publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Personal data breach notification

No infringement of the GDPR

Background information
Date of final decision: 10 January 2020

LSA: UK

CSAs: AT, BE, CY, CZ, DE, DK, EE, EL, ES, FI, FR, IE, IT, HU, LT, LU, LV, MT, NL, PL, PT, SE, SI, SK

Legal Reference: Personal Data Breach (Articles 33 and 34)

Decision: No infringement of the GDPR

Key words: Data breach notification

Summary of the Decision

Origin of the case
The controller submitted a data breach notification involving 643 of its customers in the EU. A former employee accessed the customers' data and exported it with the intention of extracting money from the controller.

Findings
In the course of its investigation, the LSA found that the controller had a relevant contract in place with the service provider, as a processor. The contract provided sufficient guarantees for their processing activities. There has been no damage or distress to any of the data subjects involved in this incident and the controller did not receive any complaints as a result of the infringement.

The controller implemented two remedial measures: taking down the portals in which vulnerabilities were found, and informing the data subjects about the data breach and possible phishing attempts.

Decision
Although no infringement of the GDPR was found, the LSA issued two recommendations to the controller.
First, to implement more regular reviews of any third parties to ensure that they are meeting their contractual agreements in relation to compliance with data protection legislation, including having appropriate technical and organisational measures, confidentiality, and the processing of data only on the documented instructions of the controller, to ensure the protection of data subjects' rights.
Second, to improve password management with their service providers.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_berlin_2019-01_databreach_summarypublic.pdf

Summary Final Decision Art 60
Data breach notification

No violation

Background information
Date of final decision: 25 January 2019
LSA: DE (Berlin)
CSAs: AT, DE (Lower Saxony), FI, FR, IT, SE, NO
Controller: Delivery Hero SE
Legal Reference: Personal data breach (Articles 33 and 34), Security of processing (Article 32)

Decision: No infringement
Key words: Data Breach Notification

Summary of the Decision
Origin of the case
The controller was informed about a flaw in its service for exporting a user’s personal data. This flaw allowed a specific user to export the data of some additional users (30) from seven member states in total. To prevent further data leakage, the function for exporting a user’s personal data was temporarily disabled until the problem could be fixed. The controller notified the SA of the data breach within due time.

Findings
The controller provided all the required information and acted promptly. Following a general recommendation given by the LSA, contained in an automatic reply sent after receiving a breach notification, the affected data subjects were notified, despite the initial reasoning provided by the controller, in which it deemed that the requirements of Art. 34.1 GDPR were not met.

Decision
Taking into account that only one data recipient received the data and that the breach was properly notified, the case was closed without any corrective measures being imposed on the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-01_databreach_summarypublic.pdf