FACUA reports the Board of Alhambra to Spain's Data Protection Agency for leaving visitors' data exposed

Information on 4.5 million people who visited the monumental complex and almost a thousand travel agencies was left publicly exposed due to a failure in the official ticket booking website.


FACUA-Consumers in Action has reported the Board of the Alhambra and Generalife to Spain's Data Protection Agency (AEPD, by its Spanish initials) for leaving the personal and financial data of 4.5 million visitors and almost a thousand travel agencies exposed due to a failure on the official ticket booking website. As published by El Confidencial this Wednesday, information such as DNI numbers (the Spanish national identity document), telephone numbers and bank account details, names and surnames, passwords, email addresses and postal addresses had been publicly accessible for two years.

In its report, the association recalls that under current European legislation (Regulation (EU) 2016/679, Article 6) personal data may only be processed if the data subject has given consent, or if the processing is necessary to perform a contract, comply with a legal obligation, protect the vital interests of the data subject or of another person, or carry out a task in the public interest.

Likewise, FACUA points out that infringements "that entail a substantial violation" of the aforementioned Article 6 of the EU Regulation are classed as "very serious" under Article 72 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.

Moreover, Article 32 of the same EU Regulation states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". According to the information published this Wednesday, the Board's technology provider is Hiberus Technology, which uses a ticket sales system called lacpos, but in a completely outdated version that lacked the relevant security measures.

In its written statement, the association also points out that the Board, once it became aware of the irregularity, should have notified the AEPD and informed every user who could be affected. Article 33 of the EU Regulation requires the controller to notify the supervisory authority "not later than 72 hours after having become aware of it, [...] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons", and Article 34 requires affected data subjects to be informed without undue delay where the breach is likely to result in a high risk to them.