AEPD - PS/00322/2020

From GDPRhub
Revision as of 11:24, 9 December 2020 by Isabel Hahn
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 58(2)(b) GDPR
Article 58(2)(i) GDPR
Article 58(2)(d) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(4)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02/12/2020
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: PS/00322/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that failing to put recipients of an email into blind carbon copy (bcc) violates Articles 5(1)(f) and 32 GDPR, and fined a law firm €10,000 for violating the former.

English Summary

Facts

The respondent, a law firm, sent an email to multiple recipients without putting them in bcc. The complainant was one of the recipients.

Dispute

Does sending an email without putting the recipients in bcc constitute a violation of the GDPR?

Holding

The AEPD held that the email constituted a confidentiality breach and violated Article 32 GDPR, as the law firm had failed to ensure the security of the recipients' email addresses and other personal data. It also held that the sending of the email violated the principle of integrity and confidentiality under Article 5(1)(f) GDPR.

For the violation of Article 32, the AEPD issued the law firm with a reprimand and an order to bring the processing in line with the GDPR, pursuant to Articles 58(2)(b) and (d) respectively.

For the violation of Article 5(1)(f), it issued a fine of €10,000, pursuant to Article 58(2)(i). The negligent behaviour of the law firm and the categories of data affected by the breach (email addresses, names, surnames) were aggravating factors for the fine.

The law firm ultimately paid €6,000 for the breach, by applying two reductions offered under Spanish law: one for voluntary payment of the fine and one for acknowledging its responsibility for the breach. By applying the reductions, the respondent waived its right to appeal or take other administrative action against the sanction.
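The breach described in the Facts above is a one-to-many notice whose full recipient list was visible to every recipient. As an added example, not part of the decision or of this GDPRhub page, the Python below builds such a notice without ever placing the recipients in a message header (they travel only as SMTP envelope addresses) and adds a check that audits a raw RFC 5322 message for exposed To/Cc addresses or a leaked Bcc header; the sender, recipient and host values are constructed placeholders.

```python
import email
import smtplib
from email.message import EmailMessage
from email.policy import default

# A bulk notice should expose at most one address (the sender or an alias).
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_notice(sender, recipients, subject, body):
    """Build a one-to-many notice that never lists recipients in a header.

    Recipients are returned separately as envelope addresses; the message
    itself carries only the sender in To, so nothing is leaked even if a
    Bcc header were mishandled somewhere downstream.
    """
    if not recipients:
        raise ValueError("no recipients")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # every recipient sees only the sender here
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(recipients))  # de-duplicated, order kept
    return msg, envelope


def visible_recipients(raw):
    """Return (exposed, has_bcc) for a raw RFC 5322 message: the distinct
    addresses visible in To/Cc (case-folded for comparison) and whether a
    Bcc header survived into this copy, which is itself a disclosure."""
    msg = email.message_from_bytes(raw, policy=default)
    exposed = []
    for field in ("To", "Cc"):
        header = msg[field]
        if header is None:
            continue
        for addr in header.addresses:  # groups are flattened by the parser
            spec = addr.addr_spec.lower()
            if spec not in exposed:
                exposed.append(spec)
    return exposed, msg["Bcc"] is not None


def audit_message(raw):
    """Pre-send gate (or post-incident review): True only if the message
    exposes at most MAX_VISIBLE_RECIPIENTS addresses and no Bcc header."""
    exposed, has_bcc = visible_recipients(raw)
    return len(exposed) <= MAX_VISIBLE_RECIPIENTS and not has_bcc


def send_bulk_notice(host, sender, recipients, subject, body):
    """Refuse to send anything the audit would flag. Hypothetical host."""
    msg, envelope = build_bulk_notice(sender, recipients, subject, body)
    if not audit_message(bytes(msg)):
        raise RuntimeError("refusing to send: recipients would be visible")
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg, from_addr=sender, to_addrs=envelope)


# Constructed sample of the failure mode at issue: a blocked-account notice
# with every recipient listed in To.
LEAKY_SAMPLE = (
    b"From: notices@example-firm.invalid\r\n"
    b"To: a@example.invalid, b@example.invalid, c@example.invalid\r\n"
    b"Subject: Account blocked\r\n"
    b"\r\n"
    b"Your account has been blocked.\r\n"
)
```

Running `audit_message` over an outbound mail stream (or a mailbox export during incident review) flags messages like `LEAKY_SAMPLE` before or after the fact.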

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00322/2020

RESOLUTION R/00583/2020 TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT

In the sanctioning procedure PS/00322/2020, instructed by the Spanish Agency for Data Protection against LOSADA ADVOCATS S.L., considering the complaint filed by A.A.A., and based on the following,

BACKGROUND

FIRST: On November 3, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against LOSADA ADVOCATS S.L. (hereinafter, the respondent), through the Agreement transcribed below:

<<

Procedure No.: PS/00322/2020

AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE

From the actions carried out by the Spanish Agency for Data Protection and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Agency for Data Protection on April 21, 2020.

The claim is directed against LOSADA ADVOCATS S.L. with NIF B17634296 (hereinafter, the respondent).

The reasons on which the claim is based are the receipt by the claimant of an email sent by the respondent, without blind copy (bcc), to dozens of recipients, including the claimant.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12











A copy of the message is provided, dated 04/19/2020.

SECOND: The present claim was transferred to the respondent on June 5, 2020, requiring it to send this Agency, within one month, information on the response given to the claimant regarding the facts denounced, as well as the causes of the incident and the measures adopted; the respondent did not answer within the specified period.

THIRD: On September 18, 2020, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim presented by the claimant against the respondent.

FOUNDATIONS OF LAW

I

By virtue of the powers that Article 58.2 of the RGPD recognizes for each supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

The RGPD establishes in Article 5 the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality".

The article states that:

"1. Personal data shall be:

(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."




In turn, the security of personal data is regulated in Article 32 of the RGPD.

Article 32 of the RGPD, "Security of processing", establishes that:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."



The violation of Article 32 of the RGPD is typified in Article 83.4 a) of the RGPD in the following terms:

"4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(…)"

For its part, the LOPDGDD in its Article 71, Infringements, states that: "The acts and conduct referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."

And in its Article 73, for the purposes of limitation periods, it qualifies as "Infringements considered serious":

"In accordance with what is established in Article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein, and in particular the following, are considered serious and will be time-barred after two years:

(…)

g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures that have been implemented in accordance with what is required by Article 32.1 of Regulation (EU) 2016/679."




III

The facts revealed in this claim consist of the receipt by the claimant of an email sent by the respondent, without blind copy (bcc), to dozens of recipients, including the claimant.

The RGPD defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

From the documentation in the file there are clear indications that the respondent has violated Article 32 of the RGPD, due to a breach of security in its systems by sending an email without blind copy to eight recipients, including the claimant, informing them of the blocking of their accounts.

It should be noted that the RGPD in the aforementioned provision does not establish a list of the security measures that are applicable according to the data being processed, but establishes that the controller and the processor shall apply technical and organisational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned.

Likewise, security measures must be adequate and proportionate to the risk detected, noting that the determination of the technical and organisational measures must be carried out taking into account: pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore availability and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when evaluating the adequacy of the security level, particular account must be taken of the risks presented by the data processing, as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data, which could cause physical, material or non-material damage.



In this same sense, recital 83 of the RGPD states that:

"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."




IV

In accordance with the evidence available and without prejudice to what results from the investigation, from the documentation provided it appears that on 19 April 2020 the respondent sent an email without blind copy (bcc) to dozens of recipients, including the claimant, which could constitute, on the part of the respondent, two infringements: one of the provisions of Article 32 of the RGPD and another of the provisions of Article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the accountability of the controller in demonstrating its compliance.



V

Article 58.2 of the RGPD provides the following: "Each supervisory authority shall have all of the following corrective powers:

b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures referred to in this paragraph, depending on the circumstances of each individual case;"



VI

Article 72.1 a) of the LOPDGDD states that "in accordance with what is established in Article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein, and in particular the following, are considered very serious and will be time-barred after three years:

a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679"

This infringement may be sanctioned with a fine of up to EUR 20,000,000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with Article 83.5 of the RGPD.

Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in Article 83.2 of the RGPD:

As aggravating factors, the following:

In the present case we are dealing with unintentional but significant negligent action (Article 83.2 b)).

Basic personal identifiers are affected (name, surnames, address), in accordance with Article 83.2 g).




Therefore, based on the foregoing,

the Director of the Spanish Agency for Data Protection

AGREES:

FIRST: TO INITIATE A SANCTIONING PROCEDURE against LOSADA ADVOCATS S.L. with NIF B17634296 for the alleged infringements of Articles 5.1 f) and 32 of the RGPD, typified in Articles 83.5 a) and 83.4 a) of the RGPD respectively.

SECOND: TO APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).










THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions.

FOURTH: THAT for the purposes provided for in Article 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanctions that may correspond would be the following:

For the infringement of Article 32 of the RGPD, typified in Article 83.4 a) of the RGPD, the corresponding sanction would be a warning, requiring the respondent to adopt the necessary measures to cease the conduct that is the subject of this complaint, which has caused the security breach denounced, so that the effects of the infringement committed cease and the processing is adapted to the requirements contemplated in Article 32 of the RGPD, and to provide evidence of compliance with what is required.

For the infringement of Article 5.1 f) of the RGPD, typified in Article 83.5 a) of the RGPD, the corresponding sanction would be a fine of 10,000 euros (ten thousand euros), without prejudice to what results from the investigation.



FIFTH: TO NOTIFY this agreement to LOSADA ADVOCATS S.L. with NIF B17634296, granting a hearing period of ten business days to formulate allegations and present the evidence it deems appropriate. In its written allegations, it must provide its NIF and the procedure number that appears in the heading of this document.

If, within the stipulated period, no allegations are made to this initiation agreement, it may be considered a resolution proposal, as established in Article 64.2 f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of Article 85 of the LPACAP, in relation to the alleged infringement of Article 5.1 f) of the RGPD, the respondent may acknowledge its responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in the present procedure. With the application of this reduction, the penalty would be set at 8,000 euros, resolving the procedure with the imposition of this sanction.

In the same way, it may, at any time prior to the resolution of the present procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at 8,000 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with the one that applies for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the term granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time before resolution. In this case, applying both reductions, the amount of the penalty would be set at 6,000 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditioned on the withdrawal of or waiver of any administrative action or appeal against the sanction.

In the event that it chooses to proceed with voluntary payment of either of the amounts indicated above (8,000 or 6,000 euros), payment must be made by deposit into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the cause of the reduction applied.

Likewise, it must send proof of payment to the Subdirectorate General of Inspection in order to continue the procedure according to the amount paid.












The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, it will lapse and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with the provisions of Article 112.1 of the LPACAP, no administrative appeal lies against this act.

Mar España Martí
Director of the Spanish Agency for Data Protection

>>


SECOND: On November 21, 2020, the respondent proceeded to pay the sanction in the amount of 6,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that Article 58.2 of the RGPD recognizes for each supervisory authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infringements committed against said Regulation; the infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84.3 of the LGT; and the infringements typified in Articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in Article 43.1 of said Law.













II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and another non-pecuniary sanction but the inappropriateness of the second has been justified, the voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditioned on the withdrawal of or waiver of any administrative action or appeal against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00322/2020, in accordance with the provisions of Article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to LOSADA ADVOCATS S.L.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114.1 c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the referred Law.

Mar España Martí
Director of the Spanish Agency for Data Protection