The Phone House Spain – €6,500,000 Fine (Spain, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 14 April 2021, the Spanish DPA (AEPD) received a notification of a personal data breach registered by the controller, a telecommunications provider. The Security Breach Assessment Report showed that approximately 13,000,000 people were affected by the data breach. The attackers downloaded a database containing the personal data of clients, former clients, suppliers and employees of the controller and published the information on a public website. The personal data included names, ID numbers, postal addresses, email addresses, mobile numbers, nationality, sex, dates of birth and bank account numbers, as well as employment details of employees. The controller stored the data in plain text, without any pseudonymisation or anonymisation measures in place. The controller argued that adequate measures were in place and that the attack could not have been prevented given the technical expertise of the attackers. Crucially, the controller submitted that there was no relationship between the alleged inadequacy and the data breach, as more robust measures could not have prevented the attack; therefore, no causal link could be established between the controller's actions and the incident. The controller firmly positioned itself as the victim of an unforeseen attack and argued that every security system has room for improvement, but that Article 5(1)(f) GDPR cannot be interpreted as an obligation to achieve a specific result. The AEPD clarified that Article 5(1)(f) GDPR is violated whenever a personal data breach occurs, regardless of whether the breach was caused by the absence or deficiency of security measures. As a controller processing large amounts of personal data concerning a large number of people, the controller should have foreseen the risks and implemented measures which could have prevented the cyberattack. As aggravating factors, the AEPD highlighted the amount of personal data leaked and the number of people affected by the breach. Further, it highlighted
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for The Phone House Spain in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 27 December 2023
Authority: Agencia Española de Protección de Datos
Fine Amount: €6,500,000
GDPRhub ID: gdprhub-8551
Cite as: Cookie Fines. The Phone House Spain - Spain (2023). Retrieved from cookiefines.eu