publishable_de_baden-wurttemberg_2020-01_personal_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Data Breach Notification

No infringement of the GDPR

Background information
Date of final decision: 27 January 2020
LSA: DE-Baden-Wuerttemberg
CSAs: All SAs
Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No infringement of the GDPR
Key words: Personal data breach, Phishing emails

Summary of the Decision
Origin of the case
The controller stated that a phishing attack had been launched on their central servers. The email address of a subsidiary’s manager had been compromised and used to send phishing emails to employees and clients.

Findings
The LSA found that the controller had carried out an investigation and a risk assessment of the breach, before communicating it to the LSA within 72 hours of becoming aware of it, as well as to the data subjects. Further, the password of the affected account was immediately changed. They also stated that the employees had been informed about the phishing attempt.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_baden-wurttemberg_2020-01_personal_data_breach_summarypublic.pdf