publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 June 2019

LSA: UK
CSAs: IE

Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No violation

Key words: Data Breach

Summary of the Decision

Origin of the case
A third party ordered products from the Living Social website. The cost of the products was mistakenly charged to the data subject. On discovery of the error, the third party was able to access the data subject's personal data (name, email address, etc.) from Living Social's website.
The third party then contacted the data subject about what had happened. The Controller has refunded the data subject, but the data subject is not satisfied with the response, as the Controller states that it does not believe a breach has occurred.

Findings
The LSA, after consulting with the controller, reached the conclusion that no breach had taken place since the controller only stores the last two digits of credit cards in its databases and uses payment tokens instead.

Decision
No violation.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_lt_2019-05_allegedillegalpersonaldataprocessing_summarypublic.pdf

Summary Final Decision Art 60
Investigation

Imposition of a fine

Background information
Date of final decision: 16 May 2019

LSA: LT
CSAs: LV

Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Information to be provided where personal data have not been obtained from the data subject (Article 14), Responsibility of the controller (Article 24), Security of processing (Article 32), Notification of a personal data breach to the supervisory authority (Article 33), General conditions for imposing administrative fines (Article 83).

Decision: Imposition of fine

Key words: Data breach, unlawful processing, security of the processing

Summary of the Decision

Origin of the case
This case concerned the taking of screenshots by the data controller when a user made an online payment using its service. The user, however, was not notified that screenshots were being taken. The screenshots recorded personal data of the payer, such as their name and surname, numbers, recent transactions, loans, amounts, mortgages, etc. Moreover, the data controller had given access to individuals who were not authorised for that purpose and did not report the resulting data breach.

Findings
Regarding the processing of personal data in screenshots: The LSA considered that the controller's processing of the personal data went beyond what is necessary for the performance of the payment service, and that the data was also stored for longer than necessary. The controller failed to demonstrate the need to collect such an amount of personal data. The processing therefore violates the data minimisation and storage limitation principles. Moreover, users are not informed of the processing. The LSA therefore considers the processing of personal data to be unlawful.

Regarding the publicity of the personal data: Due to a security breach, unauthorised individuals had access to the data concerned, since access could be gained on the controller's website merely by using the transaction's ID number. The LSA found that the controller failed to implement appropriate technical or organisational measures to ensure data security.
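The weakness in this finding is a lookup keyed on the transaction ID alone, with no check that the requester is the payer. The following is an added illustration, not code from the decision or the controller's site; the store, the sample records and the function names are constructed. It places the unauthorised-access pattern beside a lookup bound to the authenticated user, plus unguessable IDs as a second layer.

```python
# Added example (constructed): transaction lookup by ID alone versus
# the same lookup bound to the authenticated requester.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    owner: str        # authenticated account that made the payment
    payer_name: str
    amount: str


# Constructed sample store. Sequential IDs make enumeration trivial,
# which is the situation the LSA's finding describes.
TRANSACTIONS = {
    "1001": Transaction("1001", "alice", "Alice Example", "49.90"),
    "1002": Transaction("1002", "bob", "Bob Example", "120.00"),
}


class Forbidden(Exception):
    """Raised when the requester is not the owner of the requested record."""


def lookup_vulnerable(txn_id: str) -> Optional[Transaction]:
    """The weak pattern: whoever supplies a valid ID gets the payer's data.
    There is no link between the caller's identity and the record."""
    return TRANSACTIONS.get(txn_id)


def lookup_hardened(requester: str, txn_id: str) -> Transaction:
    """Object-level authorisation: the record must belong to the requester.
    Unknown and not-owned IDs fail identically, so the endpoint does not
    reveal which IDs exist."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.owner != requester:
        raise Forbidden(f"no accessible transaction {txn_id!r} for {requester!r}")
    return txn


def new_txn_id() -> str:
    """Unguessable identifier (defence in depth; it does not replace the
    ownership check above, it only removes the easy enumeration)."""
    return secrets.token_urlsafe(16)
```

Logging the Forbidden cases per requester gives a simple signal for ID enumeration attempts against the endpoint.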

Regarding the notification of the personal data breach: The data controller failed to notify the data breach to the supervisory authority as required by Art. 33 GDPR and did not provide a sufficient explanation for that failure.

Decision
The LSA decided to impose a fine of €61,500 (2.5% of the controller's total annual worldwide turnover).

Comments
This is the first fine issued by this SA under the one-stop-shop (OSS) mechanism.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lt_2019-05_allegedillegalpersonaldataprocessing_summarypublic.pdf


publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Dismissal of the case

Background information
Date of final decision: 5 February 2020

LSA: DK
CSAs: DE-Schleswig-Holstein, FR, SE

Controller: Garnio ApS/Hobbii ApS (Garnio ApS changed its name on 8 April 2019).

Legal Reference: Right of access by the data subject (Article 15), Security of processing (Article 32), Personal data breach (Articles 33 and 34), and Tasks of the Data Protection Officer (Article 39).

Decision: Dismissal of the case

Key words: Data breach, security

Summary of the Decision

Origin of the case
The complainant requested access to his data processed by the controller. In response to this request, the controller provided the personal data of another individual. The complainant contacted the controller again about the breach, but the controller did not reply to the inquiry.

Findings
The LSA found that the data subject in this case was not entitled to complain, as the processing of personal data did not relate to that individual.

Decision
The LSA took note of the security issue and of the personal data breach that had occurred. This will be taken into consideration when planning audits.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf


publishable_de_berlin_2019-05_databreach_summarypublic_0.pdf

Summary Final Decision Art 60
Data Breach Notification

No violation

Background information
Date of final decision: 3 April 2019
LSA: DE-Berlin
CSAs: DE-Lower Saxony, UK
Controller: AWIN AG
Legal Reference: Notification of a personal data breach to the supervisory authority (Article 33), Communication of a personal data breach to the data subject (Article 34)

Decision: No violation
Key words: Data breach

Summary of the Decision
Origin of the case
The controller reported a data breach to the LSA after some laptops were stolen. The laptops contained personal data of business partners, but the majority of the laptops had encrypted hard disks.

Findings
Only 4 laptops could have contained personal data, 3 of which were located in Germany and one in the UK. The controller posted breach notifications online following the LSA's recommendations, as per Article 34(3)(c) GDPR.

Decision
The case was closed as the controller followed the recommendations of the LSA.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-05_databreach_summarypublic_0.pdf


publishable_cz_2019-08_databreach_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 26 August 2019
LSA: CZ
CSAs: All SAs
Legal Reference: Security of processing (Article 32), Notification of a personal data breach to the supervisory authority (Article 33)

Decision: Reprimand to controller
Key words: Data breach, Request for compliance, Mitigating circumstances

Summary of the Decision

Origin of the case
The complainant, a user of a website, alleged that access to their personal information had been given to another user.

Findings
The LSA found that there had been a data breach because a customer support officer accidentally copied the link to the complainant's reservation and sent it to another customer. The controller therefore infringed the obligation to adopt appropriate security measures under Art. 32 GDPR as well as the obligations set out by Art. 33 GDPR in connection with data breaches. The incident had not been reported by the customer support officer in charge, contrary to the website owner's internal regulations.
After the controller received the LSA's communication, it investigated the incident and began adapting the technical and organisational measures already in place and introducing new ones.

Decision
Also on the basis of the objections received, the LSA decided that although the controller had infringed Articles 32 and 33, imposing a fine would not have been reasonable given the mitigating circumstances, especially the fact that the isolated incident resulted from a particular employee's misconduct rather than from systemic non-compliance. Therefore, no sanctions were imposed, but a request for compliance and a reprimand regarding the infringement were sent to the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-08_databreach_summarypublic.pdf


What breaches do you need to notify the ICO about?

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

with a special emphasis on Recital 85:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

(from 2015) Rethinking Personal Data Breaches (EU)

So as the world stands still – and waits for GDPR to pass the European Parliament vote in a few days, and just before we are all hit by a wave of audit/certification/consulting firms selling their services – here’s a quick look at Personal Data Breaches.

According to Opinion 03/2014 of the Article 29 Working Party – which back in the day was just an opinion, but now carries quite a bit more muscle: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp213_en.pdf

Most people think of a data breach as an event in which data is accessed by an unauthorized person, resold on the darknet, made public by some miscreant, etc.

The Article 29 Working Party took a much more holistic view – and includes loss of integrity and timely accessibility along with the loss of confidentiality.

Opinion 03/2014 gives examples of data breaches and walks the reader through assessing the impact. While the GDPR will provide us with more details and requirements (e.g. to notify within 72 hours), the Opinion does a good job illustrating the underlying thinking.

So quoting from the Opinion:

Case 1: Four laptop computers were stolen from a “Children’s Healthcare Institute”; they stored sensitive health and social welfare data as well as other personal data concerning 2050 children.

  • Potential consequences and adverse effects of the confidentiality breach:
    The first impact is a breach of medical secrecy: the database contains intimate medical information on the children which are available to unauthorized people. [..]
  • Potential consequences and adverse effects of the availability breach: 
    It may disturb the continuity of children’s treatment leading to aggravation of the disease or a relapse. [..]
  • Potential consequences and adverse effects of the integrity breach:
    The lost data may affect the integrity of the medical records and disrupt the treatments of the children. For example, if only an old back-up of the medical records exists, all changes to the data that were made on the stolen computers will be lost, leading to corruption of the integrity of the data. The use of medical records that are not up-to-date may disrupt the continuity of children’s treatments leading to aggravation of the disease or a relapse. [..]

So the overall paradigm is a bit different than elsewhere. – It will be interesting to see how many changes were made last minute to the GDPR, but assessments like the one above should be commonplace in 2018 and beyond.