APD/GBA (Belgium) - 33/2022
|APD/GBA (Belgium) - 33/2022|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 5(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Article 33 GDPR
Article 58(2)(a) GDPR
Article 58(2)(c) GDPR
Y1 and Y2
|National Case Number/Name:||33/2022|
|European Case Law Identifier:||n/a|
|Original Source:||APD/GBA (in FR)|
|Initial Contributor:||Solène Tobler|
The Belgian DPA held that a car dealership violated Articles 12 and 15 GDPR by not complying with an access request, as well as Articles 5(1)(f), 5(2), 24 and 32 GDPR due to a lack security measures which led to a data breach.
English Summary[edit | edit source]
Facts[edit | edit source]
After contracting for the purchase of a vehicle, the data subject received two consecutive emails from an employee of the controller, a car dealership. The first email contained the amount that the data subject still had to pay, as well as the bank account number that the transaction had to be issued to. The second email, sent from the same email address, contained a rectification, giving another bank account number to issue the transaction to.
It was only after the data subject issued the transaction to the bank account number given in the second email, that the data subject found out that the computer system of the controller had been hacked, and that the they had been the victim of a fraud, due to the usurping of the employee’s email address. The data subject reported the fraud to the police, whilst the controller also filed a report with the police for fraud and computer hacking.
On 4 May 2021, the data subject sent a subject access request to the controller, in order to know which of their personal data was being processed by the controller, and which personal data had been subjected to the computer hacking. The controller ignored the request and left it unanswered. Hence, on 8 July 2021, the data subject lodged a complaint with the Belgium DPA, for the lack of response to the access request, and for a violation of the obligation of security after a hack.
Holding[edit | edit source]
Some weeks after the events, the data subject received the report from a hired sworn-in expert stating that the server system used by the controller had indeed been subject to a cyberattack. The DPA stated that, in order to establish the existence of this cyberattack with full certainty, a judicial warrant would be necessary. However, in the opinion of the DPA, the police complaint filed by the controller for computer hacking suggests that the controller implicitly acknowledged having been a victim of a computer hacking.
The DPA noted that the data subject filed a subject access request under Article 15 GDPR, respecting the conditions set out in Article 12 GDPR. The DPA then clarified that it is the duty of the controller to provide the requested information to the data subject without undue delay, and in any case, within one month. The DPA considered that, by ignoring the access request, the controller violated Articles 12(3), 12(4), and 15(1) GDPR. Hence, it ordered the controller to provide them with a copy of all personal data held on them, specifying which data had been the subject of the computer hacking.
Firstly, the DPA emphasised that the controller is subject to the principle of integrity and confidentiality enshrined in Articles 5(1)(f) and 32 GDPR. According to this principle, the controller should ensure the security, integrity and confidentiality of the personal data held by them using appropriate technical and organisational measures, in particular against unauthorised or unlawful processing and against accidental loss, destruction or alteration of the data. Second, the DPA held that Article 32 GDPR should be read in combination with Articles 5(2), 24 and 25 GDPR. The principle of accountability, along with Article 24(1) and Article 24(2), aims at ensuring that the controller implements appropriate data protection policies proportional to the context of the data processing and the level of the potential risk.
The DPA reiterated that the controller sells luxury cars and that this involves financial transactions of relatively high value. According to the DPA, it was clear that the technical and organisational measures taken by the controller were not sufficient considering the level of the potential risk. The DPA stated that, for example, the controller could have taken measures that protect employees' e-mail addresses to prevent hacking, and consider methods that strengthen payment security or improve the communication of bank information. In conclusion, the DPA concluded that the controller violated Articles 5(1)(f), 5(2), 24 and 32 GDPR. Moreover, the DPA noted that the controller violated Article 33 GDPR by not notifying the DPA of the data breach.
The DPA issued a warning pursuant to 58(2)(a) GDPR, and ordered the controller to ordered the controller to comply with the data subject's access request by giving the requested information within 14 days, pursuant to 58(2)(c) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.
