AEPD (Spain) - PS/00483/2020
From GDPRhub
| AEPD - PS/00483/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 17.03.2021 |
| Fine: | 3,000 EUR |
| Parties: | Asesoria Alpi Clua S.L. |
| National Case Number/Name: | PS/00483/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA (AEPD) fined an audit company €3,000 for a security breach occurred when they sent the claimant information of another client, instead of theirs.
English Summary
Facts
Asesoria Alpi Clua S.L., an audit company, mistakenly sent via email the personal data of one of their clients to a different client, the claimant, when this client asked for documentation concerning their own data.
Dispute
Did Asesoria Alpi Clua infringe the principle of confidentiality established by Article 5(1)(f) GDPR?
Was there a personal data breach?
Holding
The AEPD considered that there was an infringement of Article 5(1)(f), as there was a leak of personal data without the consent of the data subject. Additionally, they considered that there was an infringement of Article 32(1), as they concluded that the audit company did not have the appropriate technical and organisational measures in place to ensure an adequate level of protection.
For this, the AEPD fined Asesoria Alpi Clua:
- for the infringement of Article 5(1)(f), €2,000.
- for the infringement of Article 32(1), €1,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11
Procedure Nº: PS / 00483/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: D. A.A.A., representative of Mrs. B.B.B. (hereinafter the claimant), with
On 06/30/2020, he filed a claim with the Spanish Agency for the Protection of
Data. The claim is directed against ASESORÍA ALPI-CLÚA, S.L. with NIF
B63056162 (hereinafter, the claimed one). The reasons on which the claim is based are,
In short, the claimant requested the necessary documentation for some formalities
before the Treasury to said entity, and this entity, by email sent a
document in which personal data of another client appear. Provide the email and a
receipt of presentation of documentation to the Treasury by the Advisory, with
Indication of data from another client.
SECOND: Upon receipt of the claim, the Subdirectorate General of Inspec-
tion of Data proceeded to carry out the following actions:
On 08/05/2020, reiterated on 08/31/2020, the claim was transferred to the defendant
submitted for analysis and communication to the claimant of the decision adopted at the
respect. Likewise, he was required to submit to the
Agency certain information:
- Copy of the communications, of the adopted decision that has been sent to the
claimant regarding the transfer of this claim, and accreditation that
the claimant has received the communication of that decision.
- Report on the causes that have motivated the incidence that has originated the
claim.
- Report on the measures adopted to prevent incidents from occurring
similar companies.
- Any other that you consider relevant.
There is no evidence that the respondent has given any response to the request of the
AEPD.
THIRD: On 12/17/2020, in accordance with article 65 of the LOPDGDD, the Di-
rector of the Spanish Agency for Data Protection agreed to admit to processing the re
claim filed by the claimant against the defendant.
FOURTH: On 01/25/2021, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure against the complained party, for the alleged
fractions of articles 5.1.f) and 32.1 of the RGPD, sanctioned in accordance with the provisions
to articles 83.5.a) and 83.4.a) of the aforementioned RGPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/11
FIFTH: Notified the initiation agreement, the one claimed at the time of this resolution
tion has not submitted a brief of allegations, so the aforementioned is applicable
in article 64 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, which in its section f) establishes that in case
not to make representations within the term provided on the content of the initiation agreement
ciation, it may be considered a resolution proposal when it contains a
precise statement about the responsibility imputed, so we proceed to
issue Resolution.
SIXTH: Of the actions carried out in this proceeding, there have been
accredited the following:
PROVEN FACTS
FIRST: D. A.A.A., representative of Mrs. B.B.B. (hereinafter the claimant), with
On 06/30/2020, he filed a claim with the Spanish Agency for the Protection of
Data stating that you requested the required documentation to carry out
carried out procedures before the AEAT and, by email, sent him a document in
the one that appears personal data of another client.
SECOND: A copy of the representative's DNI is provided, number *** DNI.1.
THIRD: A copy of the e-mail sent and a receipt of the
establishment of the extension of the deadline for completing the procedures before the AEAT, in which
there are personal data corresponding to a third party.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority
control, and according to what is established in articles 47 and 48 of the LOPDGDD, the
rector of the Spanish Data Protection Agency is competent to initiate and
to solve this procedure.
II
Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations, in its article 64 “Agreement of initiation in the procedures
actions of a sanctioning nature ”, provides:
"1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such.
Likewise, the initiation will be communicated to the complainant when the regulatory norms
of the procedure so foresee it.
