Old data, deficient contracts and a 300,000 euro penalty
Security breach and data exposure
In the summer of 2023, a technology company and service provider to an asset management company suffered a ransomware-type cyberattack. The breach not only compromised the security of its systems, but also took with it the asset management company's information, including sensitive data of former employees who had left the company more than ten years ago. Names, IDs and other personal data were exposed in a vulnerable environment.
Insufficient contracts and the controller's obligations
When the Spanish Data Protection Agency (AEPD) investigated the case, it discovered something even more worrying: not only had the confidentiality and availability of the data been put at risk, but the contract between the asset management company (the controller) and its data processor was also insufficient, because it was limited to generic clauses that did not detail the security measures to be applied or the retention periods for the information. In other words, the controller had allowed old data to remain unnecessarily in the hands of its supplier, where it became a weak point exploited by the attack.
The AEPD was not convinced by the controller's arguments: neither the reference to tax obligations nor the mere formal existence of a contract was sufficient to avoid liability. The authority was clear in recalling that it is not enough to reproduce standard formulas in a contract; it is essential to expressly define which measures are to be adopted, how they are to be applied and for how long the data will be kept. Otherwise, the controller is in breach of its obligation to actively supervise, instruct and control its data processors.
The sanction and its consequences
The result was a forceful one: a fine of 300,000 euros (250,000 euros for breach of the principle of integrity and confidentiality and 50,000 euros for deficiencies in the contract with the processor). With the reductions for voluntary payment and acknowledgement of liability, the figure could be reduced to €180,000, but the lesson was clear: data that is retained beyond what is necessary and contracts that are empty of content not only increase the risk, but sooner or later end up being very expensive.
