In the digital era, let's not forget about physical media: New resolution by the Spanish Data Protection Agency
On 11 November, a resolution was published by the Spanish Data Protection Agency (hereinafter, "AEPD" or "Authority") regarding a complaint filed against the City Council of Vigo (hereinafter, the "City Council") for a breach of its duty of confidentiality by sending postal envelopes with expressions that revealed the content of its notifications.
Regarding the facts of the resolution, the claimant stated that the City Council had sent him two notifications, by registered post, on which the words "DILIGENCIA DE EMBARGO" and "NOTIFICACIÓN PROVIDENCIA DE APREMIO" were visibly printed, both accompanied by a reference number. Furthermore, the claimant mentions that all previous communications in this procedure had been carried out telematically, so there was no reason to change the notification system or to make such an identification of the documents sent.
In view of this situation, the AEPD has determined that the City Council, in its capacity as data controller vis-à-vis the claimant, has breached Article 5.1.f) of the General Data Protection Regulation with respect to the obligation relating to the integrity and confidentiality that it must maintain during processing, as it has allowed persons outside the procedure to become aware of information that revealed the existence of debts and enforcement actions.
However, during the course of the proceedings against it, the City Council adopted corrective measures to address this fact by eliminating any reference to the content of its postal notifications and replacing any such expression with the generic term "Administrative Notification". The AEPD considered this measure sufficient as a corrective action.
Even though nowadays we are trying to ensure that information is housed on digital servers, resolutions such as this one remind us of the importance of safeguarding data contained on physical media. To this end, here are the most relevant aspects to consider with respect to this type of document:
- Minimisation of data and assessment of need: Do not collect papers, folders, files or other items if it is not strictly necessary. Also, avoid requesting more personal data than required for the fulfilment of the purpose.
- Secure storage and access control: If you hold personal information on physical media, ensure that you store it in areas with limited access to prevent unauthorised persons from manipulating or consulting documents containing personal data.
- Responsibility for the circulation of documents: In the event of any circulation or transport of a physical medium, send it in sealed envelopes, briefcases or other means that do not allow unauthorised third parties to know its contents. In addition, always confirm that your recipient has received the document correctly.
- Avoid duplication of information: Do not make additional copies of the same document and avoid duplicating information on both physical and digital media.
- Define time limits and secure destruction: By means of internal policies or guidelines, we recommend that you define the retention time of documents and the manner in which they will be destroyed once they are no longer needed. In addition, keeping an inventory of the physical media you store will allow you to keep better track of them.