AEPD - PS/00187/2020

From GDPRhub
AEPD - PS/00187/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 25 GDPR
Article 32 GDPR
Article 34 GDPR
Article 77 LOPDPGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided: 16.11.2020
Published:
Fine: None
Parties: Secretaría General para la Innovación y Calidad del Servicio Público de Justicia
National Case Number/Name: PS/00187/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falco

The Spanish DPA (AEPD) imposed a warning sanction against the Secretary General for Innovation and Quality of the Public Justice Service for a security breach (Articles 5(1)(f), 25, 32 and 34 GDPR), in the process of granting nationality and residence to immigrants.

English Summary[edit | edit source]

Facts[edit | edit source]

On 14 January 2020, the Subdirectorate-General for Nationality and Civil Status notified the Spanish DPA (hereinafter AEPD) of a security breach of personal data dated 22/11/2019 after becoming aware through an e-mail by a citizen of notification of granting of Spanish nationality corresponding to another person.

The notified security breach concerned 34 affected persons and subsequently incorporated 2 more, up to 36. These breaches all related to decisions of nationality being unduly shared with third parties. The security breach was communicated to the interested parties on 16/01/2020.

The security gap had its technical origin in a modification in the process of generating decisions to grant nationality by residence that had been made in the application for processing nationality by residence files.

Dispute[edit | edit source]

Is the infringement of the principles of integrity and confidentiality in granting nationality and residence a breach of Articles 5(1)(f), 25, 32, and 34 GDPR?

Holding[edit | edit source]

The Secretary-General for Innovation and Quality of the Public Justice Service (SGICSPJ) did not apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk. This is evident as it has been proven that third parties had access to information reserved for the interested party (the applicant, a Spanish national) as a result of the malfunctioning of the new version of the application.

The AEPD considered Articles 25, 32 and 34 GDPR in relation to Article 5(1)(f) GDPR to have been infringed as a result of the security breach caused by the transmission of personal data to third parties in the processes of granting Spanish nationality and the residence permit of foreign nationals.

Comment[edit | edit source]

Since Article 77 of the Organic Law on the Protection of Personal Data and Guarantees of Digital Rights (LOPDPGDD) limits the penalties for infringements by public administrations to a warning, no pecuniary fine was imposed on the offending public administration in this case.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/17








     Procedure No.: PS / 00187/2020




                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and with
based on the following



                                   BACKGROUND

FIRST: On January 14, 2020, the Subdirectorate General for Nationality
and Civil Status (hereinafter, SGNEC) attached to the General Directorate of Registries and
of the Notary Public (currently the General Directorate of Legal Security and Public Faith, in

hereinafter, DGSJFP) currently organically and functionally dependent on the
General Secretariat for Innovation and Quality of the Public Justice Service (in
hereinafter, SGICSPJ) of the Ministry of Justice, notifies this Spanish Agency for
Data Protection (hereinafter, AEPD) a data security breach
personal information (hereinafter, security breach) after having knowledge through a

email by a citizen of a notification of granting of the
Spanish nationality corresponding to another person (treatment related to the
app *** APP.1).

The SGNEC contacted by telephone the director of the Technology Division of

Information and Communications of the Ministry of Justice (currently Division of
Technologies and Digital Public Services, hereinafter, DTSPD) to know the
nature and scope of the problem and the number of potential notifications affected.
Finally, having confirmed the security breach, the SGNEC states that it was decided to
stoppage of automated notifications until the cause and scope of the

incident and its resolution.

SECOND: On February 4, 2020, the director of the AEPD agrees
initiate investigation actions, for which the Subdirectorate General of Inspection
of Data proceeded to carry out preliminary investigation actions for the

clarification of the facts object of the notification, having knowledge of the
following extremes:
















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/17






BACKGROUND


Date of the events: *** DATE.1


Date of detection of the security breach: *** DATE.2


Date of notification of security bankruptcy: 01/14/2020

INVESTIGATED ENTITIES

General Directorate of Legal Security and Public Faith of the Ministry of Justice with
NIF S2813610I and DIR3 E00131304, and with address at Plaza de Jacinto Benavente 3,

28012 Madrid (organically and functionally attached to the SGICSPJ with NIF S2813610I and
DIR3 E05077001 as data controller).

