Editing AEPD - PS/00287/2020

From GDPRhub


Latest revision Your text
Line 47: Line 47:
  
 
|Initial_Contributor=[https://networkinstitute.org/projects/appropriate-measures-for-security-investigating-legal-and-technical-requirements-under-the-gdpr/ GDPR MASTer Project]
 
|Initial_Contributor=[https://networkinstitute.org/projects/appropriate-measures-for-security-investigating-legal-and-technical-requirements-under-the-gdpr/ GDPR MASTer Project]
|}}
+
|
 +
}}
  
The Spanish DPA (AEPD) imposed a fine of €3,000 to an online perfume shop for displaying personal data (including billing information and address) to a different client when the claimant tried to access their user account.
+
The Spanish DPA (AEPD) imposed a fine of €3,000 to an online perfume shop for displaying personal data (including billing information and address) to a different client when the claimant tries to access their user account.
  
 
==English Summary==
 
==English Summary==
  
 
===Facts===
 
===Facts===
When a client tried to access their user account on the website of Comercio Online Levante, S.L., they were directed to the account if another client, therefore having access to the data of such client. The claimant sent an email sent to the online shop informing of the incident but received no answer, so they filed a complaint with the AEPD describing the incident.
+
On 21/01/2020 the claimant has filed a complaint with the AEPD describing the incident. The claimant provided a screen print which displays data from another client.
 +
 
 +
The claimant provided a copy of an email sent on the 26/04/2020 to the online shop informing of the incident.
 +
 
 +
The privacy policy of the online shop conforms with the GDPR, however the claimant indicates it is not possible to contact the online shop through the phone/email presented there.
  
 
===Dispute===
 
===Dispute===
  
Did Comercio Online Levante, S.L. infringe the principle of confidentiality established by Article 5(1)(f) GDPR?
 
 
Was there a personal data breach?
 
  
 
===Holding===
 
===Holding===
The AEPD considered that there was an infringement of Article 5(1)(f), as there was a leak of personal data without the consent of the data subject. Additionally, they considered that there was an infringement of Article 32(1), as they concluded that the online shop did not have the appropriate technical and organisational measures in place to ensure an adequate level of protection.
+
[To be filled in later]
 
 
For this, the AEPD fined Comercio Online Levante, S.L.:
 
 
 
* for the infringement of Article 5(1)(f), €2,000.
 
* for the infringement of Article 32(1), €1,000.
 
  
 
==Comment==
 
==Comment==
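
Review bot: In the Facts section, the "Your text" side dates the complaint to the AEPD 21/01/2020 and the email to the online shop 26/04/2020, which places the complaint before the email. The latest revision states the opposite order ("sent an email ... but received no answer, so they filed a complaint"). The two dates and their sequence should be confirmed before this undo is saved. The undo would also replace the Holding paragraph with "[To be filled in later]" and drop the €2,000 and €1,000 breakdown of the fine, so the summary line would still state a €3,000 fine with no holding to support it. The undo would also remove the "Did Comercio Online Levante, S.L. infringe ..." question under Dispute.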
