
Summary Final Decision Art 60
Data breach notification

No violation

Background information
Date of final decision: 25 January 2019
LSA: DE (Berlin)
CSAs: AT, DE (Lower Saxony), FI, FR, IT, SE, NO
Controller: Delivery Hero SE
Legal Reference: Personal data breach (Articles 33 and 34), Security of processing (Article 32)

Decision: No infringement
Key words: Data Breach Notification

Summary of the Decision
Origin of the case
The controller was informed about a flaw in its service for exporting a user’s personal data. This flaw allowed one specific user to export the data of 30 additional users from a total of seven member states. To prevent further data leakage, the function for exporting a user’s personal data was temporarily disabled until the problem could be fixed. The controller notified the SA of the data breach within due time.

Findings
The controller provided all the required information and acted promptly. Following a general recommendation given by the LSA in the automatic reply sent on receipt of a breach notification, the affected data subjects were notified, even though the controller had initially reasoned that the requirements of Art. 34.1 GDPR were not met.

Decision
Taking into account that only one data recipient received the data and that the breach was properly notified, the case was closed without any corrective measures being imposed on the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-01_databreach_summarypublic.pdf

Please see also EDPB Copyright page