Secretaría General para la Innovación y Calidad del Servicio Público de Justicia – Violation Found (Spain, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Spain's public justice service accidentally shared personal information about nationality decisions with the wrong people. This happened because they didn't secure their systems properly. The Spanish data protection authority found this violated several GDPR rules about keeping data safe and private.
What happened
The public justice service in Spain shared personal data about nationality decisions with unauthorized third parties due to a technical error.
Who was affected
Individuals applying for Spanish nationality whose personal data was mistakenly shared with others.
What the authority found
The Spanish data protection authority found that the justice service failed to apply proper security measures, violating GDPR rules on data protection and confidentiality.
Why this matters
This case highlights the importance of securing personal data, especially in government processes. It serves as a reminder for public services to ensure their systems are robust against data breaches.
GDPR Articles Cited
National Law Articles
On 14 January 2020, the Subdirectorate-General for Nationality and Civil Status notified the Spanish DPA (hereinafter AEPD) of a personal data security breach dated 22/11/2019, after becoming aware of it through an e-mail from a citizen about a notification of the granting of Spanish nationality that corresponded to another person. The notified security breach concerned 34 affected persons, and 2 more were subsequently added, for a total of 36. All of these breaches involved nationality decisions being unduly shared with third parties. The security breach was communicated to the interested parties on 16/01/2020. The security gap had its technical origin in a modification to the process of generating decisions granting nationality by residence, which had been made in the application used to process nationality-by-residence files.
Is the infringement of the principles of integrity and confidentiality in granting nationality and residence a breach of Articles 5(1)(f), 25, 32, and 34 GDPR?
The Secretary-General for Innovation and Quality of the Public Justice Service (SGICSPJ) did not apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk. This is evident because it has been proven that third parties had access to information reserved for the interested party (the applicant, a Spanish national) as a result of the malfunctioning of the new version of the application. The AEPD considered Articles 25, 32 and 34 GDPR, in relation to Article 5(1)(f) GDPR, to have been infringed as a result of the security breach caused by the transmission of personal data to third parties in the processes of granting Spanish nationality and the residence permit of foreign nationals.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Cite as: Cookie Fines. Secretaría General para la Innovación y Calidad del Servicio Público de Justicia - Spain (2020). Retrieved from cookiefines.eu