📌 Facts
• 📅 Security Incident: On May 11, 2023, the company sent an encrypted USB key by postal mail containing the personal data of 143 individuals, including payment information.
• ❗ Major Error: The decryption key was included in the same envelope, compromising the data's security.
o The mail was returned empty, without the code or the USB key, which likely indicates loss or theft.
🔎 Identified Failures
• Violation of Article 32 of the GDPR: Failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
o ❌ Code sent in the same package as the encrypted USB key.
o ❌ Lack of effective procedures to prevent this type of incident.
🧯 Measures Taken by the Insurance Company
• 📄 Internal procedures in place (prohibiting sending USB keys with the code).
• 💻 Regular employee training on security.
• 👥 Awareness-raising with the responsible employee.
• 🔍 Dark web monitoring to detect possible fraudulent use of the data.
• 📩 Notification to the affected individuals.
• 📈 Follow-up by the DPO and cybersecurity team.
• 📨 Change of transport provider (SEUR replaced by Correos).
⚖️ Sanction
• 💸 Initial Fine: €100,000
• ✅ Reduced Fine for Voluntary Payment: €80,000
• ✅ No admission of responsibility
• 📆 Fine was paid on June 17, 2024, closing the procedure.
📢 Corrective Measures Imposed
• The insurance company and SEUR must notify, within two months, the concrete steps taken to ensure data confidentiality, restore data access, and verify the effectiveness of technical measures.