
APDCAT (Catalonia) - PS93/2024

From GDPRhub
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 33 GDPR
Article 34 GDPR
Article 83(5)(a) GDPR
Article 13 LPAC
Article 5 LOPDGDD
Article 77.5 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 10.12.2023
Decided:
Published: 28.02.2025
Fine: n/a
Parties: Badalona City Council
National Case Number/Name: PS93/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: APDCAT (in ES)
Initial Contributor: r_e_

A city council infringed Article 5(1)(f) GDPR by publishing on its website a document containing the personal data of 1,076 employees, including their salaries. The DPA declared the infringement but, since it considered the remedial measures proposed by the controller appropriate and sufficient, it did not order any corrective measures.

English Summary

Facts

The complainant learned through social media that their personal data, namely their name, position within the controller’s organisation (Badalona City Council) and salary, had been published on the controller’s website. According to the complainant, the document remained online for a few hours until several employees alerted the controller, which then removed it.

The document in fact contained the same categories of personal data (name and surname, category or position, job, group, level and itemised remuneration) for the controller’s entire workforce of 1,076 people, and its electronic signature exposed the full national ID number (DNI) of the person who signed it. Several other employees, as well as a union section, filed complaints about the incident with the DPA.

The information was available on the controller’s website from 11:00 on 1 December 2023 until 11:16 on 4 December 2023. The controller notified the DPA of the security breach on 11 December 2023. While the document was online it was accessed 16 times, the first access being recorded on the morning of 4 December.

As part of this notification, the controller listed the following technical and organisational measures to the DPA to address the current breach and avoid similar situations in future:

- An investigation to be carried out, assessing how the security breach occurred and what preventive measures to be applied to avoid future breaches;

- Internal procedures and protocols to be reviewed;

- Awareness training in data protection and information security to be carried out;

- Protocols for "publishing personal data versus transparency" to be reviewed; and

- An internal communication to all staff, apologising and explaining the measures that have been adopted to minimise the impact of the breach, to be sent.

Holding

The controller was found to have infringed the principle of integrity and confidentiality (Article 5(1)(f) GDPR, Article 5 LOPDGDD). It had failed to act with the diligence required of it when it accidentally published its employees’ personal data; the DPA recalled that the duty of diligence is at its highest where the activity affects fundamental rights such as the right to data protection.

The DPA did not order the controller to adopt measures to correct the effects of the infringement, because the measures the controller had proposed in its breach notification were considered appropriate and sufficient and had already been adopted.

The DPA also noted that the controller had complied with its breach notification obligations towards the DPA and towards the data subjects affected (Article 33 and Article 34 GDPR), but held that this did not exempt it from liability for the breach of the duty of confidentiality itself.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Case identification

Resolution of the sanctioning procedure No. PS 93/2024, concerning the Badalona City Council.

Background

1. On 10/12/2023, the Catalan Data Protection Authority received a complaint against the Badalona City Council (hereinafter, the city council), for an alleged breach of the regulations on the protection of personal data.
The complainant (complainant A) stated the following:

— That “I have learned through social networks that my personal data, such as my name, surname, position within the city council and salary, have been published on the website of the Badalona City Council.”

— That “this incident occurred on December 4 [2023] and remained published for a few hours until several workers alerted them and the document was deleted from the page.”

Along with the complaint, the complainant provided a document entitled “Proposal Chapter 1. Valued staff and other service relationships.” This document contains the following personal data relating to 1,076 people: name and surname, category or position, job, group, level of destination and remuneration (broken down into basic, complementary, productivity, contribution and total). In addition, the electronic signature on the document displays the full DNI of the person signing it, along with their name and surname.

2. On 11/12/2023, at 6:30 p.m., the city council notified the Authority of a security breach (NVS 172/2023), which it stated had occurred on 04/12/2023 and had been detected on the same day at 9:00 a.m. In its letter, the city council stated the following:

— That “on December 4, an excel file [was published] with the list of all Badalona City Council staff identified by their name and surname, position held and their salary.”

