publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Personal data breach notification

No infringement of the GDPR

Background information
Date of final decision 10 January 2020

LSA: UK

CSAs: AT, BE, CY, CZ, DE, DK, EE, EL, ES, FI, FR, IE, IT, HU, LT, LU, LV, MT, NL, PL, PT, SE, SI, SK

Legal Reference: Personal Data Breach (Articles 33 and 34)

Decision: No infringement of the GDPR

Key words: Data breach notification

Summary of the Decision

Origin of the case
The controller reported a data breach notification involving 643 of their customers in the EU. The former ex-employee accessed the customers data and exported them with the intention of extracting money from the controller.

Findings
In the course of its investigation, the LSA found that the controller had a relevant contract in place with the service provider, as a processor. The contract provided sufficient guarantees for their processing activities. There has been no damage or distress to any of the data subjects involved in this incident and the controller did not receive any complaints as a result of the infringement.

The controller implemented two remedial measures, by taking down the portals for which vulnerabilities were found, and by informing the data subjects about the data breach and possible phishing attempts.

Decision
Although no infringement to the GDPR was found, the LSA issued two recommendations to the controller.
First, to implement more regular reviews of any third parties to ensure that they are meeting their contractual agreements in relation to compliance with data protection legislation including having appropriate technical and organisational measures, confidentiality and the processing of data only on the documented instructions of the controller to ensure the protection of data subjects rights.
Second, to improve password management with their service providers.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

Please see also EDPB Copyright page