File number: DOS-2021-05171 Subject: Complaint relating to the lack of reaction on the part of the controller to a request for access and to the insufficiency of security measures, following a computer hacking The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, President, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data (hereinafter LTD); Having regard to the Rules of Procedure as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: X, hereinafter "the plaintiff", represented by Maître Geert Coene; The defendants: Y1 and Y2, hereinafter “the defendants”; I. Facts and procedure 1. On July 8, 2021, the plaintiff filed a complaint with the Data Protection Authority (hereinafter "DPA") against the defendants, for failure to react to a request for access, as well as for breach of the security obligation, following a computer hacking. 2. On December 7, 2020, the plaintiff ordered a vehicle (..) worth (.. EUR) and paid a deposit of (..EUR) to the defendants. 3. On February 4, 2021, an employee of the defendants sent an email to the plaintiff with the bank account number to which the outstanding balance was to be paid. On February 5, 2021, the plaintiff received a new email, sent from the email address of the defendants' employee, which stated that the bank account initially communicated was "bad" and informed of the new account number to which the transfer should be performed. 4. On February 8, 2021, the plaintiff informed the employee of the defendants by email that the transfer in the amount of (..EUR) had been ordered. The plaintiff's account was debited on February 9, 2021. On February 11, 2021, the defendants' employee indicated in an email that the outstanding amount had not been collected and requested proof of payment. This was attached by the complainant in an email dated February 12, 2021. 5. On March 15, 2021, the Complainant learned that he had been the victim of an online scam, the email address of the Defendants' employee having probably been spoofed. According to the complainant, the employee in question and an executive of the company admitted to having been victims of computer hacking. 6. On March 17, 2021, the complainant filed a complaint for Internet fraud with the Brussels Capital Ixelles police zone. On the same date, the director of the company lodged a complaint for fraud and piracy (hacking) on the Internet (“hoofde van oplichting met internet en hacking”)1 to the Zaventem police zone. 7. On April 28, 2021, the Complainant received a report from a sworn IT expert he had hired for this purpose: the report states that the server used by the company suffered a “major breach [...] at the beginning of 2021", that this breach "would allow, among other things, identity theft" but that in order to be able to conclude with certainty of a hacking, additional checks are required for which a judicial warrant is necessary. 8. On May 4, 2021, the plaintiff gave the defendants formal notice to communicate all the personal data concerning him at their disposal, specifying which data had been the subject of the hack. According to the plaintiff, the defendants did not respond to this formal notice. 9. On July 17, 2021, the APD's Front Line Service (SPL) declared the complaint admissible on the basis of Articles 58 and 60 of the LCA and forwarded it, pursuant to Article 62, § 1st of the LCA, in the Litigation Chamber. II. Motivation 10. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the data protection principles contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data. 11. Pursuant to Article 33, §1 of the LCA, the Litigation Chamber is the administrative litigation body of the DPA. It receives complaints that the Service de Première Ligne (SPL) forwards to it pursuant to Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60 paragraph 2 of the LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the indications necessary to identify the processing of personal data to which they relate. and which fall within the competence of the ODA. 12. Pursuant to articles 51 and s. of the GDPR and Article 4, § 1 of the LCA, it is up to the Litigation Chamber, as the DPA's administrative litigation body, to exercise effective control of the application of the GDPR and to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union. 13. The Litigation Chamber notes that the complainant raises the lack of response from the controller to the request to exercise his right of access in accordance with Article 15 of the GDPR. 14. The Litigation Chamber recalls that the data controller must respond to the request made pursuant to Articles 15 to 22 of the GDPR by the complainant, in this case a request for access provided for in Article 15 of the GDPR (exercise of the right of access), in compliance with the conditions set out in article 12 of the GDPR2. 15. The Litigation Chamber also emphasizes that it is the responsibility of the controller to provide the complainant with information on the measures taken following a request made pursuant to Articles 15 to 22 of the GDPR, as soon as possible and in all status within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and the number of requests3. In such a case, the controller shall inform the complainant of this extension and the reasons for the postponement within one month of receipt of the request 4. 16. In the event that the controller does not comply with the request made by the complainant, he shall inform the latter without delay and at the latest within one month of receipt of the request from the reasons for its inaction and the possibility of lodging a complaint with a supervisory authority and bringing a judicial remedy5. 17. On the basis of the documents supporting the complaint, the Litigation Chamber notes that the complainant exercised his right of access in accordance with Article 15 of the GDPR, but that the controller did not respond to the request of the complainant. 18. The Litigation Chamber considers that the data controller did not, prima facie, comply with Articles 12.3 and 12.4 of the GDPR, as well as Article 15.1 of the GDPR, which in this case justifies taking a decision on the basis of article 95, § 1, 5° of the LCA. 19. The Litigation Chamber orders the controller to comply with the complainant's request to exercise the right of access, and therefore to provide him with a copy of all the personal data he holds, specifying which data has is the subject of hacking. 20. Secondly, the Litigation Chamber notes the insufficiency of the security measures on the part of the defendants, pointed out by the complainant. 21. The Litigation Chamber recalls that the controller is subject to the principle of security and confidentiality enshrined in Articles 5.1.f and 32 of the GDPR. 22. Pursuant to Articles 5.1.f) and 32 of the GDPR, the controller must ensure the security, integrity and confidentiality of the personal data it holds by means of appropriate technical and organizational measures, in particular against unauthorized or unlawful processing and against accidental loss, destruction or alteration of data. 23. Recital 83 of the GDPR envisages that “[...] the controller [...] assesses the risks inherent in the processing and [implements] measures to mitigate them [...]