publishable_de-berlin_2019_12_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Data Breach Notification

No Infringement of the GDPR

Background information
Date of final decision: 17 December 2019
LSA: DE-Berlin
CSAs: BE, DE-Rhineland-Palatinate, DE-Saarland, DE-Lower Saxony, DK, ES, FR, HU, LU, NO, SE, SK DE-Berlin
Controller: Schwarzkopf-Stiftung Junges Europa
Legal Reference: Personal Data Breach (Articles 33 and 34)

Decision: No infringement of the GDPR
Key words: Personal data breach, Hacker attack

Summary of the Decision
Origin of the case
One of the controller’s member platforms was attacked with malicious code, which enabled unauthorised redirects to third-party websites. The controller immediately asked the processor to deactivate the platform.

Findings
The LSA found that appropriate security measures, such as updating a number of software components and requesting that users change their passwords, were taken by the controller after the incident. Additionally, specific technical and organisational measures were undertaken by the controller to remedy the data breach. Such measures included automatic checks of the content uploaded by users, as well as regular manual checks of the platform activity.
The LSA found that all the security measures were appropriate. Additionally, the LSA found that a second data breach that followed did not occur because of inadequate security measures and that data breaches in the future could be avoided to a reasonable degree, based on these measures.

Decision
The LSA found that the controller complied with their obligations under the GDPR and closed the case.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-berlin_2019_12_data_breach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_baden-wurttemberg_2020-01_personal_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Data Breach Notification

No infringement of the GDPR

Background information
Date of final decision: 27 January 2020
LSA: DE-Baden-Wuerttemberg
CSAs: All SAs
Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No infringement of the GDPR
Key words: Personal data breach, Phishing emails

Summary of the Decision
Origin of the case
The controller stated that a phishing attack had been launched on their central servers. The email address of a subsidiary’s manager had been compromised and used to send phishing emails to employees and clients.

Findings
The LSA found that the controller had carried out an investigation and a risk assessment of the breach, before communicating it to the LSA within 72 hours of becoming aware of it, as well as to the data subjects. Further, the password of the affected account was immediately changed. They also stated that the employees had been informed about the phishing attempt.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_baden-wurttemberg_2020-01_personal_data_breach_summarypublic.pdf