RESULT OF INVESTIGATION ACTIONS

1. Regarding the facts:


     Around 2:30 p.m. on *** DATE.2, the SGNEC states that it
       received telephone communication regarding the receipt of an email

       electronic by a citizen of a notification of granting of the
       Spanish nationality by residence corresponding to another applicant. In that
       At the moment, the SGNEC contacted the DTSPD by telephone to find out the

       nature of the problem and the number of potentially
       affected by the security breach, and it was decided to stop the
       automated notifications until the cause of the incident is known and solved.

       No copy of the citizen's email is provided.

     The SGNEC informs that on January 13, 2020 it received from the DTSPD
       base report of the notification of the security bankruptcy that was communicated

       to the AEPD on January 14, 2020. From the aforementioned report, the SGNEC
       states that the incident reached 34 cases and subsequently incorporated

       another 2 more, up to 36, of the 23,394 nationality resolutions resolved
       until that moment. The intervention of the Delegate of Protection of
       Data as indicated in art 39 of the RGPD.


     The SGNEC declares that it has attached said report to the AEPD in its notification
       bankruptcy, and specifies the following:

       "The problem had its origin in a modification in the generation process

       of resolutions granting nationality by residence that had been
       made in the application *** APPLICATION.1, of processing of files of
       nationality by residence, on *** DATE.1 ”.


     The SGNEC informs that the detected failure originated when attaching the certificate
       of birth of the nationality applicant to the document of resolution of

       granting of nationality. The high number of resolutions generated from
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/17






       concurrently is the consequence of a reinforcement plan that punctually
       implies a scenario of high concurrence of requests. Likewise, the SGNEC
       adds that this reinforcement plan has involved the participation of a number

       much higher number of processing personnel than initially foreseen in the design of the
       application.

     The SGNEC indicates that the personal data affected in the breach of

       security would correspond to the NIE (Foreigner Identification Number),
       name, surname, place and date of birth, address at the time of

       submit the application, the concession of nationality and a copy of the
       birth certificate (which again includes date and place information
       birth and name and surname of the parents).


        The SGNEC reports that it has registered two other incidents of
       security of personal data, on 06/28/2019 and 10/31/2019,
       also with incorrect notifications due to the error of recipients when communicating

       concessions of nationality, with 11 and 70 people affected respectively
       and already solved. The SGNEC states that the incident that occurred on 06/28/2019
       derived from the process of sending telematic notifications for an incident in

       the application database, while that of 10/31/2019 consisted of
       an incorrect handling of exceptions in the case of saturation of different
       systems with which the application interacts, including the signature holder of the

       Ministry of Justice.

        The Data Inspection confirms that, on 09/05/2018, the
       AEPD issued a resolution of sanctioning procedure, of reference

       AP / 00049/2018, in which the now
       investigated to the General Directorate of Registries and Notaries
       dependent on the Undersecretary of Justice (now DGSJFP, dependent on the

       SGICSPJ). Specifically, in the aforementioned sanctioning file it was accredited
       that “The Information Technology and Communications Division of the

       Ministry of Justice reported that the service did not contemplate the attendance and
       he made a mistake when composing the birth certificate. He took and page that
       listed in the certificate are correct and correspond to the data of your

       birth registration, but the content with the digitized image are the
       of another request, that of marriage ”. (the underlining is from the AEPD).


2. Regarding the measures prior to the event of the security bankruptcy:

     The SGNEC is currently identified in the RAT (registry of
       treatment activities) of the Ministry of Justice as responsible for the

       processing of data in the management of applications for Spanish nationality.
       The SGNEC provides an internal working document to update the RAT in
       that DTSPD is specified as joint controller now

       analyzed as of January 2020.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/17






     The SGNEC states that it has carried out an EIPD (impact assessment
        on data protection) in June 2019, which contains an analysis of

        risks associated with the data processing it manages.

     The SGNEC has a report on actions derived from the EIPD in the

        management of applications for Spanish nationality, which aims to minimize
        the potential risks analyzed through the implementation of various
        corrective actions to reduce them to residual risks that have resulted

        be of high level.

     The DTSPD, as joint controller of the treatment (according to the RAT
        provided and in force since January 2020), has a procedure on

        the quality of the software projects of the Ministry of Justice throughout
        its entire life cycle, which serves as the basis for its construction and development in the
        defining the phases that govern the analysis and design of the solution, as well as

        the tests to be carried out in the different environments (development,
        integration, quality and pre-production), until its definitive implementation in the

        production environment, and active monitoring after it is put into production.

3. Regarding the measures after the occurrence of the security breach:


    3.1. Of a corrective nature (reactive to correct the security gap):

         The SGNEC states that, once the incident is known, on *** DATE.2 at
           2:30 p.m., the signature and notification process was blocked

           automated concessions of Spanish nationality in the application
           involved (*** APPLICATION.1).

