Spanish Society of Medical Oncology – €42,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Spanish Society of Medical Oncology (the controller) promoted participation by cancer patients in a study run by a data processor. Patients downloaded a mobile app and, using a code given to them by their oncologist, entered data about their well-being. In June 2023, the controller notified the AEPD (the Spanish DPA) that the processor had suffered a security breach resulting in unauthorised access by a malicious actor to the personal data of 2,622 patients. The personal data consisted of the participants' email addresses, phone numbers and health-related data. The DPA's investigation found that the processor had failed to properly implement cryptographic controls that would have allowed the data to be encrypted. Based on evidence from the National Cybersecurity and Technology Expertise Association, the DPA concluded that the absence of such controls facilitated the breach. The DPA found that the controller had infringed Article 5(1)(f) GDPR by failing to ensure appropriate security of processing. The DPA initially proposed a fine of €70,000 for the infringement. Under Law 39/2015, the Spanish law governing administrative proceedings, the DPA informed the controller that it could acknowledge responsibility for the alleged violations and/or make a voluntary payment of the proposed fine, each of which reduces the fine by 20%. The controller opted for both, reducing the fine by 40%, and paid the reduced sanction of €42,000.
GDPR Articles Cited
Article 5(1)(f) GDPR (integrity and confidentiality / security of processing)
Related Enforcement Actions (0)
No other enforcement actions found for Spanish Society of Medical Oncology in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 January 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€42,000
GDPRhub ID
gdprhub-9071
Cite as: Cookie Fines. Spanish Society of Medical Oncology - Spain (2025). Retrieved from cookiefines.eu