Post by nijhumnishita033 on Jan 10, 2024 21:52:02 GMT 10
On February 15, the Supreme Court issued an important ruling on the protection of personal data. The Third Chamber has determined that companies must adopt technical and organizational measures that, in accordance with the state of technology, reasonably allow them to avoid the loss or alteration of their clients' personal data. Now, said obligation is, in any case, an obligation of means, not of result. The fact that it was the negligent actions of an employee that caused the security breach does not exempt the company from liability.
In obligations of means, the obligor undertakes to carry out his activity with due diligence. Logically, if everything is done well, the expected result should follow: in this case, that there will be no leaks of customer data. However, there may be events that are beyond the company's control. If it has implemented all the necessary measures, it will not have to answer for them.

The case

Regarding the issue of data protection, in the ruling analyzed here there are two opposing positions: on the one hand, that of the State, which conceives the matter as an obligation of result. It advocates sanctioning in all cases the production of a harmful result. On the other hand, there is Commcenter, official and exclusive distributor of Movistar, which claims to have implemented sufficient protection measures and thereby aims to avoid the fine imposed by the Spanish Data Protection Agency (AEPD).
Well, the Court confirms the sanction of 40,000 euros imposed by the AEPD. It considers that the distributor is responsible for a serious infringement by allowing unauthorized access by third parties to at least 14 financing applications in which personal data of the clients appeared (name and surname, financial data, direct debit data and signature).

However, on the issue of whether data protection should be considered an obligation of means or results, the Supreme Court leans towards the first option. This has important repercussions: for example, it implies that failures in security measures that may be committed by employees of a legal entity will not be attributed to it as long as it has adopted all possible prevention measures.