CASES, SANCTIONS AND CLAIMS
- (2019, Mar) The Bergen Municipality was fined with €170,000 by the Norwegian DPA after files containing the personal data of over 35,000 pupils and employees of the municipality’s primary schools were left unprotected and openly accessible for any system user regardless of type of authorization.
- (2019, Apr) In France, a company successfully argued the reduction of a fine imposed by CNIL by showing that it had taken measures to reduce the impact of a data breach.
- (2019, Apr) In Greece an oil company was fined a total of 30,000 EUR by the Data Protection Authority for failing to adopt appropriate security measures after the results of a study containing sensitive data performed for it by a vendor was made available online.
- (2019, Jul) The Norwegian Data Protection Authority (Datatilsynet) intends to fine the Oslo municipality’s Education Agency for making available an unsafe app for school-related communications between teachers and parents. The security vulnerability endangered the personal data of 63,000 students.
- (2019, Jul) French DPA (CNIL) applies 180,000 Eur sanction to an automobile insurance intermediary for lack of security following a data breach which affected its website users.
- (2019, Nov) Romania: The Romanian DPA sanctioned Fan Courier Express SRL with 11,000 EUR for not implementing technical and organizational security measures in order prevent data breach.
- (2019, Nov) Romania: Royal President S.R.L. has been fined with a 2,500 EUR by the Romanian DPA for not respecting the provisions of art. 5 paragraph (1) letter f) GDPR, art. 12 paragraph (3) and paragraph (5) GDPR, art. 15 GDPR and art. 32 GDPR. At the same time, the data controller has been obliged to implement a data breach procedure within its organization.
- (2019, Dec) Romania: A telecommunications company in Romania was fined for violating the principle of accuracy and for lack of technical and organisational measures to prevent the violation of confidentiality. The case refers to invoices which were mistakenly sent to another address.
- (2020, Jan) The Hungarian Data Protection Authority (NAIH) imposed a fine of HUF 500,000 (approx. €1,450) on a controller due to the infringement of data security obligations and because of the fact that the controller’s internal regulations on data breach management did not contain proper rules on the reporting of incidents to the DPA (available only in Hungarian here).
- (2020, Feb) Read here about the steps taken by a Spanish company to minimise the risks following a data breach reported to the Spanish DPA.
- (2020, Aug) The Estonian data protection authority announced it launched a data personal breach investigation into Imperal Varad OÜ. Based on the preliminary information, it is known that the e-mail addresses and passwords of 27,000 customers have been leaked from the advertising environment more than a year ago (the article is available only in Estonian).
- (2020, Oct) The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.
- (2020, Oct) ICO fined British Airways £20m for data breach affecting more than 400,000 customers.
REPORTS AND ARTICLES FROM OTHER ORGANISATIONS
- (2019, Jun) Revision/Legal: Data Breach Litigation: Theories of Damages in Data Breach Cases.
- (2020, Jul) IBM Security published a Report on Cost of a Data Breach.
- (2020, Aug) Kirsten Whitfield: What are the latest GDPR security breach enforcement trends?
- (2020, Oct) Juridice: Data breach notification under E-privacy Directive and General Data Protection Regulation.
OFFICIAL GUIDELINES, REPORTS AND STATEMENTS
- (2019, Jun) NISA: Annual report on security incidents that took place in 2018 in the telecoms sector.
- (2019, Jun) Polish DPA (UODO): A new guide on data breaches.
- (2019, Jul) Dutch DPA: further guidance on data breaches.
- (2019, Aug) Irish DPC: Quick Guide to GDPR Breach Notifications and full Guide to Personal Data Breach Notifications under the GDPR.
- (2019, Oct) The Irish DPA summarizes the data breach trends in the GDPR’s first year.
- Irish DPC: second annual report including several case studies relating to breach notifications received to the DPC on loss of control of paper files, a ransomware attack and disclosure of CCTV footage via social media.
- (2020, Mar) ICO (UK): report regarding data breaches reported to the ICO by the top 150 UK law firms.
- (2020, May) Irish DP (article): e-mail correspondence can be the source of a large number of data protection breaches.
- (2020, Jul) Spanish DPA: report on data breach notifications (the Report is available here in Spanish).
- (2020, Aug) Irish DPC: Guidance relating to third parties accidentally in receipt of personal data relating to other individuals.
- (2020) Guernsey DPA: report on Trends and Insights – two years of personal data breach statistics (read the full report here).
- (2020, Aug) The Danish DPA announced that it had itself suffered a personal data breach after finding that some of its paper waste containing confidential and sensitive information about citizens and employees, which should have been shredded, had been disposed of as ordinary paper waste (the press release available in English here and the official announcement available only in Danish here).
- (2020, Oct) ENISA published a report on Data Breach from January 2019 to April 2020 (ENISA Threat Landscape).
