Telefónica – Dismissed (Spain, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Telefónica reported a possible data breach involving backup records stored by an external company. The Spanish data protection authority found that Telefónica took appropriate measures to address the issue and decided not to take further action. This case shows the importance of having strong security measures and quick response plans.
What happened
Telefónica reported a potential data breach involving backup records stored by an external security company.
Who was affected
Clients and employees whose personal data, such as names and ID numbers, might have been accessed.
What the authority found
The Spanish authority concluded that Telefónica complied with its data protection obligations and took adequate measures to address the breach.
Why this matters
This decision highlights the importance of having robust security measures and quick response plans in place. It reassures companies that proactive and thorough handling of potential breaches can prevent further regulatory actions.
GDPR Articles Cited
The decision follows from the notification of a possible personal data breach submitted by Telefónica (data controller), stating that some documentation (backup records) to be kept by an external security company located in Luxembourg (data processor) may have been lost and accessed by third parties. The documentation affected different categories of subjects (clients and directors/employees) and personal data (name, surname, email, address, national ID number, IBAN, employment agreement, insurance agreement, pension scheme).
The AEPD started the corresponding investigation, and Telefónica provided a copy of its communications with the different data processors involved, as well as a copy of the data processing agreements. The investigation showed that (1) the data controller visited the data processor's premises in order to verify its security measures, (2) the data controller reacted promptly, not only by contracting a forensics service with an external company but also by taking external measures to prevent new breaches, (3) the data controller internally carried out a full Internet search for the affected personal data through a specialized cyber team, without any results on either the deep or the dark web, and (4) due to the huge volume of affected subjects, the data controller clearly identified those to be informed: those relating to health, IBAN and photocopies of national ID numbers.
Thus, on the basis of the GDPR definition of a personal data breach, the AEPD understood that Telefónica had complied with its personal data obligations and decided not to take further action, according to these facts: (1) there is no proof that the affected data has been accessed by third parties, (2) the data controller complied with reasonable and adequate technical and organizational security measures, (3) the data controller has internal procedures that allowed a quick reaction, (4) complaints from possible affected subjects have not been received, (5) the data controller dra
Outcome
Dismissed
The complaint or investigation was dismissed.
Cite as: Cookie Fines. Telefónica - Spain (2020). Retrieved from cookiefines.eu