         On Tuesday, January 14, 2020, the security breach is notified to the

           AEPD.

         The SGNEC states that on Wednesday, January 15, 2020 at 3:50 p.m.

           hours, the Citizen Folder is removed from the notifications
           electronic documents of the concessions of Spanish nationality issued with
           erroneous content when referring to another applicant for nationality.


         The SGNEC provides evidence that on Thursday, January 16, 2020, the
           72 notices electronically signed communicating the security breach

           both to the addressees of the resolutions and to the people who
           received erroneously, received acknowledgments were completed,
           envelopes and delivery notes for postal delivery to those interested.


         The SGNEC states that on January 21, 2020 the departure was registered
           from the General Registry of the Ministry of Justice the relationship of
           administrative notifications along with envelopes, acknowledgments and

           delivery notes for processing communications to interested parties.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/17






         The SGNEC informs that the signature process will be enabled again on the 23rd
           January 2020 at 3:40 p.m., not the notification process

           automatic granting of Spanish nationality that continued
           blocked as of February 26, 2020.

         The SGNEC states that as of Friday, January 24, 2020 at

           9:00 am they begin to make notifications of granting
           nationality manually after checking that the document

           to notify is correct.

    3.2. Of a preventive nature (proactive to avoid a repeat bankruptcy of
    security):


         DTSPD states that it has designed in the application *** APPLICATION.1
           a more robust measure that checks the content of documents
           of granting Spanish nationality prior to notification,

           in such a way that no document can be notified
           corresponding in contents with the treated file. SGNEC
           informs that a prior quality control protocol has been established (not

           details it) to ensure that the document to be notified is correct,
           the notification being carried out manually and supervised.

         The DTSPD states that the new version is in the testing phase

           of the application that incorporates in the notification process the reading and
           checking the content of the document to be communicated with character

           prior to notification. The SGNEC conveys that the new version of the
           application is (as of February 26, 2020) undergoing controls
           quality tests (functional tests, performance tests and

           concurrence).

         DTSPD reports having detected the source of the security breach

           in improper handling of temporary files when attaching
           the birth certificate to the nationality grant resolution.
           Additionally, the SGNEC highlights that it is working on the

           implementation of an automatic process that goes through the forms of the
           application and that allows to carry out a quality control in addition to the
           performed in the application options, in such a way as to guarantee

           that the resolutions granting Spanish nationality are
           notified correctly.

         On the date of this agreement to initiate the Data Inspection of the AEPD

           has not been informed of the progress and the guarantees established / implemented
           in the new app / version of grant notifications

           nationality, as well as the tests in the new version of November
           2019 carried out, risk analysis, impact assessment on the
           rights and freedoms of the interested parties and if the incident has been resolved.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/17






THIRD: On July 9, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of Article 32 of the RGPD, Article 5.1.f) of the RGPD, Article 25 of the

RGPD, typified in Article 83.5 of the RGPD.

FOURTH: On October 7, 2020, a resolution proposal was formulated,
proposing in the following terms:

<< That the Director of the Spanish Data Protection Agency sanctions

the General Secretariat for Innovation and Quality of the Public Justice Service, with
NIF S2813610I, by:
    1. Infringement of article 5.1.f) of the RGPD typified in article 83.5.a) of the RGPD
        with penalty of warning.
    2. Infringement of articles 25, 32 and 33 of the RGPD in relation to the article

        5.1.f) of the RGPD, typified in article 83.4.a) of the RGPD with sanction of
        awareness.
    3. Violation of article 34 of the RGPD in relation to article 5.1.f) of the RGPD,
        typified in article 83.4.a) of the RGPD, with penalty of warning.
    4. And require the SGICSPJ to contribute to this AEPD a summary of the final result
        of the action plan, already started in February 2020, by which the

        more robust security measures in data processing in the
        applicative *** APPLICATION. 1 for which it is responsible for protection
        of data through the SGNEC >>.



FIFTH: On 10/23/2020 the investigated submitted allegations to the proposal of
resolution in the following terms:

In the first place, the investigated considers that there was no integrity breach, since
that as defined by the National Security Scheme (ENS), integrity is

that “property or characteristic consisting in that the information asset has not
been altered in an unauthorized manner ”, so it does not apply to the present
case.

