The Incident (The Laptop Theft): The case originated in March 2023 when COLEGIO NUESTRA SEÑORA DE LA CARIDAD DEL COBRE (a school) notified the AEPD of a serious security breach. The school’s Pedagogical Director had her laptop stolen, which contained highly sensitive information: identifying data of parents and pupils, along with academic records that included health data (classified as a "special category" of data under GDPR).
The Victims: The breach affected approximately 450 individuals, of whom 150 were minors. This significantly elevated the level of risk and the proactive responsibility required of the school.
The Failure in Security Measures (Article 32): During the initial investigation, the school admitted that the data on the laptop was not encrypted. Although the device had a screen lock, the lack of encryption (such as BitLocker or similar) meant that any third party with basic technical knowledge could access the hard drive’s information after the theft.
The Delayed Notification (Article 34): The theft occurred on 21 March, but the school failed to formally notify the affected families until 3 May 2023—and only after the AEPD issued a formal order forcing them to do so. The GDPR mandates that when a breach poses a "high risk" to individuals, communication must be immediate.
The Appeal (Recurso de Reposición): The school attempted to challenge the €5,000 fine by submitting a late technical certificate claiming the laptop was actually encrypted. However, the AEPD rejected this evidence based on the "Doctrine of Own Acts": the school had previously admitted in writing during the investigation that they did not encrypt data because they deemed it "unnecessary." You cannot change your story once the penalty is proposed.
The Final Ruling: The AEPD upheld the sanction for the lack of security measures (Art. 32). However, they agreed to drop the sanction for the notification delay (Art. 34) due to statutory limitation (prescription); the infraction was classified as "minor," and more than a year had passed since the procedure began. The final fine was set at €3,000.
This resolution serves as a masterclass in the importance of technical evidence and response speed. Here are the mandatory steps for any educational entity or SME in Spain:
A Windows login password is not enough: a screen lock only protects the running session, not the data stored on the disk. If an employee handles data outside the office, the hard drive must be encrypted (BitLocker for Windows, FileVault for Mac).
Action: Conduct an audit of all company laptops and tablets. Issue a technical certificate documenting that 100% of devices have active encryption.
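As an added example of the audit step (this script is not part of the ANRO DIGITAL SOLUTIONS page or the AEPD resolution), the PowerShell below checks BitLocker on every fixed volume of a Windows endpoint and writes a timestamped evidence record that can back a fleet-wide encryption certificate. It uses the standard BitLocker module cmdlets (`Get-BitLockerVolume`, `Get-Volume`); the evidence directory path is an assumption. Note that it treats a volume as compliant only when it is fully encrypted *and* protection is switched on, because a fully encrypted volume with protection suspended stores its key in the clear and offers no defence against theft.

```powershell
# Added example: BitLocker evidence audit for one Windows endpoint.
# Not code from the original page. Assumes the BitLocker module
# (Windows 10/11 Pro/Enterprise or Server) and an elevated session.
#Requires -RunAsAdministrator

param(
    # Assumed location for the audit records; adjust to your inventory share.
    [string]$EvidenceDir = 'C:\Evidence\BitLocker'
)

Import-Module BitLocker -ErrorAction Stop

# Only fixed disks count towards the "100% of devices encrypted" claim;
# removable media is out of scope for this record.
$fixedLetters = (Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }).DriveLetter

$records = foreach ($vol in Get-BitLockerVolume) {
    $letter = $vol.MountPoint.TrimEnd(':', '\')
    if ($letter -notin $fixedLetters) { continue }

    # "FullyEncrypted" alone is not sufficient: ProtectionStatus 'Off' on an
    # encrypted volume means BitLocker is suspended and the key is exposed.
    $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        Hostname          = $env:COMPUTERNAME
        Timestamp         = (Get-Date).ToString('o')
        Mount             = $vol.MountPoint
        VolumeType        = $vol.VolumeType
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionMethod  = $vol.EncryptionMethod
        EncryptionPercent = $vol.EncryptionPercentage
        KeyProtectors     = ($vol.KeyProtector |
                             ForEach-Object { $_.KeyProtectorType }) -join ';'
        Compliant         = $compliant
    }
}

# Persist the record per host and run, so the certificate can cite it.
if (-not (Test-Path $EvidenceDir)) {
    New-Item -ItemType Directory -Path $EvidenceDir | Out-Null
}
$file = Join-Path $EvidenceDir ('{0}-{1:yyyyMMdd-HHmmss}.csv' -f $env:COMPUTERNAME, (Get-Date))
$records | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

$records | Format-Table Mount, VolumeStatus, ProtectionStatus, KeyProtectors, Compliant -AutoSize

# A non-zero exit code lets a management tool or scheduled task flag the device.
if ($records | Where-Object { -not $_.Compliant }) {
    Write-Warning "$env:COMPUTERNAME has a fixed volume that is not fully encrypted and protected."
    exit 1
}
exit 0
```

Run it from an elevated PowerShell prompt on each managed laptop (or push it through your endpoint management tool); the collected CSV files, one per host and run, are the inventory a technical certificate should reference, and the exit code gives you an immediate list of devices that still need remediation.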
The school lost its defense because its initial statements contradicted the evidence it tried to present later.
Protocol: In the event of a breach, never send a response to the AEPD without your DPO and technical team validating every word. Your first statement is legally binding and very difficult to retract.
Waiting for the AEPD to order you to notify victims is a guaranteed path to a maximum fine.
Action: Create a "Breach Response Kit" with email templates. If the data involves minors or health, you must notify families at the same time you notify the Agency.
This case shows that timing is a critical legal tool. The school saved €2,000 because the Agency was too slow.
Action: Ensure your legal counsel monitors AEPD deadlines strictly. If the Agency exceeds the statutory timeframe for a minor infraction, you can move to have that portion of the fine dismissed.
The weakest link is often senior staff who carry critical information on laptops for convenience.
Protocol: Implement a "Local Data Ban." Laptops should not store databases locally; they should access them via secure cloud environments or VPNs.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is for informational purposes only. For more information, consult our Legal Notice (Aviso Legal).