Resolutions, opinions and reports search tool

A citizen accesses, through his personal folder to the electronic headquarters of the City Council, the documentation of a third person in relation to a file that has nothing to do with his complaint. The violation of the principle of confidentiality is alleged. The infringement of art is also proven. 25 RGPD, of technical measures from the design and by default, although, after a medial competition, it is only charged for the most serious infringement.

The Agency is admonished as being responsible for a serious breach of security measures because its main website did not implement a secure website authentication protocol (HTTPS).

It is decided to sanction FMB S.A. because the lack of implementation of appropriate technical and organisational measures has prevented it from locating the personal file of the person who provided services to the complained company. This fact violates Article 32.1 of the GDPR, which provides for the controller's obligation to guarantee the availability and security of personal data.

It resolves to admonise the City Council since for an unspecified period, which at least covers the months of November 2020 until January 2021, it did not have a risk analysis of the personal data it processed, nor had it implemented all the security and technical measures, in accordance with the National Security Scheme, as required by Article 32 GDPR, in relation to the recording of telephone calls maintained by the local police. On the other hand, the dissemination by a local police officer to other agents of the body, of the content of a telephone conversation held by the complainant with a Medical Emergencies Service worker, contravened the principle of confidentiality.

The complaint is filed about how a Hospital carried out the transfer of documentation from a trade union section to another room inside the hospital, since that transfer was carried out without jeopardising the protection of the personal data contained there, and the security measures taken to do so were appropriate to guarantee its safety and confidentiality.

Indra, in his capacity as sub-processor, did not apply the basic level security measures required by SocMobility in the treatment processor's contract, to ensure a safety level appropriate to the risk (thus to prevent unauthorised persons from accessing these data), since the T-Mobility access portal did not modify the password that the manufacturer of the "Liferay" undercuture assigns to the admin, so that access was opened, and in turn accessible to third parties.

SocMobility (processing controller) did not adequately determine the appropriate security measures to guarantee a safety level appropriate to the risk of the data processing entrusted to Indra (those who are in charge of processing) for the implementation and management of the T-Mobility card, while in the processing order contract the SocMobility entity indicated to Indra that the security measures it had to implement for the provision of the services being commissioned were of the basic level, i.e. it categorized the system as basic, when according to the concurrent circumstances in the processing being commissioned, the basic level was not sufficient.

The person in charge of the treatment must implement the appropriate measures to ensure that the conversations held between their staff and the patients cannot be heard by unauthorized third parties. It is necessary to carry out a risk analysis to determine the applicable security measures.

The CTTI, in its capacity as processor, did not implement adequate security measures to guarantee the personal data it processed on behalf of the controller (Dept EDU). This allowed a student, when making a telematic pre-enrolment at a given training, to display the data of a third party on screen.