What?

My recent professional experience has taught me that a data breach is no longer a data breach and, therefore, data protection is no longer a burden for your company. Confused by the title of this article? That’s because you haven’t read Resolution E/01135/2021 from Spain's Agencia Española de Protección de Datos (AEPD). That resolution gives a new meaning to the word «confused».

Data Breach: Context needed

Customer A asked the phone and Internet provider Company B to install the contracted services in his/her new flat. Company B promptly completed the administrative tasks and sent an SMS to Customer A, summoning him/her to the agreed place for the installation on Day X.

Only Almighty God knows why, but Company B also sent an SMS to Mr/Ms D with all the details of the contract: Customer A’s new address, type of installation, and time slot. Why? No idea…

Mr/Ms D sent a funny message to Customer A, saying «Now I know where you live». The tone was not creepy at all, just a joke. But…

What If… A Data Breach can be a serious issue

What if Mr/Ms D were a disgruntled ex-partner, known for his/her violent behavior toward his/her ex-partner? Fortunately, that was not the case, but still… A data breach can lead to a very dangerous situation: data protection rules must be followed because, most of the time, the worst-case scenario is just around the corner.

Data Breach? Are you sure?

The Complaint

Customer A sent a formal complaint to the Agencia Española de Protección de Datos, telling them that, as far as he/she was concerned, disclosing personal information to an unauthorized third party is a violation of the GDPR.

Surprise! No Data Breach found

The Agencia expressly resolved the matter, stating (translated from the Spanish): «The identification of infringements, whether for a breach of security measures or for a breach of the duty of confidentiality, is generally linked to cases in which documentation containing personal data has been exposed outside the scope of protection provided by the premises where the data are processed, or to a finding that the processed data have been observed by third parties; in the present case there is no sufficient documentary evidence from which to infer a breach of the duty of confidentiality, or that the technical and organisational measures applied by the controller are not appropriate to ensure a level of security appropriate to the risk.»

For the purpose of avoiding a data breach, my suggestion is: don’t even try to translate it. I am a Spanish speaker and I don’t have a clue about what that s**t really means!

Conclusions

As a result of the AEPD's interpretation, sending an SMS with a customer's personal information to an unauthorized party is no longer a data breach.

You’re welcome 😉

Lastly, would you like to know more about this absurd story? Drop us a line and we’ll be happy to share the full details with you. We’re in Alicante, but, hey, your city ain’t that bad either… 😉