AEPD - PS/00322/2020
Relevant Law:
- Article 5(1)(f) GDPR
- Article 32 GDPR
- Article 58(2)(b) GDPR
- Article 58(2)(d) GDPR
- Article 58(2)(i) GDPR
- Article 83(2)(b) GDPR
- Article 83(2)(g) GDPR
- Article 83(4)(a) GDPR
National Case Number/Name: PS/00322/2020
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
The Spanish DPA (AEPD) held that sending an email to multiple recipients without placing them in blind carbon copy (bcc), so that every recipient could see the others' addresses, violates Articles 5(1)(f) and 32 GDPR. It reprimanded the law firm responsible for the Article 32 violation and fined it €10,000 for the Article 5(1)(f) violation.
English Summary
Facts
The respondent, a law firm, sent an email to multiple recipients with all of their addresses in the visible recipient field rather than in bcc, so that each recipient could see the others' email addresses. The complainant was one of the recipients.
Dispute
Does sending an email without putting the recipients in bcc constitute a violation of the GDPR?
Holding
The AEPD held that the email constituted a confidentiality breach and violated Article 32 GDPR, because the law firm had failed to ensure the security of the recipients' email addresses and other personal data. It also held that sending the email violated the principle of integrity and confidentiality under Article 5(1)(f) GDPR.
For the violation of Article 32, the AEPD issued the law firm with a reprimand and an order to bring its processing into line with the GDPR, pursuant to Articles 58(2)(b) and (d) respectively.
For the violation of Article 5(1)(f), it imposed a fine of €10,000 pursuant to Article 58(2)(i). The law firm's negligence (Article 83(2)(b)) and the categories of data affected by the breach, basic identifiers such as names and surnames alongside the email addresses themselves (Article 83(2)(g)), were treated as aggravating factors.
The law firm ultimately paid €6,000, applying the two 20% reductions available under Spanish administrative law (Article 85 LPACAP) for voluntary payment of the fine and for acknowledging responsibility. By accepting the reductions, the firm waived any administrative action or appeal against the sanction, and the procedure was terminated.
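The failure in this decision is a plain header-handling mistake, so here is the sanctioned pattern beside the control, as an added example that is not part of the decision or of this page: the recipient addresses go only to the SMTP envelope, never into a header, and a pre-send check refuses any message whose To, Cc or Bcc header would expose them. The sender, recipient addresses and message text are constructed sample data, and send_without_disclosure assumes a reachable MTA on localhost:25 (it is not called when the script runs).

```python
"""Added example (not part of the AEPD decision or this page): sending one
notice to many recipients without disclosing their addresses to each other,
plus a pre-send check for the failure mode the AEPD sanctioned.
All addresses and message text below are constructed sample data."""
from email.message import EmailMessage
import smtplib

# Constructed sample data; the case's real addresses are not on the page.
SENDER = "noreply@lawfirm.example"
RECIPIENTS = [
    "client.one@example.net",
    "client.two@example.org",
    "client.three@example.com",
]


def build_disclosing_message(sender, recipients, subject, body):
    """The pattern the AEPD sanctioned: every recipient in the visible
    To header, so each one learns all the other addresses."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, subject, body):
    """The control: no recipient address appears in any header.  The
    addresses travel only as SMTP envelope recipients (RCPT TO), which is
    what 'bcc' means on the wire.  No Bcc header is written at all, so
    nothing can leak even if a relay or client forwards headers verbatim.
    Returns (message, envelope_recipients)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "undisclosed-recipients:;"  # RFC 5322 empty group
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def disclosed_addresses(msg):
    """Audit check: every address a recipient could read from the headers.
    Run it before handing a message to the MTA; the same check works over
    an exported sent-items folder after the fact."""
    found = set()
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            # With the default policy these are AddressHeader objects;
            # .addresses flattens groups, so an empty group yields nothing.
            for addr in getattr(header, "addresses", ()):
                found.add(addr.addr_spec.lower())
    return found


def send_without_disclosure(msg, envelope_recipients, host="localhost", port=25):
    """Refuse to send anything that would disclose addresses, then pass the
    recipient list to SMTP separately from the headers.  send_message()
    uses to_addrs in preference to the message's own To/Cc/Bcc headers.
    Assumes an MTA is reachable at host:port."""
    leaked = disclosed_addresses(msg)
    if leaked:
        raise ValueError(f"message would disclose recipients: {sorted(leaked)}")
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=str(msg["From"]),
                          to_addrs=envelope_recipients)


if __name__ == "__main__":
    bad = build_disclosing_message(SENDER, RECIPIENTS, "Account blocked", "...")
    good, rcpts = build_bcc_message(SENDER, RECIPIENTS, "Account blocked", "...")
    print("visible in the disclosing message:", sorted(disclosed_addresses(bad)))
    print("visible in the bcc message:", sorted(disclosed_addresses(good)))
    # send_without_disclosure(good, rcpts)  # needs a reachable MTA; not run here
```

Sending one message per recipient achieves the same separation at the cost of one SMTP transaction each; the envelope approach keeps a single transaction. In either design the header check is the piece an Article 32 "process for regularly testing" would cover, and running it over a sent-items export also finds past disclosures.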
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00322/2020
RESOLUTION R/00583/2020
TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT
C/ Jorge Juan, 6, 28001 Madrid, www.aepd.es, sedeagpd.gob.es

In sanctioning procedure PS/00322/2020, instructed by the Spanish Data Protection Agency against LOSADA ADVOCATS S.L., in view of the complaint filed by A.A.A., and on the basis of the following

BACKGROUND

FIRST: On November 3, 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against LOSADA ADVOCATS S.L. (hereinafter, the respondent), by means of the Agreement transcribed below:

<< Procedure No.: PS/00322/2020
AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

From the actions carried out by the Spanish Data Protection Agency and on the basis of the following

FACTS

FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on April 21, 2020. The claim is directed against LOSADA ADVOCATS S.L., with NIF B17634296 (hereinafter, the respondent). The claim is based on the claimant's receipt of an email sent by the respondent without blind copy to dozens of recipients, including the claimant. A copy of the message, dated 04/19/2020, is provided.

SECOND: This claim was forwarded to the respondent on June 5, 2020, requiring it to send this Agency, within one month, information on the response given to the claimant regarding the facts reported, as well as the causes of the incident and the measures adopted, but the respondent did not reply within the specified period.

THIRD: On September 18, 2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim filed by the claimant against the respondent.
LEGAL GROUNDS

I. By virtue of the powers that article 58.2 of the GDPR grants to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II. Article 5 of the GDPR establishes the principles that must govern the processing of personal data and includes among them "integrity and confidentiality". The article states: "1. Personal data shall be: (...) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

In turn, the security of personal data is regulated in article 32 of the GDPR. Article 32 of the GDPR, "Security of processing", establishes: "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

The infringement of article 32 of the GDPR is typified in article 83.4.a) of the GDPR in the following terms: "4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (...)"

For its part, article 71 of the LOPDGDD, "Infringements", states: "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those contrary to this organic law, constitute infringements."
And article 73, for the purposes of limitation periods, classifies as "Infringements considered serious": "On the basis of article 83.4 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered serious and shall become time-barred after two years, and in particular the following: (...) g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679."

III. The facts disclosed in this claim consist of the claimant's receipt of an email sent by the respondent without blind copy to dozens of recipients, including the claimant.

The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

From the documentation in the file there are clear indications that the respondent has infringed article 32 of the GDPR, owing to a security breach in its systems consisting of sending an email without blind copy to eight recipients, including the claimant, informing them of the blocking of their accounts.

It should be noted that the GDPR, in the aforementioned provision, does not establish a list of the security measures applicable according to the data being processed, but establishes that the controller and the processor shall implement technical and organisational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned.

Likewise, security measures must be adequate and proportionate to the risk detected, noting that the technical and organisational measures must be determined taking into account: pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore availability and access to data after an incident; and a process of verification (not audit), assessment and evaluation of the effectiveness of the measures.

In any case, when assessing the appropriate level of security, particular account shall be taken of the risks presented by data processing, in particular from accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorised disclosure of or access to such data, which may cause physical, material or non-material damage.

In the same sense, recital 83 of the GDPR states: "(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."
IV. In accordance with the evidence available, and without prejudice to what results from the investigation, from the documentation provided it appears that on 19 April 2020 the respondent sent an email without blind copy to dozens of recipients, including the claimant, which could constitute, on the part of the respondent, two infringements: one of article 32 of the GDPR and another of article 5.1 f) of the GDPR, which governs the principles of integrity and confidentiality of personal data, as well as the accountability of the controller to demonstrate its compliance.

V. Article 58.2 of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers: b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;"

VI. Article 72.1.a) of the LOPDGDD states that "on the basis of article 83.5 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered very serious and shall become time-barred after three years, and in particular the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679".

This infringement may be sanctioned with a fine of up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with article 83.5 of the GDPR.

Likewise, it is considered that the sanction to be imposed should be graduated according to the following criteria established in article 83.2 of the GDPR. As aggravating factors: in the present case the conduct was unintentional but significantly negligent (article 83.2 b)); basic personal identifiers are affected (name, surnames, address) (article 83.2 g)).

Therefore, on the basis of the foregoing, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against LOSADA ADVOCATS S.L., with NIF B17634296, for the alleged infringements of articles 5.1 f) and 32 of the GDPR, typified in articles 83.5 a) and 83.4 a) of the GDPR respectively.

SECOND: TO APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that either of them may be recused, where appropriate, in accordance with articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, and the report on prior inspection actions.

FOURTH: THAT, for the purposes of art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanctions that may apply are the following:

- for the infringement of article 32 of the GDPR, typified in article 83.4 a) of the GDPR, the corresponding sanction would be a reprimand, requiring the respondent to adopt the measures necessary to cease the conduct that is the subject of this complaint and that caused the security breach reported, so as to remedy the effects of the infringement committed and bring its processing into line with the requirements of article 32 of the GDPR, and to provide evidence of compliance with what is required;
- for the infringement of article 5.1 f) of the GDPR, typified in article 83.5 a) of the GDPR, the corresponding sanction would be a fine of 10,000 euros (ten thousand euros), without prejudice to what results from the investigation.

FIFTH: TO NOTIFY this agreement to LOSADA ADVOCATS S.L., with NIF B17634296, granting it a hearing period of ten working days to submit the allegations and evidence it deems appropriate. In its submission it must state its NIF and the procedure number appearing in the heading of this document.

If no allegations are made against this initiation agreement within the stipulated period, it may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with article 85 of the LPACAP, in relation to the alleged infringement of article 5.1 f) of the GDPR, the respondent may acknowledge its responsibility within the period granted for submitting allegations against this initiation agreement, which will entail a 20% reduction of the sanction to be imposed in this procedure.
With this reduction the penalty would be set at 8,000 euros, and the procedure would be resolved with the imposition of that sanction.

Likewise, at any time prior to the resolution of this procedure, the respondent may make voluntary payment of the proposed sanction, which will entail a 20% reduction of its amount. With this reduction the penalty would be set at 8,000 euros, and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with the reduction for acknowledgment of responsibility, provided that the acknowledgment of responsibility is made within the period granted for submitting allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time before the resolution. In that case, if both reductions apply, the amount of the penalty would be set at 6,000 euros.

In any case, the effectiveness of either of the two reductions mentioned is conditional on the withdrawal of, or waiver of, any administrative action or appeal against the sanction.

If the respondent chooses to make voluntary payment of any of the amounts indicated above (8,000 or 6,000 euros), it must pay by transfer to account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the payment reference the procedure number appearing in the heading of this document and the ground for reduction relied upon. Likewise, it must send proof of payment to the General Subdirectorate for Inspection so that the procedure can continue in accordance with the amount paid.
The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where applicable, the draft initiation agreement. After this period it will lapse and, consequently, the proceedings will be filed, in accordance with article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with article 112.1 of the LPACAP, no administrative appeal lies against this act.

Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On November 21, 2020, the respondent paid the sanction in the amount of 6,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies acknowledgment of responsibility.

THIRD: The payment made, within the period granted for submitting allegations against the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts to which the Initiation Agreement refers.

LEGAL GROUNDS

I. By virtue of the powers that article 58.2 of the GDPR grants to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction infringements of that Regulation; infringements of article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with article 84.3 of the LGT; and the infringements typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of that Law.
II. Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and a non-pecuniary one but the inappropriateness of the second has been justified, voluntary payment by the presumed offender at any time prior to the resolution will entail the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damage caused by the commission of the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, which are cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness is conditional on the withdrawal of, or waiver of, any administrative action or appeal against the sanction. The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the foregoing, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00322/2020, in accordance with article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to LOSADA ADVOCATS S.L.

In accordance with article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of that Law.

936-031219
Mar España Martí
Director of the Spanish Data Protection Agency