By Estrella Arana, Head of the Privacy and Data Protection Area.
The Spanish Data Protection Agency (“AEPD”) has imposed a fine of 70,000 Euros on a medical oncology foundation that processes health data for failing to implement sufficient security measures (Case No. EXP202416691).
The Fundación Sociedad Científica de Oncología Médica (Scientific Society of Medical Oncology Foundation, hereinafter, “FSEOM” or “the Foundation”) notified the AEPD that one of its providers had suffered a security breach that had affected the health data of around 2,600 patients who were part of an observational study led by the Foundation. Said provider was a CRO (i.e., a company that is subcontracted by the sponsor of a clinical study to manage the study) that managed the observational study as a whole and also provided technological services, supplying a mobile application (app) and the underlying technological architecture. Since the CRO acted as data processor for FSEOM, a data processing agreement was signed with it that included several annexes specifying the security measures to be applied by the provider, and the Foundation therefore considered that it had acted correctly.
The personal data breach resulted from a cyberattack on the provider’s systems, where the provider stored the email addresses of the participants in the observational study, their mobile phone numbers and various data relating to each participant’s health on its servers. As a result, the attack affected the confidentiality of their data.
Once the breach was discovered, both the Foundation and the provider worked to mitigate the consequences of the incident as quickly as possible and technical and organisational measures were implemented to prevent, to the extent possible, security incidents such as this one. These actions included notification by FSEOM, as the data controller, to both the AEPD and the people affected by the cyberattack.
An investigation was subsequently launched by the AEPD and, after analysing all the documentation and information provided by FSEOM (which included expert reports from the Asociación Nacional de Ciberseguridad y Pericia Tecnológica (National Association of Cybersecurity and Technological Expertise)), it was concluded that the fact that the provider (the processor) did not have certain measures in place at the time of the incident facilitated the personal data breach and increased its impact. The AEPD considers that the measures which would most likely have prevented the breach from occurring, or reduced its impact, were introduced by the processor itself after the event (reactively) in order to prevent a similar data breach from occurring again, but not before the incident or in accordance with the Foundation’s instructions.
The AEPD recalls that, in accordance with Article 4(8) of the GDPR, the processor is the person who “processes personal data on behalf of the controller”, and therefore considers that FSEOM, as the controller, did not have the appropriate technical or organisational measures in place to prevent an incident such as the one that occurred. Therefore, the AEPD considers that the facts constitute an infringement attributable to FSEOM for violation of Article 5(1)(f) of the GDPR (principle of integrity and confidentiality), since, as the controller, it did not ensure suitable security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.
Initially, the AEPD imposed a fine of 70,000 Euros on FSEOM, taking into account its turnover (although this is not indicated in the decision) and also considering that there were aggravating circumstances, such as:
- The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects concerned and the level of damage suffered by them (Article 83(2)(a) of the GDPR): in this regard, the unauthorised access to personal data occurred due to the lack of appropriate technical or organisational measures to prevent an incident such as the one that gave rise to these proceedings.
- The categories of personal data affected by the infringement (Article 83(2)(g) of the GDPR): as indicated, the data affected by the breach included the health data of patients participating in the observational study, and therefore special category data protected by Article 9 of the GDPR.
- The link between the activity of the offender and the performance of personal data processing (Article 76(2)(b) of the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD)): FSEOM is an organisation dedicated to collecting health data on a specific disease, so it is accustomed to processing personal data and should exercise greater diligence.
Finally, FSEOM acknowledged the infringement committed, took the necessary measures to correct the effects of its conduct and voluntarily paid the amount proposed by the Agency, so that the penalty was reduced to 42,000 Euros.
In conclusion, the AEPD has made it clear that companies (as data controllers) that contract a provider (processor) to perform a service remain responsible for the processing of personal data and must take an active role in guiding the processor on the technical and organisational measures to be implemented. In other words, having a provider and signing a data processing agreement with it does not transfer all responsibility to that entity; the controller remains responsible throughout the entire processing and must therefore also bear the consequences, which, as in this case, include paying any fines imposed by the supervisory authority.