In this regard, it should be noted that the new principle of integrity, previously called
security, included in article 5.1. f) of the RGPD, brings cause of the provisions of the

Article 1 of the aforementioned regulation (object of the RGPD) regarding the processing of data
personal in a broad sense and with a temporal projection regardless of the
specific data that are subject to treatment, and not only with respect to specific data
and static in time for a given treatment. Consequently, the
claim must be rejected.


Second, regarding the confidentiality dimension of the processed data, the
investigated indicates that it was limited to 36 direct people and another 36 indirectly,
so that a number of finite and determined people were produced, and not a
undetermined number of people, as indicated in article 25.2 of the RGPD.


In this sense, it is meant that the indeterminacy referred to in the article
25.2 of the GDPR refers to the default design principle under which the
technical and organizational measures applied will guarantee in particular that, by default,
personal data is not accessible to an undetermined number of people


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/17






physical, and not the number of people affected by the gap. Consequently, the
claim must be rejected.


Third, it provides a set of measures adopted of a reactive nature and
proactive, from which diligent conduct is derived in order to minimize the
impact of the gap and prevent similar situations from recurring in the future. In this
sense provides documentary on new quality actions in the code, tests
functional that specifically contemplate the concurrence of requests and composition
of documents to be notified, life cycle review, training of the

development and periodic monitoring plan of the code quality plan.

Fourth, the investigated provides documentary on the tender of a file
contracting for the adaptation of the treatments carried out in the unit to
ENS, starting its execution in September 2020, reinforcing the policies of

security both by the personnel assigned to the DTSPD and its main
service providers acting as data processors. To this end,
It provides a list of technical prescriptions that govern said contract.

Fifth, the investigated provides notification to the AEPD of the gaps in
security dates 06/28/2019 and 10/31/2019.


Finally, the investigated report on the new scenario of co-responsibility in
the treatments as indicated in article 26 of the RGPD by the DTSPD.

Of the actions carried out in this procedure and of the documentation

Obrante in the file, the following have been accredited:



                                PROVEN FACTS


FIRST: On January 14, 2020, the Subdirectorate General for Nationality
and Civil Status (hereinafter, SGNEC) attached to the General Directorate of Registries and
of the Notary Public (currently the General Directorate of Legal Security and Public Faith, in
hereinafter, DGSJFP) currently organically and functionally dependent on the
General Secretariat for Innovation and Quality of the Public Justice Service (in

hereinafter, SGICSPJ) of the Ministry of Justice, notifies this Spanish Agency for
Data Protection (hereinafter, AEPD) a data security breach
personal dated 11/22/2019 after having knowledge through an email
electronic by a citizen of a notification of granting of the
Spanish nationality corresponding to another person (treatment related to the

app *** APP.1).

SECOND: The reported security breach reaches 34 affected and
later they incorporated another 2 more, up to 36, all of them related to resolutions
of nationality unduly notified to third parties. The security breach

It was communicated to the interested parties on 01/16/2020.

THIRD: The security breach had its technical origin in a modification in the
process of generation of resolutions granting nationality by residence
that had been made in the application *** APPLICATION.1, processing of
nationality files by residence, on *** DATE. 1.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/17







FOURTH: The fault detected originated by attaching the birth certificate of the
nationality applicant to the nationality grant resolution document

as a consequence of the high number of resolutions generated in a
concurrent.

FIFTH: The personal data affected in the security breach would correspond
to the NIE (Foreigner Identification Number), name, surname, place and date of
birth, address at the time of submitting the application, the granting of

nationality and copy of the birth certificate (which again contains data
date and place of birth and name and surname of the parents).

SIXTH: It is established that the SGNEC, organically dependent on the SGICSPJ, has
registered two other personal data security incidents, on dates

06/28/2019 and 10/31/2019, also with incorrect notifications due to error
recipients when communicating nationality concessions, with 11 and 70 people
affected respectively and already solved. These security breaches were
duly notified to the AEPD but there is no evidence that they were communicated to the
affected.



SEVENTH: On 09/05/2018, the AEPD issued a procedural resolution
reference sanctioner AP / 00049/2018, in which it was sanctioned by the same
facts to those now investigated to the General Directorate of Registries and
Notaries dependent on the Undersecretary of Justice (now DGSJFP, dependent

of the SGICSPJ). Specifically, in the aforementioned sanctioning file it was accredited and
thus it is stated in the proven facts that "The Information Technology Division
and Communications of the Ministry of Justice reported that the service did not contemplate the
concurrence and made a mistake when composing the birth certificate ”.


