Date: 2022-03-22

The Spanish Data Protection Agency (AEPD) has presented its 2021 reports summarizing the most relevant activities and decisions of this body, “its management figures, and an analysis of trends and the challenges facing this fundamental right”.

The fine figures stand out: they have tripled compared to 2020, and security breaches have marked many of these fines. The Agency says that one of its main challenges in 2021 was to ensure that the Covid Certificate, which was so prominent at various moments of our lives last year (and this year), always complies with data protection regulation.

Specifically, in terms of fines imposed, the average amount has tripled compared to the previous year and, taking all fines together, the total money raised has increased by 337%. According to the Spanish Data Protection Agency itself, data breaches are at the center of many of the infringement cases.

Phishing and ransomware are key

Various causes have led to these fines, but the AEPD highlights the role that data breaches play in many of the companies' infractions. According to the information provided by the Agency, those data breaches can in particular trigger future phishing and ransomware attacks.

We can also highlight the investigations carried out as a result of various security incidents, such as the ransomware attack suffered by a private entity, which encrypted many of its services, made them unavailable and was accompanied by data exfiltration. The Agency also recalls a phishing attack on the employees of a city hall. Another featured fine was due to human error: a company emailed applicants for a job offer the complete list of applicants with their personal data.

In 2021, personal data breaches caused by cyber incidents of external origin were more prominent than any other cause. “Within this type of incident, ransomware is the most repeated, and cases continue to increase in which the encryption of data is preceded by an exfiltration of information and its sale” on the Dark Web.

Record fines in 2021

Key moments in 2021 are worth remembering, such as CaixaBank’s fine of 6 million euros for forcing the transfer of its clients' personal data. In the 2021 reports, the Agency addresses this again, recalling that the sanction came after considering that “the procedures through which it obtains consent from its clients to create profiles for commercial purposes do not comply with the GDPR”, since clients are not informed of the processing they are consenting to.

In October, the AEPD fined a sports club in Córdoba 4,000 euros for adding a former member to a WhatsApp group for commercial purposes without her permission, ten years after the relationship between the two had ended and without guaranteeing the confidentiality of her personal information, according to the judgment in this case.

In March 2021, Vodafone received a new “record fine” of 8.1 million euros for disregarding data protection and not stopping commercial actions when asked.