The ways of the Lord, and the criteria of the AEPD, are inscrutable. Today we will see how two very similar cases yield radically different results, thanks to the interpretative criteria of the Spanish Data Protection Agency (AEPD).

Case #1: By mistake, a mobile phone company e-mails a customer's invoice to a different customer. The data disclosed in error includes: name and surname; NIF; address; postcode; town; bank; bank account number (ten digits); itemised calls by phone number.

Case #2: By mistake, a mobile handset repair shop hands a particular customer a pendrive containing the backups of seven phones other than their own. The data disclosed in error includes: name and surname of each phone's holder, personal photos, the personal address book with the phone numbers, e-mails and addresses in the contacts list, calls made and received, and SMS messages sent and received.

What differentiates the two cases? In the first, the mobile phone company is the controller of a file under the Organic Law on Data Protection (LOPD) and answers for the breaches it commits. In the second, however, the customer is not the controller of any file, because files kept by individuals in the course of exclusively personal or domestic activities are excluded from the scope of the data protection act (article 2.2 of the LOPD). This is logical and understandable. It makes no sense for a latin lover to inform his conquests that their data will be incorporated into a file under his responsibility (though perhaps in that case it would actually be defensible), but if each of us had to comply with the data protection act for the data of our relatives, friends and acquaintances, we would surely have to lock ourselves up at home.

And what about the mobile handset repair shop? Is it not liable for its negligence? Well, no. For the AEPD, since the law does not apply to the owner of the file, the processing of that personal address book that the shop carries out on the owner's instructions is not subject to the law either, nor to any sanction under the LOPD.

Had the shop used the data for its own purposes, it would indeed have been liable for processing data without consent; but since what it did was breach the duty of secrecy with respect to the seven people whose privacy it harmed, the AEPD considers that no sanction is to be imposed. The mobile phone company in the first case, however, was fined EUR 6,000, cash on the nail. What does this mean? To give a few examples, it implies the following: a Spanish e-mail service (e.g. @telefonica.net) would not have to apply any security measures to a hypothetical database of the recipient addresses of its customers' e-mails. Likewise, if @telefonica.net suffered a security incident affecting those data, it would bear no responsibility. An online address-book service aimed at individuals would not have to comply with any of the security measures in the regulation. And a myriad of other examples.

Is the AEPD's criterion correct? Clearly it is not. The files received by the complainant in the second case also include personal data specific to the shop's own customers, which are indeed the shop's responsibility and should be protected by the data protection act. Nevertheless, the AEPD's repeated criterion does not yield even to a duly reasoned appeal. That said, the criteria of the AEPD are inscrutable and we are not worthy of calling them into question.