EIGHTH: Regarding the treatments carried out by the SGNEC, there has been evidence
carried out a DPIA (impact assessment on data protection) in June
of 2019, which contains a risk analysis (AR) associated with the data processing
that manages. However, there is no update of the AR and EIDP in the
modifications of the treatments carried out on 11/22/2019 that resulted in the
security breach from that date. However, in allegations the proposal of

resolution, the adequate update to the RGPD, LOPDGDD and ENS of the
treatments carried out by the researcher as well as the implantation of the
both active and proactive corrective measures to avoid recurrence in the future
of similar events.



                           FOUNDATIONS OF LAW

                                           I
By virtue of the powers that article 58.2 of the General Regulation of Protection of

Data (hereinafter RGPD) recognizes each control authority, and according to
established in articles 47 and 48 of the Organic Law on Data Protection and
Digital Rights Guarantee (hereinafter LOPDGDD), the Director of the Agency
Spanish Data Protection is competent to initiate and resolve this
process.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/17






                                             II
Definitions:
Article 4.12 of the RGPD, "violation of the security of personal data": all

breach of security resulting in accidental destruction, loss or alteration
or illicit personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data.
Article 4.7 of the RGPD, "data controller" or "controller": the person
physical or legal, public authority, service or other body that, alone or together with
others, determine the purposes and means of the treatment; if the law of the Union or of the

Member States determine the purposes and means of the treatment, the person responsible for the
treatment or the specific criteria for their appointment may be established by the
Law of the Union or of the Member States ”.

                                            III

In the present case, in accordance with the provisions of the aforementioned article 4.7 of the RGPD and in the RD
453/2020, of March 10, which develops the basic organic structure of the
Ministry of Justice, article 3.1, corresponds to the SGICSPJ the direction, impulse and
management of ministerial powers related to civil status and nationality, to
through the DGSJFP (art 7.1.b) of the aforementioned RD) that processes and resolves the files
Nationality.


Consequently, at present the SGICSPJ is responsible for the treatments
of personal data in all the actions carried out by the different
organic units attached to it relative to civil status and nationality, whenever
that, as indicated in article 4.7 of the aforementioned RGPD, is the natural or legal person,

public authority, service or other body that, alone or together with others, determines the
purposes and means of the treatment, in coherence with the provisions of article 3 of the aforementioned RD
453/2020 whereby the SGICSPJ is responsible for the “direction, promotion and management of
Ministerial powers related to civil status and nationality… “.


It should be noted that although the General Secretariat for Innovation and Quality of the
Public Justice Service was not responsible for data processing now
analyzed at the time of the security breach (s) (dated
06/28/2019, 10/31/2019 and 11/22/2019), it is true that with the current basic structure of the
The Ministry of Justice is responsible for carrying out the mandatory regularizations in the
data processing for which it is responsible and promote with due diligence

its compliance with the RGPD.

                                            IV
Article 5.1.f) of the RGPD, Principles relating to treatment, states the following:
"1. The personal data will be:

(…)
f) treated in such a way as to guarantee adequate data security
personal data, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ('integrity and confidentiality') ”.


In the present case, the security breach must be classified as integrity and
confidentiality as a consequence, in the first place, of the lack of security
adequate and appropriate technical or organizational measures (integrity), and secondly
place for unauthorized access to personal data by third parties


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/17






(confidentiality), both principles regulated in the same article 5.1.f) of the RGPD
transcribed above.


                                            V
Establishes Article 25 of the RGPD, the following:

"Data protection by design and by default

1. Taking into account the state of the art, the cost of the application and the nature,

scope, context and purposes of the treatment, as well as the risks of varying probability and
seriousness that the treatment entails for the rights and freedoms of individuals
the data controller will apply, both at the time of determining the
means of treatment such as at the time of treatment itself, technical measures and
appropriate organizational measures, such as pseudonymisation, designed to apply

effective data protection principles, such as data minimization, and
integrate the necessary guarantees in the treatment, in order to meet the requirements of the
these Regulations and protect the rights of the interested parties.

2. The person responsible for the treatment will apply the technical and organizational measures
appropriate in order to ensure that, by default, they are only processed

the personal data that are necessary for each of the specific purposes of the
treatment. This obligation will apply to the amount of personal data collected, to
the extension of its treatment, its conservation period and its accessibility. Such
measures will ensure in particular that, by default, personal data is not
accessible, without the intervention of the person, to an indeterminate number of people

physical.

3. A certification mechanism approved in accordance with Article 42 may be used
as an element that proves compliance with the obligations established in the
sections 1 and 2 of this article ”.

