Summary Final Decision Art 60
Date of final decision: 22 June 2019
Legal Reference: Personal data breach (Articles 33 and 34)
Decision: No violation
Key words: Data Breach
Summary of the Decision
Origin of the case
A third party ordered products from the Living Social website. The cost of the products was mistakenly charged to the data subject. On discovery of the error, the third party was able to access the data subjects personal data (name, email address etc.) from Living Social’s website.
The third party then contacted the data subject regarding what had happened. The Controller has refunded the data subject, but the data subject is not satisfied with their response as the Controller states that they do not believe a breach has occurred.
The LSA, after consulting with the controller, reached the conclusion that no breach had taken place since the controller only stores the last two digits of credit cards in its databases and uses payment tokens instead.
This text has been converted automatically from the PDF available via
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
Please see also EDPB Copyright page