It is very possible that it is due to the greater awareness of our rights to privacy and personal data, although it certainly also has to do with the increase in situations likely to give rise to a claim. The truth is that the Spanish Data Protection Agency (AEPD) has published its Annual Report and it turns out that in 2021 13,905 claims were filed with the Agency, an increase of 35% compared to 2020. This figure rises to 14,571 including cross-border cases, cases in which the Agency acts on its own initiative and security failures referred for inspection.
In many cases, these actions have had to do with the response to be posed to data protection challenges related to the pandemic, such as the use of applications with health information, the COVID passport itself, restrictions on access to certain spaces for reasons of discrimination based on vaccination... but what is ordinary at the Agency is to supervise those situations in which data is processed and the protection of privacy is compromised.
And when someone complains, does anything happen? At least, in 2021, resolved complaints have increased by 35% (14,098) compared to the previous year (10,443), a very remarkable figure that has allowed pending complaints from previous years to be resolved without a significant increase in average resolution times. To give you an idea, last year the average resolution time was approximately two months.
Regarding ordinary complaints, the most frequently raised by citizens in 2021 correspond to internet services (16%), video surveillance (12%), reception of advertising (except spam) (11%) and improper insertion in delinquency files (9%). Regarding sanctioning procedures, 585 were completed, 49% more than in 2021. The most frequent areas in sanctioning procedures are video surveillance (25%), internet services (22%), and advertising via email or mobile phone (9%).
Not all sanctions, however, end in a financial fine. There were 264, the overall amount of which amounted to more than 35 million euros. There have been more sanctions and, consequently, more fines. The fact that more complex cases are being dealt with also adds to this.
Also noteworthy is the smaller increase (4%) in notifications of personal data breaches made to the Agency, 1,647 notifications in 2021, but only 76 have been serious. The most frequent personal data breaches are those caused by cyber incidents of external/malicious origin and, within this type of incident, ransomware is the most repeated. In parallel, cases in which the encryption of data and/or systems is preceded by an information leak and its sale on the internet/darkweb continue to increase.