— That “this document was uploaded by mistake (since it was thought to be anonymized), since it was part of a Human Resources file that went to the Plenary Session on December 1st where modifications were made to the remuneration of some of the staff.”

— That “this file was on the city council server and within approximately 2 hours it was removed from the portal https://www.badalona.cat/ca/ajuntament/normativa/expedients-en-exposicio-publica/expedient-2023-35205l.”

— That, within two hours, “the published file was removed, preventing its dissemination.” Regarding the technical and organizational measures planned or adopted to end the incident and prevent it from occurring again in the future, the city council specified the following:

— That “an investigation will be carried out and how the security breach occurred will be assessed and preventive measures will be applied so that it does not occur again.”

— That “(...) internal procedures and protocols (...) will be reviewed.”

— That “(...) new awareness and training actions in the field of data protection and information security will be carried out.”

— That “the protocols for publishing personal data versus transparency will be reviewed.”

— That “an internal communication will be made to the entire staff apologizing and explaining the measures that have been adopted to minimize the impact of the breach.”

3. On the same date, at 9:50 p.m., the Authority received a second complaint against the city council, which referred to the same facts as the first. Insofar as relevant here, the complainant (complainant B) stated the following:

— That “the City Council of Badalona published on the transparency website a complete list
of civil and labor personnel with names and surnames, the position they hold and the salary they receive.”

— That “this list was withdrawn shortly afterwards.”

— That “the news has been published in various media.”

4. On 12/12/2023, the Authority received a third complaint against the city council, which referred to the same facts as the previous ones. Together with the complaint, the complainant (complainant C) provided the document entitled “Proposal Chapter 1. Valued staff and other service relationships”, which had already been provided by complainant A.

On 03/01/2024, complainant C submitted a second written statement for the same facts and a
third, this time through the Spanish Data Protection Agency (AEPD),
which transferred it to this Authority on 09/01/2024.

5. On 12/12/2023, a fourth complaint against the city council was received by the Authority. In its statement, the complaining entity, the UGT union section of Badalona City Council (hereinafter, complainant D), referred to the same facts, which it set out in terms similar to those of the previous complaints.

6. On 21/12/2023, the Authority concluded the investigation of the actions linked to NVS 172/2023. In the course of that processing, it concluded that the city council had complied with the obligation to notify the breach to the Authority and to communicate it to the affected persons, by means of an email addressed to all municipal staff and a statement published on the intranet and the city council employee portal.

7. On 07/01/2024 and on successive dates (15/01/2024, 17/01/2024, 18/01/2024, 20/01/2024 and 13/02/2024), the Authority received seven more complaints against the city council. In their respective submissions, the complainants (complainants E, F, G, H, I, J and K) referred to the same facts as the previous complaints.

8. The Authority opened a preliminary information phase (no. IP 647/2023, IP 651/2023, IP
654/2023, IP 655/2023, IP 7/2024, IP 8/2024, IP 32/2024, IP 37/2024, IP 41/2024, IP
46/2024 and IP 186/2024), to determine whether the facts were likely to motivate the initiation of a sanctioning procedure, in accordance with the provisions of article 7 of Decree
278/1993, of 9 November, on the sanctioning procedure applicable to the areas of
competence of the Generalitat, and article 55.2 of Law 39/2015, of 1 October, on the common administrative procedure of the public administrations (LPAC).

9. On 22/10/2024, the director of the Catalan Data Protection Authority agreed
to initiate sanctioning proceedings against the Badalona City Council, for an alleged
infringement provided for in article 83.5.a, in relation to article 5.1.f, all of them of Regulation
(EU) 2016/679 of the European Parliament and of the Council, of 27 April, on the protection
of natural persons with regard to the processing of personal data and on the free movement
of such data (RGPD). This initiation agreement was notified to the accused entity on
30/10/2024.
10. In the initiation agreement, the accused entity was granted a period of 10 working days to formulate allegations and propose the practice of evidence that it considered appropriate to defend its interests.

