
Summary Final Decision Art 60
Data Breach Notification

No Infringement of the GDPR

Background information
Date of final decision: 17 December 2019
LSA: DE-Berlin
CSAs: BE, DE-Rhineland-Palatinate, DE-Saarland, DE-Lower Saxony, DK, ES, FR, HU, LU, NO, SE, SK DE-Berlin
Controller: Schwarzkopf-Stiftung Junges Europa
Legal Reference: Personal Data Breach (Articles 33 and 34)

Decision: No infringement of the GDPR
Key words: Personal data breach, Hacker attack

Summary of the Decision
Origin of the case
One of the controller’s member platforms was attacked with malicious code, which enabled unauthorised redirects to third-party websites. The controller immediately asked the processor to deactivate the platform.

The LSA found that appropriate security measures, such as the update of a number of software components and the request to change users’ passwords, were taken by the controller after the incident. Additionally, specific technical and organisational measures were undertaken by the controller to remedy the data breach. Such measures included automatic checks of the content uploaded by users, as well as regular manual checks of the platform activity.
The LSA found that all the security measures were appropriate. Additionally, the LSA found that a second data breach that followed did not occur because of inadequate security measures and that data breaches in the future could be avoided to a reasonable degree, based on these measures.

The LSA found that the controller complied with their obligations under the GDPR and closed the case.