In this sense, and with regard to the allegation that the security breach that
gave rise to the sanctioning procedure AP / 00049/2018 (resolved on 09/05/2018)
corresponds to "completely different data processing", it should be noted that
the origin of the gaps analyzed has a common cause in the lack of foresight since
the design of the concurrency factor in the processes of both applications
(*** APPLICATION.2 and *** APPLICATION.1).


Article 32 of the RGPD establishes the following:

"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the treatment, as well as risks of

variable probability and severity for the rights and freedoms of individuals
physical, the controller and the person in charge of the treatment will apply technical measures and
appropriate organizational arrangements to ensure a level of security appropriate to the risk,
that in your case include, among others:
    a) pseudonymisation and encryption of personal data;

    b) the ability to guarantee confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
    c) the ability to restore the availability and access to personal data of
quick way in case of physical or technical incident;
     d) a process of regular verification, evaluation and assessment of the effectiveness of
the technical and organizational measures to guarantee the security of the treatment.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/17







2. When evaluating the adequacy of the security level, particular attention will be paid to
takes into account the risks presented by the data processing, in particular as

consequence of accidental or illegal destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data ”.

Article 34.1 of the RGPD establishes the following:


"1. When it is probable that the violation of the security of personal data
entails a high risk for the rights and freedoms of natural persons, the
responsible for the treatment will communicate it to the interested party without undue delay. "

Regarding article 32, it is established that the person responsible for the treatment did not apply the

appropriate technical and organizational measures to ensure a level of security
appropriate to risk; risk that was not even evaluated in the update of the new
version of the application *** APPLICATION. 1.

Regarding article 34, it should be noted that the actions carried out are
It follows that the SGICSPJ, through the SGNEC, notified this AEPD of the gap in

security of personal data dated *** DATE.1 and communicated it to the interested parties
on 01/16/2020. However, the investigated also affirms that there were two gaps of
similar and previous security to the one now investigated. It appears in the allegations to the
resolution proposal that the gaps of dates 06/26/2019 and 10/31/2019 were
notified to this AEPD (art 33 RGPD) but there is no evidence that they have been communicated to

the interested parties (art 34 RGPD), although the first states in the notification that
will communicate to the interested parties but there is no record of completion and, in the second, it is stated that
It was communicated to the interested parties by telephone but there is no record of it.

                                           SAW

Article 24 of the RGPD, responsibility of the data controller, indicates what
next:

"1. Taking into account the nature, scope, context and purposes of the processing,
as well as risks of varying probability and severity to the rights and
freedoms of natural persons, the data controller will apply measures

appropriate technical and organizational measures in order to ensure and demonstrate that the
treatment is in accordance with this Regulation. These measures will be reviewed and
will update when necessary.
2. When they are provided in relation to the treatment activities, between
the measures mentioned in section 1 shall include the application, by the

responsible for the treatment, of the appropriate data protection policies ”(…).

                                           VII
From the facts described, it appears that the SGICSPJ, as responsible for the
treatments now analyzed and through their organs hierarchically

dependent, did not apply the appropriate technical and organizational measures to
guarantee a level of security appropriate to the risk, since it is proven
that third parties had access to information reserved to the interested party (applicant
of Spanish nationality) as a consequence of the malfunction in the commissioning
production of the new version of the application *** APPLICATION.1 that manages the
DGSJFP through SGNEC, both hierarchically dependent on SGICSPJ.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/17







The risks in the treatment contemplated in the new version of the application
*** APPLICATION. 1 should have been taken into account and evaluated by the person responsible for the

treatment (SGICSPJ) through the mandatory risk analysis and where appropriate
impact assessment and, based on it, have established the measures
technical and organizational that would have prevented the loss of control of the data
personal data of applicants for Spanish nationality as a result of the
repeated and already known lack of anticipation of concurrent processes in the treatment
of data of the different applications (APLIACIÓN.1 and APLIACIÓN.2).


It should be emphasized that the level of risk and the impact were already known with
advance since there is in this AEPD a sanctioning file for facts
similar (AP / 00049/2018 and resolution date of 09/05/2018) and, in addition, the SGNEC
notes that similar events were recorded on dates prior to the security breach

dated 11/22/2019, specifically on 06/28/2019 and 10/31/2019.

It also appears in the aforementioned previous sanctioning procedure that the current DTSPD
informed the SGNEC that “the service did not contemplate the attendance and made a mistake when
compose the birth certificate… ”and, nevertheless, a year later it was repeated
on three other occasions faithfully the incident for the same cause.


