, it is estimated that the claimed would be allegedly responsible for the violation of the RGPD: the violation of article 32, offense typified in its article 83.4.a). V In order to establish the administrative fine to be imposed, they must observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which they point out: "one. Each supervisory authority will guarantee that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute title for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of affected stakeholders and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to establish remedy the violation and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infraction and, in such case, what extent; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/9 i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person responsible or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatments of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a delegate for the protection of data. h) The submission by the person in charge or in charge, with character voluntary, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested." - In accordance with the transcribed precepts, in order to set the amount of the sanction of a fine to be imposed in the present case for the offense typified in the Article 83.4.a) of the RGPD for which the claimed person is responsible, in a valuation initial, the following factors are considered concurrent: The nature and severity of the infringement given that it is data especially sensitive workers of the claimed. The merely local scope of the treatment carried out by the entity claimed. The high number of people whose data has been affected by the offending conduct (29). The claimed entity does not record that it has adopted measures to prevent produce similar incidents; It has not responded to the request either informative from the Agency which affects the absence of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of it. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/9 There is no evidence that the entity acted fraudulently, although the performance reveals a serious lack of diligence. The linking of the offender's activity with the performance of treatment of Personal data. The claimed entity is a small business. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE ELECTROTECNIA BASTIDA, S.L., with CIF B96466461, by an infringement of article 32.1 of the RGPD, typified in article 83.4.a) of the RGPD, a fine of € 3,000 (three thousand euros), in accordance with article 73.g) of the LOPDGDD. SECOND: NOTIFY this resolution to ELECTROTECNIA BASTIDA, S.L., with CIF B96466461. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Once the notification has been received and once it is executed, if the date of execution is finds between the 1st and the 15th of each month, both inclusive, the deadline to carry out the Voluntary payment will be until the 20th of the following or immediately subsequent business month, and if is between the 16th and last days of each month, both inclusive, the term of the payment will be up to the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day following notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/9 the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be suspended in an administrative way If the interested party expresses his intention to file a contentious appeal- administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too must forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, I would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es