In late 2021, the Spanish Data Protection Authority (‘AEPD’) opened an investigation into the data processing activities of Bayard Revistas S.A., a publishing house in Madrid, after receiving a complaint from an individual. According to this complaint, the person in charge of Bayard’s web portal had notified all data subjects via e-mail that a third party had gained unauthorised access to Bayard’s user database, ultimately leading to a data breach. The breach concerned the leakage of contact and location data of all users who had submitted their information on the website through a registration form. During the course of the investigation, Bayard stated that the unauthorised third party had gained access to the website as a result of a system vulnerability. In addition, Bayard Revistas assured the AEPD that it had adopted appropriate technical and organisational measures to prevent future unauthorised access: it had put security incident protocols in place and deployed encryption mechanisms for the data stored in its databases.
The estimated number of users affected by the breach was 464,762. As a result, the AEPD published its decision on the case, imposing its highest fine to date, €52,000, on the Spanish publishing house. The fine was later reduced to €31,200 due to Bayard’s admission of guilt and voluntary payment. Bayard Revistas S.A. was fined for violation of articles 5, 32 and 33 of the GDPR.
Considering that Bayard Revistas S.A. is a small enterprise with up to 50 employees, it is worth examining the reasons that led to a fine so large in proportion to the size of the organisation.
Unlawful disclosure to a third party
Article 5(1)(f) of the GDPR states that personal data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)’.
According to Bayard’s web portal administrator, the third party that gained unauthorised access to the data had been probing the system for vulnerabilities. After discovering the vulnerability, the third party provided the web portal administrator with a screenshot as evidence that it had gained unauthorised access. The AEPD decided that user contact and location data had been unlawfully disclosed to an unauthorised third party, in violation of article 5 of the GDPR. An important aggravating factor in the AEPD’s decision was that the leaked data included minors’ data.
Ensuring security of data processing
Article 32 of the GDPR states that ‘the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
Bayard Revistas S.A. assured the AEPD that, following the breach, it had implemented appropriate technical and organisational measures to address future unauthorised access. However, the AEPD held that Bayard Revistas had not carried out an adequate risk assessment with regard to the breach at hand. As such, the measures Bayard implemented on the basis of that risk assessment were not appropriate to ensure that the risk was properly mitigated. The fact that minors’ data were leaked also played an important role in the security aspect of the decision.
Notification of a data breach
Article 33 of the GDPR states that ‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’
Lastly, the AEPD noted that Bayard Revistas had been aware of the data breach it suffered since the 28th of October 2021, but only notified the AEPD on the 11th of November 2021. The notification of the breach was thus delayed by 2 weeks, well beyond the 72-hour window, which ultimately led to the violation of article 33 GDPR.
How can you adequately protect your own business or service?
In its 2022 data breach report, IBM found that the global average cost of a data breach has reached $4.35 million, with healthcare, finance and technology being the most targeted industries. It is important for organisations, service or software providers and public institutions that process personal data to take appropriate data security measures to protect against cyber-attacks and malicious online activity.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations and other entities on advanced data management and compliance, as well as supporting experts working within research, businesses or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.