2. The initiation agreement must contain at least:
a) Identification of the person or persons allegedly responsible.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/11
b) The facts that motivate the initiation of the procedure, their possible qualification
tion and sanctions that may correspond, without prejudice to what may result
of the instruction.
c) Identification of the instructor and, where appropriate, Secretary of the procedure, with
express indication of the regime of challenge of the same.
d) Competent body for the resolution of the procedure and norm that attributes
buya such competition, indicating the possibility that the alleged responsible
can voluntarily acknowledge its responsibility, with the intended effects
in article 85.
e) Measures of a provisional nature that have been agreed upon by the
petitioner to initiate the sanctioning procedure, without prejudice to those
may adopt during the same in accordance with article 56.
f) Indication of the right to make allegations and to a hearing in the proceeding
terms and deadlines for its exercise, as well as an indication that, in the event
not to make allegations within the term provided on the content of the
initiation agreement, this may be considered a resolution proposal
when it contains a precise pronouncement about the implicit responsibility
bitch.
3. Exceptionally, when at the time of issuing the initiation agreement
there are not enough elements for the initial qualification of the facts that motivate
the initiation of the procedure, the aforementioned qualification may be carried out at a later stage
by means of the preparation of a Statement of Charges, which must be notified to the
interested ”.
In application of the previous precept and taking into account that no
side allegations to the initiation agreement, it is necessary to resolve the procedure initiated.
III
The claimed facts that have given rise to the present proceeding are subject to
They engage in the disclosure of personal data when an email is sent to the claimant
electronic with document belonging to third party in which they were contained with
breach of technical and organizational measures violating the confidentiality
the data.
Article 58 of the RGPD, Powers, states:
"two. Each supervisory authority shall have all the following powers co-
Rectives listed below:
(…)
b) sanction any person responsible or in charge of the treatment with warning
when the processing operations have violated the provisions of the
these Regulations;
(…) "
Article 5, Principles relating to treatment, of the RGPD establishes that:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/11
"1. The personal data will be:
(…)
f) treated in such a way as to guarantee adequate security of the data
personal coughs, including protection against unauthorized or unlawful processing
to and against its loss, destruction or accidental damage, by applying
appropriate technical or organizational measures ("integrity and confidentiality").
(…)
Also article 5, Duty of confidentiality, of the new Organic Law
3/2018, of December 5, Protection of Personal Data and guarantee of rights
chos digital (hereinafter LOPDGDD), points out that:
"1. Those responsible and in charge of data processing as well as all
people who intervene in any phase of this will be subject to the duty of confi-
dentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation indicated in the previous section will be complementary
of the duties of professional secrecy in accordance with its applicable regulations.
3. The obligations established in the previous sections will be maintained
even when the relationship of the obligated party with the person in charge or manager has ended
treatment ”.
IV
The documentation in the file provides evidence that the respondent,
violated article 5 of the RGPD, principles relating to treatment, in relation to the ar-
Title 5 of the LOPGDD, duty of confidentiality, when sent by e-mail documents
to containing personal data of a third party.
This duty of confidentiality, previously the duty of secrecy, must be understood
It should be noted that its purpose is to prevent leaks of data that are not included in the
felt by the holders thereof.
Therefore, this duty of confidentiality is an obligation incumbent upon not
only to the person responsible and in charge of the treatment but to everyone who intervenes in
any phase of the treatment and complementary to the duty of professional secrecy.
V
Article 83.5 a) of the RGPD, considers that the infringement of “the basic principles
costs for the treatment, including the conditions for consent under the
Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned article.
Article 83 of the aforementioned RGPD, "with administrative fines of € 20,000,000 at most
or, in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business lumen of the previous financial year, opting for the
of greater amount ”.
The LOPDGDD in its article 72 indicates: “Violations considered very serious:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/11
1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned therein and, in part,
ticular, the following:
a) The processing of personal data violating the principles and guarantees es-
established in article 5 of Regulation (EU) 2016/679.
(…)
SAW
Secondly, article 32 of the RGPD “Security of treatment”, establishes-
ce that:
"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the treatment, as well as risks of pro-
variable probability and severity for the rights and freedoms of natural persons,
The person in charge and the person in charge of the treatment will apply technical and organizational measures
are appropriate to guarantee a level of security appropriate to the risk, which in its
case include, among others:
a) pseudonymisation and encryption of personal data;
b) the ability to guarantee confidentiality, integrity, availability and re-
permanent silience of treatment systems and services;
c) the ability to restore the availability and access to personal data-
them quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the treatment
I lie.
2. When evaluating the adequacy of the security level, particularly the
take into account the risks presented by the data processing, in particular as a consequence of
of accidental or unlawful destruction, loss or alteration of personal data
transmitted, conserved or otherwise processed, or communication or unauthorized access
twisted to said data.
3. Adherence to a code of conduct approved in accordance with article 40 or to a
certification mechanism approved under article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
Se article.
4. The person in charge and the person in charge of the treatment will take measures to guarantee
to ensure that any person acting under the authority of the controller or manager
do and have access to personal data can only process said data by following instructions
instructions of the person in charge, unless it is obliged to do so by virtue of the Law of the
Union or Member States ”.
