EL PAÍS launched an investigation into pedophilia in the Spanish Church in 2018 and has a data base updated with all known cases. If you know of any case that has not seen the light, you can write to us at: [email protected]. If it is a case in Latin America, the address is: [email protected].
───────────
The Spanish Episcopal Conference (CEE) published on its website between December and January, for at least 18 days, the identity of 45 victims of pedophilia in the Church and the details of their cases in a document that was supposed to be confidential, part of the report the audit commissioned by the law firm Cremades & Calvo-Sotelo. He then removed it, but this newspaper has confirmed that even four months later it was still traceable and accessible on the internet. EL PAÍS verified it before a notary on April 18 and then, on April 22, reported it to the Spanish Data Protection Agency (AEPD) to order it deleted, so that the document can no longer be located. The AEPD confirmed that until that moment no one had notified it and given the seriousness of the events, it sent a precautionary measure order to the company that manages the servers that still contained the information to remove this highly sensitive content. And it has finally been complied with this month. The EEC and the law firm blame each other for what happened.
According to the law, when a security breach occurs, the person responsible for the incident must notify the AEPD within 72 hours of becoming aware of it, and even warn those affected when extremely sensitive data is involved. The AEPD, for the moment, does not make assessments on the facts, nor does it clarify whether it will open an investigation into the actions of the bishops. He will do so if he receives a complaint about what happened, although sometimes he also does so ex officio after learning the details of the incident through the press.
The leaked information revealed the personal data of 45 people and the content of the complaints they reported to the Cremades & Calvo-Sotelo law firm. The document includes the names and surnames of the victims, and, among other details, a brief account of the events, the date and place in which they occurred, the age the victims were when they were attacked and the type of abuse they suffered.
The Cremades & Calvo-Sotelo office was commissioned by the CEE in 2022 to prepare an internal audit on pedophilia in the Church and, after speaking with victims who contacted its work team, it selected 45 valid testimonies for the study. . Their data and details were included in a table in an annex to their final report, delivered to the bishops last December. The EEC made this study public on its website on December 20, in a press release that included a 956-page PDF, a version that did not include the confidential data annex. However, later, at some point, the EEC modified its statement and published the PDF of another version of the audit, with a different cover and 984 pages, which included this sensitive data. Until he realized the mistake and removed it. But he did not inform the AEPD. And in reality it did not properly manage the deletion of the data either: this newspaper has verified that the document remained on the EEC website at least until December 28 and, what’s more, it has continued to be traceable on the internet for four months, until this month of May, and this is how this newspaper located it.
The versions of what happened from the EEC and the law firm clash. The episcopal entity blames the law firm, although the information was posted on its website. He explains that the firm submitted its audit on December 16, but then, “throughout the week,” he does not specify the date, it sent “a second version of the audit report, with the mandate that this new version be uploaded to the website, replacing the previous one, as the office considers it the definitive version”, and assures that this was done on December 22. This explanation does not clarify why, in any case, the two versions made public by the EEC, the first and the final one, only apparently differ in that annex with reserved information and otherwise seem identical. That is to say, why would the law firm demand the replacement of a document with another identical document with the only addition of private information that could not be disclosed.
In any case, the bishops attribute responsibility for the ruling to the legal firm, and add: “On December 23, the Cremades & Calvo-Sotelo firm, warning and acknowledging its error, detected that, at the end of the second version of the audit report submitted, after the bibliography, data appeared on a series of people who were not included in the first version of the report.” The EEC assures that it then “did everything possible to resolve the incident, quickly taking the relevant technical and organizational measures, and removing the access links.” Management that, in reality, was carried out poorly, because the document remained accessible.
The Madrid law firm, consulted in this regard, explains that it is the EEC that made the mistake by making changes to its press release and replacing a report without confidential data, which was originally there, with another where it had not been deleted. He points out that it was the office itself that discovered it when consulting the episcopal website and notified the bishops on December 23 in the afternoon. He assures that he warned the director of communications of the EEC, Josetxo Vera, and the deputy secretary for Economic Affairs, Fernando Giménez Barriocanal. The EEC withdrew the PDF with confidential information and replaced it with the other version. However, the office assures, another link from the bishops’ website that continued to lead to the PDF with information on the victims was not removed. The law firm discovered it, again, as stated in its account of what happened. It was on January 9, when doing a Google search and still came across the reserved document. That is, the sensitive information was on the bishops’ website for at least 18 days. The office had to notify the EEC again, which again rushed to delete that link as well, the office says. But on that occasion no careful work was done to effectively suppress access to private data, since the document has continued to be accessible until this month on some servers that had already copied it, as this newspaper has verified. For its part, the AEPD invites victims or anyone who may find private data to report it on the entity’s website, through the priority notification channel.
