CASES, SANCTIONS AND CLAIMS

  • In France, a company successfully argued the reduction of a fine imposed by CNIL by showing that it had taken measures to reduce the impact of a data breach.
  • In Greece, an oil company was fined a total of 30,000 EUR by the Data Protection Authority for failing to adopt appropriate security measures after the results of a study containing sensitive data, performed for it by a vendor, were made available online.
  • The Norwegian Data Protection Authority (Datatilsynet) intends to fine the Oslo municipality’s Education Agency for making available an insecure app for school-related communications between teachers and parents. The security vulnerability exposed the personal data of 63,000 students.
  • Read here about the steps taken by a Spanish company to minimise the risks following a data breach reported to the Spanish DPA.
  • The Estonian data protection authority announced that it has launched a personal data breach investigation into Imperal Varad OÜ. Based on preliminary information, the e-mail addresses and passwords of 27,000 customers were leaked from the advertising environment more than a year ago (the article is available only in Estonian).
  • The French DPA (CNIL) imposed a 180,000 EUR sanction on an automobile insurance intermediary for lack of security following a data breach that affected its website users.
  • The Norwegian DPA imposed a fine of 170,000 € on the Bergen Municipality, relating to computer files containing usernames and passwords for over 35,000 user accounts in the municipality’s computer system.
  • Romania: The Romanian DPA sanctioned Fan Courier Express SRL with 11,000 EUR for not implementing the technical and organisational security measures needed to prevent a data breach.
  • Romania: Royal President S.R.L. was fined 2,500 EUR by the Romanian DPA for not respecting the provisions of art. 5 paragraph (1) letter f) GDPR, art. 12 paragraphs (3) and (5) GDPR, art. 15 GDPR and art. 32 GDPR. At the same time, the data controller was ordered to implement a data breach procedure within its organisation.
  • Romania: A telecommunications company in Romania was fined for violating the principle of accuracy and for lack of technical and organisational measures to prevent the violation of confidentiality. The case refers to invoices which were mistakenly sent to another address.
  • The Bergen Municipality was fined €170,000 by the Norwegian DPA after files containing the personal data of over 35,000 pupils and employees of the municipality’s primary schools were left unprotected and openly accessible to any system user, regardless of their authorisation level.
  • The Hungarian Data Protection Authority (NAIH) imposed a fine of HUF 500,000 (approx. €1,450) on a controller for infringing its data security obligations and because the controller’s internal regulations on data breach management did not contain proper rules on reporting incidents to the DPA (available only in Hungarian here).

REPORTS AND ARTICLES FROM OTHER ORGANISATIONS

OFFICIAL GUIDELINES, REPORTS AND STATEMENTS

  • Irish DPC: Quick Guide to GDPR Breach Notifications and full Guide to Personal Data Breach Notifications under the GDPR.
  • Dutch DPA: further guidance on data breaches.
  • Polish DPA (UODO): A new guide on data breaches.
  • ENISA: Annual report on security incidents that took place in 2018 in the telecoms sector.
  • Irish DPC: second annual report, including several case studies relating to breach notifications received by the DPC concerning loss of control of paper files, a ransomware attack and disclosure of CCTV footage via social media.
  • ICO (UK): report regarding data breaches reported to the ICO by the top 150 UK law firms.
  • Irish DPC: Guidance relating to third parties accidentally in receipt of personal data relating to other individuals.
  • Spanish DPA: report on data breach notifications (the Report is available here in Spanish).
  • Guernsey DPA: report on Trends and Insights – two years of personal data breach statistics (read the full report here).
  • The Irish DPA summarizes the data breach trends in the GDPR’s first year.
  • Irish DPC (article): e-mail correspondence can be the source of a large number of data protection breaches.
  • The Danish DPA announced that it had itself suffered a personal data breach after finding that some of its paper waste containing confidential and sensitive information about citizens and employees, which should have been shredded, had been disposed of as ordinary paper waste (the press release is available in English here and the official announcement only in Danish here).