VII
The violation of article 32 of the RGPD is typified in article
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/11
83.4.a) of the aforementioned RGPD in the following terms:
"4. Violations of the following provisions will be sanctioned, in accordance with
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
for a company, an amount equivalent to a maximum of 2% of the volume
total annual global business menu for the previous financial year, opting for the
higher amount:
a) the obligations of the controller and the processor pursuant to articles 8,
11, 25 to 39, 42 and 43.
(…) "
For its part, the LOPDGDD in its article 73, for the purposes of prescription, qualifies
of "Violations considered serious":
"Based on the provisions of article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following
following:
(…)
g) The breach, as a consequence of the lack of due diligence,
of the technical and organizational measures that have been implemented in accordance with
as required by article 32.1 of Regulation (EU) 2016/679 ”.
(…) "
VIII
The RGPD defines personal data security violations as “all-
those security violations that cause the destruction, loss or alteration
accidental or illegal ration of personal data transmitted, stored or processed from
otherwise, or unauthorized communication or access to said data ”.
From the documentation in the file there are evident indications of
that the respondent has violated article 32 of the RGPD, when an incident of
security in your system allowing access to personal data of a third party, by
be sent mail allowing access to the document that contained them with bankruptcies.
treatment of the established measures.
It should be noted that the RGPD in the aforementioned precept does not establish a list of
the security measures that are applicable according to the data that are
object of treatment, but establishes that the person in charge and the person in charge of the treatment
They will apply technical and organizational measures that are appropriate to the risk that
entails the treatment, taking into account the state of the art, the costs of applying
cation, the nature, scope, context and purposes of the treatment, the risks of
probability and seriousness for the rights and freedoms of the persons concerned.
Likewise, security measures must be adequate and proportionate.
given to the risk detected, noting that the determination of the technical measures and
Giving must be carried out taking into account: pseudonymisation and encryption,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/11
ability to guarantee confidentiality, integrity, availability and resilience, the
ability to restore availability and access to data after an incident, process
verification (not audit), evaluation and assessment of the effectiveness of the
you give.
In any case, when evaluating the adequacy of the security level, the
take into account the risks posed by data processing, as a consequence of
of accidental or unlawful destruction, loss or alteration of personal data
transmitted, conserved or otherwise processed, or communication or unauthorized access
to said data and that could cause physical damages, material
les or immaterial.
In this same sense, recital 83 of the RGPD states that:
“(83) In order to maintain security and prevent treatment from infringing the dis-
set out in this Regulation, the person in charge or the person in charge must evaluate the
risks inherent to the treatment and apply measures to mitigate them, such as encryption.
These measures must guarantee an adequate level of security, including the confidentiality
quality, taking into account the state of the art and the cost of its application with respect to
regarding the risks and the nature of the personal data to be protected. To the
assess the risk in relation to data security, should be taken into account
the risks arising from the processing of personal data, such as destruction
accidental or unlawful alteration, loss or alteration of personal data transmitted, conserved
used or otherwise treated, or unauthorized communication or access to such
data, susceptible in particular to cause physical, material or
immaterial ”.
In the present case, as stated in the facts and in the framework of the
investigation tooth E / 06014/2020 the AEPD transferred the claim to the defendant
submitted for analysis requesting the contribution of information related to the
incident claimed, without any response being received by this body.
The defendant's liability is determined by the insurance bankruptcy.
manifested by the claimant, since he is responsible for making decisions
tions aimed at effectively implementing technical and organizational measures
appropriate to ensure a level of security appropriate to the risk to ensure the
confidentiality of the data, restoring its availability and preventing access to
themselves in the event of a physical or technical incident. However, from the documentation provided
It follows that the entity has not only breached this obligation, but also
Furthermore, the adoption of measures in this regard is unknown, despite having given
do of the claim presented.
In accordance with the foregoing, it is estimated that the defendant would be presumed
responsible for the infringement of the RGPD: the infringement of article 32, infringement
tion typified in its article 83.4.a).
IX
In order to establish the administrative fine to be imposed, they must observe
See the provisions contained in articles 83.1 and 83.2 of the RGPD, which state:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/11
"1. Each supervisory authority shall guarantee that the imposition of the fines administered
nistrative pursuant to this article for infractions of these Regulations.
indicated in sections 4, 5 and 6 are in each individual case effective,
and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute title for the measures contemplated
in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of interested parties affected and the level of damages
cios that they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor
to alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment
to, taking into account the technical or organizational measures that have been applied
by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the traffic-
I lie;
f) the degree of cooperation with the supervisory authority in order to bring about
gave the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in
particular if the person in charge or the person in charge notified the infraction and, in such case,
what extent;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously filed against the person in charge or the person in charge of the
relationship with the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
or indirectly, through the infringement.
