Spanish Data Authority Fines Data Processor for Failure to Assess and Address Risks of Security Breach

Written by Achieved Compliance

The Spanish data protection authority (AEPD) recently fined I-DE Redes Electricas Inteligentes (I-DE) 3 million euros for the company's failure to assess its risk of a security breach. The AEPD found that I-DE, acting as the processor of Iberdrola Group's data, violated Articles 5(1)(f) and 32 of the GDPR. In doing so, the AEPD emphasized the data processor's responsibility to secure the data shared with it, its obligation to conduct security risk assessments, and the need to implement preventive measures to address the identified risk. The AEPD also noted that the measures taken must be commensurate with the nature of the risk and that remedial, after-the-fact measures alone are insufficient.

I-DE is a brand of Iberdrola Group, serving as its energy distribution arm. On March 15, 2022, I-DE detected an attack on its GEA portal, which manages service connections for the electric distribution network. On March 28, 2022, I-DE informed other companies in the Iberdrola Group about the breach. Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA reported to the AEPD that the personal data of 92,550 and 1,515,000 clients, respectively, was affected. This data included names, email addresses, phone numbers, addresses, ID card numbers, and client codes. The affected clients were notified by April 1, 2022.

The AEPD noted that I-DE is a processor under Article 4(8) GDPR because it provides IT and maintenance services to the Iberdrola Group. It found that the Iberdrola companies act as controllers of their clients' data.

The Analysis and Findings

Analysis revealed that the breach resulted in the leak of personal data of 1.35 million clients, including names, email addresses, phone numbers, addresses, ID card numbers, and client codes. In proceedings initiated by the AEPD, I-DE argued that the cyberattacker, not the processor, was responsible for the spread of the breach from I-DE's system to other companies. It further argued that it had complied with Article 32 of the GDPR, highlighting that the company had implemented breach detection measures and that those measures had enabled it to detect the breach almost immediately.

The AEPD recognized that I-DE was the victim of a cyberattack, but held that being a victim was not, by itself, a defence. The AEPD also found that the company's quick action to remedy the problem was insufficient on its own. To meet GDPR requirements, companies must implement not only remedial measures but also preventive measures proportionate to the risk identified beforehand.

If you'd like to implement measures to meet GDPR requirements and assess your risk of a security breach, contact Achieved Compliance today to schedule your complimentary consultation.
