A slap on the wrist to the Treasury for sending a taxpayer’s tax data to her nephew by mistake

by time news

2023-10-09 13:13:10

The Spanish Data Protection Agency (AEPD) had to give a wake-up call to the Tax Agency after this body mistakenly sent a taxpayer's tax data to her nephew, whom she had not authorized as a representative. The Treasury had notified him of the opening of the disciplinary file against his aunt because he was incorrectly listed as her successor in the databases.

The affected party filed a claim with the Tax Agency itself and also with the AEPD, considering that the privacy of her personal data was being violated.

In October 2022, the taxpayer sent the Treasury a letter to inform it of the error it had made when sending her tax information to her nephew, a relative with whom she had no relationship. The nephew did the same and also informed the entity of this misunderstanding, clarifying that in no case did he represent his aunt. The nephew, in reality, was the successor of the taxpayer's deceased mother, that is, his grandmother, but the Tax Agency had confused the mother's DNI with that of her daughter. At the end of that month, this body contacted her wife to inform her of the rectification of the error, with the annulment of the sanctioning file.

The claim before the AEPD continued its course, and the agency opened a sanctioning procedure for these events. In its response, the Treasury maintains that its notification and communications system is secure and that the mistake in sending occurred earlier, due to a specific human error caused by a confusion in the agency's registry of successors. “Specific human errors cannot be controlled,” it said in its response.

The Tax Agency also argued that the General Data Protection Regulation (GDPR) does not require absolute security, but rather requires that appropriate measures be applied that guarantee an adequate level of security. It insisted that the error occurred due to human action and not due to lack of diligence, since it acted as quickly as possible to correct the mistake as soon as it became aware of it.

Finally, the AEPD considered that two serious infractions occurred and imposed the penalty of a warning, which is the sanction included in the regulations for public administration entities. First, by allowing a third party to access the taxpayer's personal data, the agency breached the duty of confidentiality, which involves avoiding data leaks not consented to by the data's owners. The AEPD reiterates that this duty applies not only to the agency as the party responsible for and in charge of the processing, but to any person or entity that intervenes at any phase of the data processing. Second, it considers that the due diligence required of the technical and organizational measures to guarantee the principle of confidentiality established in the regulations has not been complied with, since a security breach of personal data occurred.

Although it recognizes that the GDPR does not detail a list of the measures that must be applied, the resolution recalls that these must be appropriate and proportionate to the risk posed by the processing of personal data. However, it recognizes that the Tax Agency has updated information technology risk analysis and annual plans, and it positively valued the agency's commitment to carry out internal awareness campaigns to prevent this type of human error from occurring again.
