Sending personal data by email without encryption can lead to a penalty
The communication of personal data through various means, such as e-mail, is a practice that all entities, public and private, will necessarily have to carry out at some point in time.
Although it is so commonplace that it rarely receives special attention, sending this type of data through digital channels carries risks, above all the possibility that someone intercepts the communication and, with it, the personal data.
It is therefore important to adopt security measures that prevent breaches of the confidentiality of this information: not only blocking access by third parties who could intercept these communications, but also preventing disclosure caused by sending the information to the wrong recipient.
Penalty for sending personal data by email to customers
The AEPD penalizes a pharmacy with 11,000 euros for sending personal information about its customers via email without legitimacy and without adopting security measures.
The AEPD opened an investigation after receiving a complaint from the Direcció General D'Ordenació i Regulació Sanitària de la Comunidad Autónoma de Cataluña, which, in the exercise of its powers, had carried out inspections of pharmacy offices and detected possible breaches of data protection rules in the processing of personal data of residents of geriatric centres by certain pharmacies, including alleged unlawful access to and transfers of personal health data and the exchange of personal data through unsecured electronic means.
The AEPD's investigation established that one pharmacy had granted another pharmacy access to its database of patients in residences to which the first pharmacy provided an SPD service. The second pharmacy accessed this database with passwords supplied by the first one, obtained the residents' CIP, and used it to access their electronic prescriptions and dispense diapers to the persons listed in an Excel file that the first pharmacy had also sent by e-mail. The pharmacy subsequently sent a list of the monetary contributions of the residents served, which the other pharmacy paid.
The investigation concluded, firstly, that the pharmacy's processing of personal data for dispensing diapers to the nursing homes, using the data obtained through the other pharmacy, lacked a legal basis, since the consent of the data subjects to this processing by this pharmacy had never been obtained.
It was also found that at no point did the pharmacy inform these individuals, whether through a clause or a service provision contract, about the processing of their personal data.
Finally, and as the most relevant aspect of this sanction, the AEPD penalized the sending of personal data by e-mail without security measures such as encryption of the document, consistent with some of the authority's most recent resolutions. These security measures may be provided by the e-mail provider (which must be documented); otherwise, the Data Controller must implement them.
Which articles are infringed?
For the alleged infringement of Article 6 of the GDPR, as there is no basis of legitimacy, an administrative fine of 5,000 euros is imposed.
For the alleged infringement of Article 14 of the GDPR, for breach of the duty of information and transparency, an administrative fine of 3,000 euros is imposed.
For the alleged infringement of Article 32 of the GDPR, for the communication via e-mail of personal information of residents, an administrative fine of 3,000 euros is imposed.
