Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 26 August 2019
LSA: CZ
CSAs: All SAs
Legal Reference: Security of processing (Article 32), Notification of a personal data breach to the supervisory authority (Article 33)

Decision: Reprimand to controller
Key words: Data breach, Request for compliance, Mitigating circumstances

Summary of the Decision

Origin of the case
The complainant, a user of a website, alleged that another user had been given access to their personal information.

Findings
The LSA found that there had been a data breach because a customer support officer accidentally copied the link to the complainant’s reservation and sent it to another customer. The controller therefore infringed the obligation to adopt appropriate security measures under Article 32 GDPR as well as the obligations set out by Article 33 GDPR in connection with data breaches. The customer support officer in charge had not reported the incident, contrary to the website owner’s internal regulations.
After the controller received the LSA’s communication, they investigated the incident and began adapting their existing technical and organisational measures and introducing new ones.

Decision
Also on the basis of the objections received, the LSA decided that, although the controller had infringed Articles 32 and 33, imposing a fine would not have been reasonable given the mitigating circumstances, in particular the fact that the isolated incident resulted from a particular employee’s misconduct rather than from systemic non-compliance. Therefore, no sanctions were imposed, but a request for compliance and a reprimand regarding the infringement were sent to the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-08_databreach_summarypublic.pdf