The recent Judgment of the Supreme Court 188/2022 outlines the duty of data protection and clarifies the responsibility of companies in relation to this obligation to ensure the protection of the personal data of their clients.

The case focuses upon an error which allowed the non-authorised access of third parties to the personal information of clients. Specifically, the infringement came about because the email address which appeared in applications for the financing of telephone products did not correspond with that of the clients/applicants and, as a result, third parties were allowed non-authorised access to the information contained in said applications (name and surname, financial data, bank account details and signature).

The Spanish Data Protection Agency (AEPD) imposed a fine of EUR 40,001 upon the company for the breach of article 9.1 of the Data Protection Act, classified as a serious infringement under article 44.3.h) of the same Act. The company appealed the fine; the appeal was dismissed by the National Court in its judgment of 22nd July 2020, which in turn led to the appeal before the Supreme Court that produced the Judgment analysed herein.

Article 9.1 of the Data Protection Act states that: “the party responsible for the file and, as the case may be, for the processing must take the technical and organisational measures which are necessary to guarantee the security of the personal data and avoid their alteration, loss, processing or non-authorised access, in view of the technology, the nature of the data stored and the risks to which they are exposed, whether they be derived from human action or from the physical or natural environment.”

The appealing party argues that article 9.1 of the Data Protection Act establishes an obligation to achieve results and that said obligation is contrary to the legislation and case law which establishes an obligation to provide means.

The Third Chamber of the High Court rejects this argument and clarifies that the obligation of companies to ensure the security of the personal data contained in their files is an obligation of means and not of results. Thus, we are not dealing with a breach subject to strict liability, but with an obligation “of diligence”.

The contentious-administrative court outlines that the obligation is to establish measures which are technically adequate and to implement and use them with reasonable diligence. The court adds that such measures must “guarantee an appropriate level of security in relation to the nature and risk of the data to be protected”. This requirement is closely linked to the “existing technical knowledge and the cost of applying the measures”.

This interpretation conforms with European Directive 95/46/EC, which was implemented in our legal system by the now repealed Personal Data Protection Act of 1999.

Thus, this obligation of diligence is composed of two elements:

i) to design technical and organisational measures for data protection;

ii) the correct introduction and implementation of these measures in order to achieve the intended purpose.

The infallibility of the measures adopted is neither required nor necessary, but merely the implementation of such measures and their suitability to the nature of the information to be protected.

In this way the Supreme Court confirms the penalty imposed by the AEPD, having found that the appealing company had no security measure in place to check whether the email address entered was real or fictitious, or whether it belonged to the person whose data was being processed. The Supreme Court emphasises that, at the time the breach was committed, systems allowing this information to be verified already existed; the state of technology at that time therefore allowed adequate measures to be taken to protect the information. The company was negligent in not applying them.
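The control the Court found missing is an ownership check on the email address before any application document is sent to it. The following is an added illustration, not code from the judgment or from the sanctioned company: the address typed on the application stays unverified until whoever controls it returns a signed, time-limited token sent there, and only a verified address may receive the application. The server secret, TTL and application identifiers are constructed for the demo.

```python
"""Email-ownership verification before application documents are released."""
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret, constructed for this demo only.
SERVER_SECRET = b"constructed-demo-secret-replace-in-production"
TOKEN_TTL_SECONDS = 3600  # confirmation link is valid for one hour


def _mac(secret: bytes, payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_verification_token(application_id, email, now=None, secret=SERVER_SECRET):
    """Token to embed in the confirmation link emailed to the stated address."""
    now = int(time.time() if now is None else now)
    expiry = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)  # makes every issued token distinct
    payload = f"{application_id}|{email.strip().lower()}|{expiry}|{nonce}"
    token = f"{payload}|{_mac(secret, payload)}"
    return base64.urlsafe_b64encode(token.encode()).decode()


def verify_token(token, application_id, email, now=None, secret=SERVER_SECRET):
    """True only if the token is intact, unexpired and bound to this applicant/address."""
    try:
        decoded = base64.urlsafe_b64decode(token.encode()).decode()
        payload, sig = decoded.rsplit("|", 1)
        app_id, addr, expiry, _nonce = payload.split("|")
        expiry = int(expiry)
    except ValueError:  # malformed, wrong field count, bad base64: fail closed
        return False
    if not hmac.compare_digest(sig, _mac(secret, payload)):
        return False  # payload altered (e.g. the email field was edited)
    now = time.time() if now is None else now
    if now > expiry:
        return False  # stale link
    return app_id == application_id and addr == email.strip().lower()


def may_send_application(application, token, now=None):
    """Gate for releasing the signed application: only to a verified address."""
    ok = verify_token(token, application["id"], application["email"], now=now)
    if ok:
        application["email_verified"] = True
    return ok
```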

The Court also points out that the fact that the breach resulted from the negligent conduct of an employee does not absolve the company of responsibility; on the contrary, it indicates that the company's data processing system was not used appropriately.


Aleix Cuadrado

Vilá Abogados


For more information, please contact:

va@vila.es


4th March 2022