On 14/11/2024, the city council formulated allegations in the initiation agreement.
Together with its letter, the accused entity provided various documentation.

11. On 27/11/2024, the investigator in this procedure formulated a proposed resolution, by which she proposed that the director of the Catalan Data Protection Authority declare that the Badalona City Council had committed an infringement provided for in article 83.5.a in relation to article 5.1.f, both of the GDPR.

This proposed resolution was notified on 03/12/2024 and a 10-day period was granted to formulate allegations.

12. The deadline has long since expired and no allegations have been submitted.

Proven facts

On 01/12/2023, at 11:00 am, Badalona City Council published on its website a document called “Proposal chapter 1. Valued staff and other service relationships”, which contained the personal data (name and surname, category or position, place of work, group, level of destination and remuneration, broken down into basic, complementary, productivity, contribution and total) of the City Council’s workforce of employees and civil servants; specifically, 1,076 people. In addition, this list included the electronic signature of a person, so that their full DNI was displayed, along with their name and surname.

This document remained published until 04/12/2023, at 11:16 am. During this time, the city council detected a total of 16 accesses to the document, the first of which occurred at 06:20 am on 04/12/2023. The publication was due to human error.

Legal basis

1. The provisions of the LPAC and article 15 of Decree 278/1993 apply to this procedure, as provided for in the second transitional provision of Law 32/2010, of 1 October, of the Catalan Data Protection Authority. In accordance with articles 5 and 8 of Law 32/2010, the resolution of the sanctioning procedure corresponds to the director of the Catalan Data Protection Authority.

2. The accused entity did not submit allegations against the proposed resolution, but it did so against the initiation agreement. In this regard, it is considered appropriate to reiterate below the most relevant parts of the investigator’s reasoned response to those allegations.

2.1. On the actions of the city council and the notification of the security breach

In section 1 of its written statement of allegations, in summary, the accused entity stated:

— That “at the time when the DPO of the Badalona City Council became aware of the security breach, the communication was made to the supervisory authority and to the interested parties within the period set in the initial communication and in compliance with the subsequent request of the APDCAT.”

— That, “in order to protect the privacy of those affected, the document that had been erroneously published from the platform was withdrawn in the shortest possible time (less than an hour as indicated in the human resources report), leaving the general public without access to said document, as proven in the reports of the different departments of the City Council.”

— That “notification of the closure of the actions relating to the breach file was received, in which the APDCAT indicates that the Badalona City Council correctly complied with the provisions of articles 33 and 34 GDPR relating to security breaches.”

— That, in “the notification of the closure of the file, APDCAT considers the proposal for improving technical measures and training activities to prevent an incident of the same nature from occurring again to be appropriate and sufficient (...).”

— That “once the actions relating to the breach file have been archived (...) it notifies via email all of its employees, as well as those entities that have filed a claim related to this matter (CSIF), a brief description of the events that occurred with the chronology, the APDCAT’s decision to archive the actions in this regard, as well as the measures on which it is proposed to work together with its DPO (...).”

Apart from these allegations, the city council provided several reports prepared by different units or departments of the entity, including the report of the Secretary General of 21/12/2023. This report, among other things, states:

— That “there has been an unauthorized or accidental disclosure of personal data to third parties, data published in the document called «AJ-12-02 Annex 2 - Proposal chapter 1. Valued staff and other service relationships.pdf (…).”

— That “from the reports received, the following chronology of events is confirmed:

(...)

01/12/2023 11:00 [hours] Publication of the index link of the file on public display at https://www.badalona.cat/ca/ajuntament/normativa/expedients-en-exposicio-publica/expedient-2023-35205l

(...)

04/12/2023 06:21 [hours] First access to the document «AJ-12-02 Annex 2 - Proposal chapter 1. Valued staff and other service relationships.pdf (...)».

