AFIANZA ASESORES, S.L. – €145,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
AFIANZA ASESORES, S.L. is a consultancy company engaged in, among other work, the provision of legal advice. A USB stick with a large amount of personal data, including data pertaining to a criminal proceeding, was stolen. The USB was not encrypted. The controller conducted an internal investigation. It informed the Spanish DPA (AEPD) of the incident 13 days after its occurrence.
On 2 July 2021, the AEPD ordered the controller to communicate the breach to data subjects. On 24 June 2022, the AEPD initiated sanctioning proceedings against the controller and proposed a sanction of €160,000. The AEPD considered that the controller had suffered a breach resulting in the unauthorized disclosure of personal data. It also considered the controller’s storage of personal data on a removable device without encryption negligent, which it treated as an aggravating factor for the fine.
The controller argued that there was no evidence that a third party had ever accessed the information contained in the USB; in its view, the infringing ‘disclosure’ or ‘breach’ was entirely hypothetical. Thus, the controller argued, it could not be proved that any third party ever improperly accessed the information contained in the USB, and no breach of confidentiality could be demonstrated.
The controller also argued that it protected its data diligently and had adequate security measures in place. For instance, all personnel with access to personal data were instructed on their obligations and responsibilities. It also conducted IT audits to verify that appropriate measures and security standards were in place. The controller emphasised that Article 32 GDPR does not set out a closed list of security measures; instead, it requires the controller to apply appropriate measures. It thus challenged the focus of the sanctioning proceedings on the absence of encryption on the USB, because encryption was not an obligatory security measure and this focus did not take account of the controller’s other security measures.
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for AFIANZA ASESORES, S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 March 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€145,000
GDPRhub ID
gdprhub-8227
About this data
Cite as: Cookie Fines. AFIANZA ASESORES, S.L. - Spain (2024). Retrieved from cookiefines.eu