The consequence of this absence in the control of data processing from the
design and by default (art 25 RGPD) and the implementation of security measures
appropriate (art 32 RGPD) to the risk of the new version of the application
*** APPLICATION.1 causing the date gap *** DATE.1, was the loss of

integrity and confidentiality of personal data, violating the two principles
contained in article 5.1.f) of the RGPD.

                                           VIII
Article 83.4 of the RGPD provides the following:


"4. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
39, 42 and 43; "

In the present case, articles 25, 32 and 34 of the RGPD, typified

in article 83.4 of the RGPD transcribed above.

Article 83.5 of the RGPD provides the following:

"5. Violations of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of up to EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/17






    a) the basic principles for the treatment, including the conditions for the
        consent in accordance with articles 5, 6, 7 and 9; "


In the present case, article 5.1.f) of the RGPD is once again violated, this
once referred to the principle of confidentiality, for which the classification
which indicates article 83.5 of the RGPD transcribed above.

For its part, article 71 of the LOPDGDD, under the heading "Infractions" determines what
following: The acts and behaviors referred to in the

paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that
are contrary to this organic law.

Establishes article 72 of the LOPDGDD, under the heading of considered infractions
very serious, the following: “1. Based on the provisions of article 83.5 of the

Regulation (EU) 2016/679 are considered very serious and will prescribe after three years
the infractions that suppose a substantial violation of the articles
mentioned in that and, in particular, the following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679 ”.


It establishes article 73 of the LOPDGDD, under the heading “Infractions considered
bass ", the following:" 1. Based on what is established in article 83.4 of the
Regulation (EU) 2016/679 are considered serious and will prescribe after two years the
offenses that involve a substantial violation of the aforementioned articles

in that and, in particular, the following:

(…)

d) The lack of adoption of those technical and organizational measures that result

appropriate to effectively apply the principles of data protection from
the design, as well as the non-integration of the necessary guarantees in the treatment, in
the terms required by article 25 of Regulation (EU) 2016/679.

(…)


f) The lack of adoption of those technical and organizational measures that result
appropriate to ensure a level of security appropriate to the risk of the treatment,
in the terms required by article 32.1 of Regulation (EU) 2016/679.

g) The breach, as a consequence of the lack of due diligence, of the

technical and organizational measures that have been implemented as required
by article 32.1 of Regulation (EU) 2016/679.

(…)


r) Failure to comply with the duty to notify the data protection authority of
a breach of personal data security in accordance with the provisions of
Article 33 of Regulation (EU) 2016/679

(…)


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/17






t) The processing of personal data without having carried out the evaluation of the
impact of processing operations on the protection of personal data in the
assumptions in which it is required. (…) ”. This section, in relation to

changes made on *** DATE.1 in the app *** APPLICATION.1.

It establishes article 74 of the LOPDGDD, under the heading “Infractions considered
mild ”, the following:“ They are considered mild and will prescribe the remaining
merely formal infractions of the articles mentioned in the
paragraphs 4 and 5 of Article 83 of Regulation (EU) 2016/679 and, in particular, the

following:

(…)

ñ) Failure to comply with the duty to notify the affected party of a violation of the

data security that poses a high risk to the rights and freedoms of the
affected, as required by article 34 of Regulation (EU) 2016/679,
Unless the provisions of article 73 s) of this organic law are applicable ”.

From all the above, the following is concluded:


Regarding the classification of infractions of article 83.5.a) of the RGPD

- Violation of the principle of confidentiality (art 5.1.f) RGPD), is considered
very serious offense for the purposes of prescription (three years) as indicated in article
72.1.a) of the LOPGDD, punishable by warning as provided in article 77.2

of the LOPDGDD.

Regarding the classification of infractions of article 83.4.a) of the RGPD

- Lack of diligence when implementing data protection from design

(art 25 RGPD in relation to article 5.1.f) of the RGPD), the absence,
breach lack of due diligence in the application of security measures
appropriate depending on the risk (art 32 RGPD in relation to article 5.1.f) of the
RGPD), are considered serious infringements for the purposes of prescription (two years)
as indicated in article 73.d), f), g) and t), of the LOPGDD and punishable with
warning according to article 77.2 of the LOPDGDD.


- Lack of communication to stakeholders of the date security breach
06/28/2020 and dated 10/31/2019 (article 34 of the RGPD in relation to article
5.1.f) of the RGPD) considered a minor infringement for the purposes of prescription (one year)
as indicated in article 74.ñ) of the LOPGDD and punishable by warning

according to article 77.2 of the LOPDGDD.