In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article
Article 76, “Sanctions and corrective measures”, establishes that:
"two. In accordance with the provisions of article 83.2.k) of Regulation (EU)
2016/679 may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatments
of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the
commission of the offense.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/11
e) The existence of a merger process by absorption after the commission
of the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) To have, when not mandatory, a data protection delegate
cough.
h) The submission by the person in charge or in charge, on a voluntary basis
to alternative conflict resolution mechanisms, in those sub-
positions in which there are controversies between those and any interested party. "
- In accordance with the transcribed precepts, in order to set the amount of the
sanction of a fine to be imposed in the present case for the offense typified in article
83.5.a) of the RGPD for which the claimed person is responsible, in an initial assessment
cially, the following factors are considered concurrent:
The merely local scope of the treatment carried out by the claimed entity
mada.
Only one person has been affected by the offending conduct.
The damage caused to the claimant having to go to this instance claim-
do the aforementioned facts.
The claimed entity does not record that it has adopted measures to prevent
produce similar incidents; Nor has it responded to the request for information
of the Agency, which affects the absence of cooperation with the
control in order to remedy the infringement and mitigate the possible
adverse effects of it.
There is no evidence that the entity acted fraudulently, although
the performance reveals a serious lack of diligence.
The linking of the offender with the performance of data processing of
personal character.
The claimed entity is a small business.
Therefore, in accordance with the established graduation criteria, both
adverse and favorable, a penalty of 2,000 euros is imposed for violation of the
Article 5.1.f) of the RGPD, for which the complainant must respond.
- Second, for the purpose of setting the amount of the fine to be imposed
ner in the present case for the offense typified in article 83.4.a) of the RGPD of the
that the claimed person is responsible, in an initial assessment, they are considered concurrent
the following factors:
The merely local scope of the treatment carried out by the claimed entity
mada.
Only one person has been affected by the offending conduct.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/11
The damage caused to the claimant having to go to this instance claim-
do the aforementioned facts.
The claimed entity does not record that it has adopted measures to prevent
produce similar incidents; Nor has it responded to the request for information
of the Agency, which affects the absence of cooperation with the
control in order to remedy the infringement and mitigate the possible
adverse effects of it.
There is no evidence that the entity acted fraudulently, although
the performance reveals a serious lack of diligence.
The linking of the offender with the performance of data processing of
personal character.
The claimed entity is a small business.
Therefore, in accordance with the established graduation criteria, both
adverse and favorable, a penalty of 1,000 euros is imposed for violation of the
Article 32.1 of the RGPD, for which the complainant must respond.
In accordance with the applicable legislation and the graduation criteria assessed
of the sanctions whose existence has been proven,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE ASESORÍAALPI-CLÚA, S.L., with NIF B63056162, for an
fraction of article 5.1.f) of the RGPD, typified in Article 83.5.a) of the RGPD, a
€ 2,000 fine (two thousand euros).
SECOND: IMPOSE ASESORÍA ALPI-CLÚA, S.L., with NIF B63056162, for a
violation of article 32.1 of the RGPD, typified in Article 83.4.a) of the RGPD, a
€ 1,000 fine (thousand euros).
THIRD: NOTIFY this resolution to ASESORÍA ALPI-CLÚA, S.L., with
NIF B63056162.
FOURTH: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on the Administrative Procedure Co-
of the Public Administrations (hereinafter LPACAP), within the vo-
luntario established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency
ñola of Data Protection in the banking entity CAIXABANK, S.A .. In case of
Otherwise, it will be collected in the executive period.
Once the notification has been received and once it is executed, if the date of execution is
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/11
between the 1st and the 15th of each month, both inclusive, the deadline to carry out the
Voluntary payment will be until the 20th of the following or immediately subsequent business month, and if
is between the 16th and last days of each month, both inclusive, the term of the
payment will be up to the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPA-
CAP, the interested parties may file, optionally, an appeal for reconsideration before
the Director of the Spanish Data Protection Agency within one month to
count from the day after the notification of this resolution or directly appeal
contentious administrative procedure before the Contentious-Administrative Chamber of the
National authority, in accordance with the provisions of article 25 and section 5 of the
Fourth additional provision of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-administrative diction, within two months from the day if-
following the notification of this act, as provided in article 46.1 of the aforementioned
Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPA-
CAP, the final administrative resolution may be suspended provisionally if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the ci-
Tada Law 39/2015, of October 1. You must also forward to the Agency the documentation
tion that proves the effective filing of the contentious-administrative appeal. Yes
the Agency was not aware of the filing of the contentious-administrative appeal
nistrative within a period of two months from the day following the notification of the
This resolution would terminate the precautionary suspension.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
