The Spanish Data Protection Agency (AEPD) has fined the cruise company RCL Cruises LDT (Royal Caribbean) 15,000 euros for leaking personal data by mistake to third parties through emails.
And although the facts occurred in 2019, the infringement is not time-barred because it has been carried out continuously, thus violating Article 32 and 5.1.f of the General Data Protection Regulation (GDPR).
As mentioned above, the complaint was lodged on 16 October 2019 by a consumer who had contacted the cruise company to request general information.
However, days later he mistakenly received an automated email containing a document with a cruise offer addressed to an unknown person with his personal details, those of his companion and details of the trip that was the subject of the offer. The consumer replied to the email and told them that he had nothing to do with it and although the offer was cancelled, no explanation was given.
He therefore decided to lodge a complaint after questioning the security measures taken by the controller to safeguard the confidentiality of the personal data in its custody, given the company’s global prominence in the industry.
THE CASE WAS TRANSFERRED TO THE UNITED KINGDOM AS IT WAS BASED IN THE UNITED KINGDOM, BUT RETURNED TO SPAIN AFTER LEAVING THE EU.
On 20 December 2019, the case was transferred to the United Kingdom through the Internal Market Information System, which aims to promote cross-border cooperation and mutual assistance between Member States and the exchange of information exchange as RCL Cruises was headquartered there.
However, as the UK ceased to belong to the European Union in January 2021, the entity ceased to be the main establishment of the controller in the EU.
But on 23 December 2020, when they were still EU, the English data protection authority informed the AEPD that it had several cases of complaints filed in Spain on this matter, so it decided to investigate.
On 10 February 2022, the APED requested explanations from RCL Cruises as the data controller of the personal data of Spanish customers who use the website to request a quote or book a cruise within the European Economic Area.
EMAIL SENT BY MISTAKE
The cruise company said that the email was sent by mistake by one of the agents and that, after checking the database, there is no record of the complainant’s details having been shared with other customers “as the incident was a unilateral error”.
They reported that, in order to prevent a similar error from occurring in the future, the agents had been trained to detect any type of incident as soon as possible so that it could be handled and resolved quickly, providing clear explanations to those affected.
In June 2022 RCL Cruises argued that such a serious infringement was time-barred because Article 73 of Organic Law 3/2018 of 5 December on Data Protection and Guarantees of Digital Rights sets the deadline at two years.
However, the AEPD understood that the conduct could not be considered time-barred because article 30.2 of Law 40/2015 of 1 October on the Legal Regime of the Public Sector states that “in the case of continuous or permanent infringements, the period will begin to run from the end of the infringing conduct”.
And, in this case, there was a record of other complaints and the necessary measures had not been taken.
In addition, the AEPD reported that, in accordance with the Supreme Court ruling of 15 February 2022, the negligent action of the employee in the production of security does not exempt the company from liability because names and surnames appeared; that the offer was for the over 55s; its budget, which gives clues about the family’s financial solvency; and its possible date of absence from the home, which was August. .
As a result, the AEPD has fined the company 15,000 euros. 10,000 for infringing article 5.1.f, which refers to the principles relating to processing, and another 5,000 for violating article 32, which refers to the security of processing. The sanction is not final and can be appealed before the Audiencia Nacional.
They have taken into account that in 2020 a total of 1,250,000 passengers of RCL Cruises could have been affected by the failure to adopt technical and organisational measures to prevent security breaches.