(...)

04/12/2023 11:16 [hours] Verification of the replacement of the foliation (index) document on public display; the document with personal data no longer appears.”

— That, “from the report issued by the head of the IT Department, it appears that between 1/12/23 and 4/12/23 at 11 a.m., the period in which the PDF document that contained the link to the document with non-anonymized personal data was available, the link was accessed 16 times.”

— That, “at 11:00 a.m. on December 1, 2023, at which time the organic unit responsible for the file (...) prepares the foliation (index) of file 2023/35205L and sends it to IT to incorporate it on the municipal website at the link https://www.badalona.cat/ca/ajuntament/normativa/expedients-en-exposicio-publica/expedient-2023-35205l, the document with personal data “AJ-12-02 Annex 2 - Proposal Chapter 1. Valued staff and other service relationships” could be consulted by any citizen.”

— That “the non-anonymized document with personal data was consulted for the first time at 06:21 a.m. on December 4, 2023.”

— That “a total of 16 accesses to the document have been recorded.”

— That “on December 4, 2023, at 11:16 a.m., the replacement [of] the foliation document on public display is verified; the document with the personal data no longer appears.”

First of all, it must be said that, as stated in the 2nd antecedent, on 11/12/2023 the city council notified this Authority that a security breach had occurred (NVS 172/2023), related to the proven facts. However, this fact cannot imply an exemption from the responsibility of the controller, since this notification to the supervisory authority is an obligation that derives from articles 33 and 34 of the GDPR.

At the same time, it is an independent issue from the fact that, in the course of the security breach, one or more infringements of the regulations on the protection of personal data may have been committed; in this case, specifically an infringement related to the duty of confidentiality.

Certainly, as the city council alleges, this Authority concluded the investigation of the actions linked to NVS 172/2023 by means of the official letter dated 21/12/2023. Thus, it was resolved that the city council had fulfilled its obligation to notify the breach to the Authority and also to communicate it to the affected persons. However, the content of the statement of allegations and the complementary documentation provided by the city council do not undermine the alleged facts; on the contrary, they establish that the document containing non-anonymized personal data was published at 11:00 on 01/12/2023 and remained published until 11:16 on 04/12/2023.

For all this, it is considered that this allegation cannot succeed.

2.2. Regarding the dates on which the complaints were filed

In its written statement of allegations, the city council pointed out that “the dates indicated in point 7 of the agreement to initiate sanctioning proceedings do not correspond with the timeline of the events relating to the security breach since these are dates that took place months before the incident (although we understand that this may be due to an error).”

Certainly, in the antecedent 7 of the initial agreement it was stated that “on 07/01/2024 and on successive dates (15/01/2023, 17/01/2023, 18/01/2023, 20/01/2023 and 13/02/2023) the Authority received seven more complaints against the city council. (...).”

As the city council mentions, this is a typographical error in the dates of the complaints. The wording, which has already been amended, should be as follows: “on 07/01/2024 and on successive dates (15/01/2024, 17/01/2024, 18/01/2024, 20/01/2024 and 13/02/2024) the Authority received seven more complaints against the city council. (...).”

2.3. On the fact that the city council was not asked to participate in the prior information phase

Following, the accused entity argued the following:

— That “the fact that, almost a year after the event, the supervisory authority has agreed to initiate sanctioning proceedings without either the City Council of Badalona, in its capacity as controller, or its Data Protection Officer having been aware of any new fact which, due to its magnitude, could have led the supervisory authority to take this decision is difficult to understand.”

— That “the security breach affected all of the entity’s employees (...) so that this Authority could foresee that a large number of employees would file a complaint once the facts were known, that is, after having received information from the City Council of Badalona, both at the time the security breach occurred and when the action was closed by this supervisory authority.”
In this regard, it should be remembered that the prior information phase, as its name indicates, has as its purpose to ascertain the circumstances of the reported facts and the advisability of initiating or not a sanctioning procedure. In this case, the investigator considered that it was not necessary to require more information from the city council, because it had already provided it during the processing of NVS 172/2023.