The EEC, which is the one who disclosed the private data, risks facing serious consequences for this incident. Both on the part of the Spanish Data Protection Agency, which can open an investigation and impose a sanction, and on the part of the victims themselves, who can take legal action. According to article 33 of the General Data Protection Regulation, when a serious leak of personal data that affects fundamental rights is discovered, as in this case, it must be immediately reported to the competent authority, the AEPD. According to the standard, “it must be done without delay and within the next 72 hours at the latest.” Furthermore, according to article 34, those affected must be informed as soon as possible, “without undue delay”, when it is likely to entail a high risk for their rights and freedoms. It’s two things which the EEC has not done, as confirmed by the public entity and some of the victims who appear on the list, who have found out what happened from this newspaper.
Fines of hundreds of thousands of euros
For all this, the EEC may risk a fine, the amount of which may be high. The law provides for penalties of between 300,000 and 20 million euros, but the maximum figure has never been reached. For reference, the airline Air Europa was punished in 2021 with two fines from the AEPD for a total of 600,000 euros, after a security breach that affected the personal and banking data of thousands of users. The first fine was 100,000 euros, due to the type of data leaked, but the second was 500,000 euros, precisely because the company did not communicate the problem to the AEPD within 72 hours of it being discovered, as required. Air Europa took 41 days to do it. The EEC, as of today, more than four months later, has still not notified the authority.
The CEE, for its part, assures that “in relation to the data contained in the audit report, responsibility for them corresponds to the Cremades & Calvo-Sotelo office, which is the one that sent the information to the Spanish Episcopal Conference, requesting its publication to this, and without at any time warning the Episcopal Conference of its existence or that it did not have the authorization of those affected for its publication. It also states that “it is legally the responsibility” of the firm to adopt measures to protect the confidentiality of the data, “given that the ownership of the personal data file corresponds to the firm (…), and they are responsible to third parties, including those affected.” , the AEPD and the Episcopal Conference itself.” Finally, the EEC maintains that it cannot contact the people who appear in the document: “Your contact is confidential information that we neither know nor can use.”
As for the victims affected by the leak, 20 had already contacted this newspaper in the past to report their cases. When several of them were consulted about whether they had knowledge of what happened to their data, all of them declared that they had not been warned and were considering legal action. Some of those affected who appear in the leaked documentation expressly declare in the text that they are concerned about their story being made public, since not even their family knows that they suffered abuse. One of them is a priest and in one of the cases the victim is still a minor today. Some of the testimonies contain intimate details of the moment of the attack and also the harsh consequences that they have carried for life: sexual, emotional, and work problems.
All of these people signed a document provided by the firm detailing how they would process their data: “The personal information you provide us will only be accessed by professionals from the firm or collaborators with whom the corresponding confidentiality agreements have been reached and established. guarantees for the protection of information. If applicable, it could be provided to the Spanish Episcopal Conference for the audit.”
The incident occurred in the context of the controversial and hasty maneuvers that the EEC carried out in December to try to overshadow and detract from the audit of Cremades & Calvo-Sotelo, which was critical of the Church and has indicated 1,383 complaints and at least 2,056 victims, a figure that the bishops did not want to acknowledge. It all begins on December 20, when the firm delivered its long-awaited report to the bishops. Unusually, the bishops did not present it to the media and, instead, the next day they released a document of their own, called to give light, which reduced the number of complaints to 806 and considered the majority not credible. That study, as EL PAÍS later revealed, turned out to be a literal copy and paste of a provisional report, incomplete and full of gaps that leaked its information to the bishops. mole in the Cremades audit, Alfredo Dagnino, who was fired from the firm for this. Dagnino’s internal document, with its controversial classification of cases as proven or unproven, can be consulted at the end of this article. The outraged victims have rejected that report.
But the errors did not stop there. Then the leak of the victims’ personal data occurred, when disseminating the Cremades audit. The EEC did so on December 21 with a discreet press release and a download link with the document. The next day that statement was replaced by another, but here the error occurred: when adding the document that could be downloaded, the version with the victims’ data was placed.
Subscribe to continue reading
Read without limits
_
#bishops #mistakenly #disclosed #identity #details #sexual #assaults #victims #pedophilia #Church