Consequently, the violation of both principles (integrity and confidentiality)
they constitute the element of guilt that requires the imposition of sanction.


It should be emphasized that the absence of consideration of the risk already known and
previously sanctioned by this AEPD in the aforementioned sanctioning procedure
(AP / 00049/2018) and after both security breaches prior to the current date
06/28/2019 and 10/31/2019, has again led to improper access by third parties
unrelated to the personal data of the interested party and repeatedly affecting the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/17






principles of integrity and confidentiality, aggravates culpability and
sanctioner of the conduct carried out by the SGICSPJ.


                                          IX
Article 58.2 of the RGPD establishes the following:

          2. Each supervisory authority shall have all the following powers
corrective measures listed below:


         (…)

         b) sanction any person responsible or in charge of the treatment with
warning when the processing operations have violated the provisions of
these Regulations;


Establishes article 76 of the LOPDGDD under the heading "Sanctions and measures
corrective “, the following:

 1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria

established in section 2 of said article.

         (…)

3. It will be possible, complementary or alternatively, the adoption, when appropriate, of

the remaining corrective measures referred to in article 83.2 of the Regulation
(EU) 2016/679.

                                          X
However, the LOPDGDD in its article 77, Regime applicable to certain

categories of data controllers or managers, establishes the following:

"1. The regime established in this article will be applicable to the treatments of
who are responsible or in charge:

(…)


c) The General Administration of the State, the Administrations of the communities
autonomous entities and the entities that make up the Local Administration.

(…)


2. When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this law
organic, the competent data protection authority will dictate
resolution sanctioning them with warning. The resolution will establish

Likewise, the measures to be adopted to stop the conduct or to correct
the effects of the offense that had been committed.
The resolution will be notified to the person in charge of the treatment, the body of the
that depends hierarchically, where appropriate, and those affected who had the condition
interested party, if applicable.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/17






3. Without prejudice to the provisions of the previous section, the protection authority of
data will also propose the initiation of disciplinary actions when there are
sufficient evidence for it. In this case, the procedure and the penalties to apply

will be those established in the legislation on disciplinary or sanctioning regime that
result of application.

Likewise, when the infractions are attributable to authorities and managers, and
certify the existence of technical reports or recommendations for the treatment that
had not been duly addressed, in the resolution imposing the

The sanction will include a warning with the name of the position responsible and
will order the publication in the Official Gazette of the State or Autonomous
corresponds.

4. The resolutions that

fall in relation to the measures and actions referred to in the sections
previous.

5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article.


6. When the competent authority is the Spanish Agency for Data Protection,
this will publish on its website with due separation the resolutions referring to
the entities of section 1 of this article, with express indication of the identity
of the person in charge of the treatment that had committed the infringement.

When the competence corresponds to an autonomous authority for the protection of
data will be, in terms of the advertising of these resolutions, to what your
specific regulations ”.

Of the evidence available according to the facts proven in the

present sanctioning procedure, is accredited by the person in charge (the
SGICSPJ) violation of the provisions of articles 5.1.f) and 25, 32 and 34 in relation to
5.1.f) of the RGPD in the terms described above.

In the supposed object of this procedure, it is considered that the
appropriate measures to prevent the security incident from reoccurring

referred, so the person responsible for the adoption of new measures is not required.

Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE the GENERAL SECRETARIAT FOR INNOVATION AND
QUALITY OF THE PUBLIC JUSTICE SERVICE, with NIF S2813610I, by:

    1. Infringement of article 5.1.f) of the RGPD typified in article 83.5.a) of the RGPD

        with penalty of warning.

    2. Violation of articles 25 and 32 of the RGPD in relation to article 5.1.f)
        of the RGPD, typified in article 83.4.a) of the RGPD with sanction of
        awareness.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/17






    3. Violation of article 34 of the RGPD in relation to article 5.1.f) of the RGPD,
       typified in article 83.4.a) of the RGPD, with penalty of warning.



SECOND: NOTIFY this resolution to the GENERAL SECRETARIAT FOR
THE INNOVATION AND QUALITY OF THE PUBLIC JUSTICE SERVICE, with NIF
S2813610I.

THIRD: COMMUNICATE this resolution to the Ombudsman, of

in accordance with the provisions of article 77.5 of the LOPDGDD.

THIRD: In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure according to art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through

of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


Mar Spain Martí
Director of the Spanish Agency for Data Protection













C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es