In accordance with what has been stated, it is considered that this allegation cannot succeed either.

3. In relation to the facts described in the proven facts section, it is necessary to refer to article 5.1.f of the GDPR, which provides that “1. Personal data shall be: f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

On the other hand, Organic Law 3/2018, of December 5, on the protection of personal data and the guarantee of digital rights (LOPDGDD), establishes the following in article 5, relating to the duty of confidentiality:

“1. Those responsible for and in charge of data processing as well as all
persons who intervene in any phase of it are subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section is complementary to the duties of professional secrecy in accordance with its applicable regulations (...).”

Likewise, it is appropriate to mention article 13 of the LPAC, which lists a catalogue of rights of persons in their relations with public administrations. Letter h of this catalogue expressly includes the right “to the protection of personal data, and in particular to the security and confidentiality of the data contained in the files, systems and applications of public administrations”.

When the city council published the personal data of the entity’s workforce of employees and civil servants, it did not act with the diligence that was required of it. It should be remembered that the duty of diligence is at its highest when activities are carried out that affect fundamental rights, such as the right to the protection of personal data.

During the processing of this procedure, the fact described in the proven facts section has been proven, which constitutes the infringement provided for in article 83.5.a of the GDPR, which typifies the violation of “the basic principles for processing”, among which is the principle of confidentiality.

The conduct addressed here is classified as a very serious infringement in article 72.1.i of the LOPDGDD, as follows:

“The violation of the duty of confidentiality established in article 5 of this organic Law.”

4. Article 77.2 of the LOPDGDD provides that, in the case of infringements committed by the controllers or processors listed in Article 77.1 of the same law, the competent data protection authority:

“(...) must issue a resolution declaring the infringement and establishing, where appropriate, the measures that should be adopted to cease the conduct or correct the effects of the infringement that has been committed, with the exception of that provided for in Article 58.2.i of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016.

The resolution must be notified to the controller or processor, to the body to which he or she is hierarchically subordinate, where appropriate, and to the affected parties who have the status of interested party, where appropriate.”

In terms similar to the LOPDGDD, article 21.2 of Law 32/2010 determines the following:

“2. In the case of infringements committed in relation to publicly owned files, the
director of the Catalan Data Protection Authority must issue a
resolution declaring the infringement and establishing the measures to be adopted to correct its
effects. (...).”

In this case, it is not necessary to require measures to correct the effects of the infringement, because
the city council has already adopted them, as has been proven.

Resolution

For all of this, I resolve:

1. To declare that Badalona City Council has committed an infringement provided for in article 83.5.a
in relation to article 5.1.f, both of the GDPR.

It is not necessary to require measures to correct the effects of the infringement, in accordance with
what has been set out in legal basis 4.

2. To notify this resolution to Badalona City Council.

3. To communicate the resolution to the Catalan Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.

4. To order that this resolution be published on the Authority's website (apdcat.gencat.cat), in accordance with
article 17 of Law 32/2010, of 1 October.

Against this resolution, which puts an end to the administrative procedure in accordance with articles 26.2 of Law 32/2010 and 14.3 of Decree 48/2003, of 20 February, which approves the Statute of the Catalan Data Protection Agency, the accused entity may optionally file an appeal for reconsideration before the director of the Catalan Data Protection Authority, within a period of one month from the day after its notification, in accordance with the provisions of article 123 et seq. of Law 39/2015. An administrative appeal can also be filed directly before the administrative courts of Barcelona, within two months from the day after notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of 13 July, regulating administrative jurisdiction. If the accused entity informs the Authority of its intention to file an administrative appeal against the final administrative decision, the decision will be suspended as a precaution in the terms provided for in article 90.3 of the LPAC. Similarly, the accused entity may file any other appeal it deems appropriate to defend its interests. The director