The Spanish Data Protection Agency (AEPD) has fined a consultancy firm 3,000 euros for sending an e-mail to a client that mistakenly contained attached documentation from another client of the consultancy firm.
This breached Articles 5.1.f and 32.1 of the GDPR, the “principle of integrity and confidentiality” and “security of processing” respectively. The attachment contained personal data of a third party, which the recipient of the e-mail was therefore able to read: a breach of confidentiality caused, in this case, by human error.
Anyone can make a mistake like this, which is why we at Edorteam always insist that attachments containing personal data must be encrypted before they are sent. Article 32.1 of the GDPR names encryption explicitly among the appropriate security measures:
32.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where applicable, inter alia:
a) pseudonymization and encryption of personal data
Moreover, Article 34 of the GDPR, “Communication of a personal data breach to the data subject”, exempts the controller from notifying the affected person when the data had been rendered unintelligible to anyone not authorised to access it, for example by encryption (Article 34.3.a).
This simple preventive step would have avoided the infringement. Even if the wrong recipient or the wrong attachment is selected, the person who receives the message does not hold the password, so the contents stay confidential. The condition is that the password travels through a different channel (a phone call, a message on another service), never in the same e-mail as the attachment; otherwise a misdirected message hands over both.
ET Encrypt is a handy AES-256 encryption tool with which you can encrypt any type of file in a couple of clicks: convenient, fast and secure.
Preemptively encrypt your e-mail attachments
With ET Encrypt you can easily encrypt all types of files with AES-256, including information that is then sent by e-mail.
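As an added illustration of the protection described above, the following Go program shows what password-based attachment encryption has to do for a misdirected e-mail to be harmless. It is example code written for this page, not code from Edorteam or from ET Encrypt, whose file format is not documented here. The design choices are assumptions: the key is derived from the password with PBKDF2-HMAC-SHA256 (600,000 iterations, implemented with the standard library), the file is sealed with AES-256-GCM so that a wrong password and a tampered file are both rejected rather than yielding garbage, and the blob layout (salt, nonce, ciphertext plus tag) is invented for the example. The sample attachment text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Blob layout (an assumption for this example, not ET Encrypt's format):
//   salt (16 bytes) || nonce (12 bytes) || AES-256-GCM ciphertext+tag
const (
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32 // AES-256
)

// Iterations for PBKDF2-HMAC-SHA256; 600,000 follows the OWASP password
// storage guidance and makes guessing the password slow for whoever received
// the attachment by mistake.
const Iterations = 600000

// ErrUnreadable is returned for a wrong password and for tampered data alike:
// the GCM tag check cannot tell the two apart, which is exactly what we want.
var ErrUnreadable = errors.New("decryption failed: wrong password or corrupted data")

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 using only the
// standard library, so the example has no external dependencies.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	idx := make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		binary.BigEndian.PutUint32(idx, uint32(b))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)           // U_1 = PRF(P, S || INT(b))
		t := append([]byte{}, u...) // T_b starts as U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T_b = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals an attachment under a key derived from password. A fresh
// salt and nonce are drawn on every call, so the same file encrypted twice
// yields different blobs.
func Encrypt(password, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newGCM(pbkdf2SHA256(password, salt, Iterations, keyLen))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(header)+len(plaintext)+aead.Overhead())
	out = append(out, header...)
	// The header is authenticated as associated data, so swapping the salt
	// or nonce between blobs is detected as tampering.
	return aead.Seal(out, nonce, plaintext, header), nil
}

// Decrypt is what the recipient runs. Anyone without the password, such as
// the wrong addressee of a misdirected e-mail, gets ErrUnreadable and never
// partial plaintext.
func Decrypt(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, ErrUnreadable
	}
	header := blob[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newGCM(pbkdf2SHA256(password, salt, Iterations, keyLen))
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, blob[saltLen+nonceLen:], header)
	if err != nil {
		return nil, ErrUnreadable
	}
	return plaintext, nil
}

func main() {
	// Constructed sample attachment for the example; not real client data.
	attachment := []byte("Client: Example S.L. - payroll summary, March (constructed sample)")
	password := []byte("agreed by phone, never sent in the same e-mail")

	blob, err := Encrypt(password, attachment)
	if err != nil {
		panic(err)
	}
	// Intended recipient, who was given the password through another channel.
	if pt, err := Decrypt(password, blob); err == nil {
		fmt.Printf("intended recipient reads: %q\n", pt)
	}
	// Misdirected e-mail: the wrong client tries the password they know.
	if _, err := Decrypt([]byte("some other client's password"), blob); err != nil {
		fmt.Println("wrong recipient:", err)
	}
	// Attachment altered in transit: a single flipped bit fails the tag check.
	blob[len(blob)-1] ^= 0x01
	if _, err := Decrypt(password, blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The point the program makes is that confidentiality rests on the password never travelling with the file: the wrong recipient holds the blob, but without the password the only thing they can do is run the slow key derivation against guesses, and the authenticated mode guarantees they cannot coax a modified or partially decrypted document out of it.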
3,000 euros penalty, a significant amount for a small company
As a result of the complaint, the AEPD asked the consultancy for all the information it could provide on the matter, as well as the possible causes of the incident and the measures adopted to prevent it from happening again.
However, as the resolution explains, the consultancy did not respond in any way to the AEPD's requests.
This is hard to understand, since the AEPD treated the lack of cooperation and diligence as an aggravating circumstance.
On the other hand, several factors were taken into account as mitigating circumstances:
- Only one person was affected by the incident.
- The reported consultancy is a small company.
- The data processing carried out by the consultancy is local in scope.
The AEPD resolved the case by fining the company 2,000 euros for the breach of Article 5.1.f of the GDPR and 1,000 euros for the breach of Article 32.1 of the GDPR.