. These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of knowledge and the costs of implementation in relation to the risks and the nature of the personal data to be protected. As part of the data security risk assessment, account should be taken of the risks posed by the processing of personal data, such as destruction, loss or alteration, unauthorized disclosure of personal data transmitted, stored or processed in any other way or unauthorized access to such data, accidentally or unlawfully, which is likely to cause physical or material damage or moral damage. ". 24. Recital 85 of the GDPR adds that "a breach of personal data risks, if we do not intervene in time and in an appropriate manner, to cause the natural persons concerned physical, material or moral damage such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or theft, financial loss, unauthorized reversal of the pseudonymisation procedure, violation of the reputation, loss of confidentiality of personal data. ". Thus, recital 87 of the GDPR invites the controller to check "whether all appropriate technical and organizational protection measures have been implemented to immediately establish whether a personal data breach has occurred and to promptly inform the supervisory authority and the data subject. » 25. Recital 39 of the GDPR reinforces the idea that “data subjects should be informed of the risks, rules, safeguards and rights related to the processing of personal data and the modalities for exercising their rights with regard to this processing [...]. ". To this end, recital 86 of the GDPR provides that "the controller [communicates] a personal data breach to the data subject without undue delay when this breach is likely to create a high risk for the rights and freedoms of the natural person so that he can take the necessary precautions. The communication should describe the nature of the personal data breach and make recommendations to the individual concerned to mitigate the potential negative effects. » 26. Recital 88 of the GDPR states that “when laying down detailed rules concerning the form and procedures applicable to the notification of personal data breaches, due account should be taken of the circumstances of such breach, including the whether or not the personal data was protected by appropriate technical protection measures, effectively limiting the likelihood of identity theft or other forms of misuse. ". 27. Next, the Litigation Chamber recalls that Article 32 GDPR must be read in conjunction with Articles 5.2, 24 and 25 of the GDPR, subjecting the controller to the principle of responsibility. 28. According to Article 24.1 of the GDPR, it is the responsibility of the controller to implement “appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the [GDPR]. These measures are reviewed and updated if necessary. ". Then, article 24.2 of the GDPR stipulates that “where this is proportionate with regard to the processing activities, the measures [mentioned in article 24.1. of the GDPR] include the implementation of appropriate data protection policies by the data controller”. 29. Recital 74 of the GDPR adds that “it is important, in particular, that the controller is required to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with the [GDPR] , including the effectiveness of the measures. These measures should take into account the nature, scope, context and purposes of the processing as well as the risk it presents to the rights and freedoms of natural persons”. 30. It is also the responsibility of the data controller, pursuant to Article 25 of the GDPR, to integrate the necessary compliance with the rules of the GDPR upstream of his acts and procedures (for example, to provide for measures which protect the electronic address of employees in order to avoid computer hacking; consider methods that reinforce the security of payments or the communication of bank details; etc.). 31. Ultimately, the data controller is required, on the basis of Article 32 of the GDPR, to ensure the security of the processing, "taking into account the state of knowledge, the costs of implementation and the nature , the scope, context and purposes of the processing as well as the risks, the degree of likelihood and severity of which vary, for the rights and freedoms of natural persons”. In the absence of appropriate measures to secure the personal data of the persons concerned, the effectiveness of the fundamental rights to privacy and to the protection of personal data cannot be guaranteed, a fortiori in view of the crucial role played by information and communication technologies in our society. 32. Based on the factual elements present in the file, the Litigation Division finds that: at. the controller organized the communication of bank details by sending an e-mail so that the complainant could finalize his purchase; b. the complainant was the victim of an online scam, the email address of the employee of the controller having probably been usurped; vs. the report of a sworn IT expert indicates that the server used by the controller was the subject of a "major breach [...] at the start of 2021", that this breach "would allow, among others, identity theft” although in order to be able to conclude with certainty of hacking, additional checks are required for which a judicial warrant is necessary; d. the complaint filed by the data controller for fraud and hacking on the Internet suggests that the data controller implicitly acknowledges having been the victim of computer hacking; e. the usurpation of the email address of the employee of the controller caused the complainant material damage which resulted in a financial loss of a value of (.. EUR).33. The Litigation Chamber notes a failure to respect the principles of security and responsibility on the part of the data controller. Indeed, the Litigation Chamber underlines the absence of sufficient technical and organizational measures envisaged by the controller to regulate the secure communication of bank details and thus guarantee secure payment. As a reminder, the data controller sells sports and luxury cars, which involves financial transactions of a relatively high value; that appropriate and effective measures should be implemented by the data controller to ensure the security of the processing. In addition, the data controller must also be able to demonstrate the compliance of the processing activities. 34. The Litigation Chamber also notes that no data leak notification was made by the defendants to the DPA, in violation of Article 33 of the GDPR. 35. In view of the aforementioned examination, the Litigation Chamber considers that the controller did not, prima facie, comply with Articles 5.1.f and 5.2 of the GDPR, as well as Articles 24 and 32 of the GDPR, which justifies in this case proceeding to take a decision on the basis of Article 95, § 1, 4° of the LCA. The Litigation Chamber warns the defendant within the meaning of Article 58.2.a) of the GDPR, that in the absence of compliance of its IT system with its obligation to ensure the security of processing, it would place itself at odds with its security obligation within the meaning of the GDPR. 36. This decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant, within the framework of the "procedure prior to the substantive decision", to be distinguished from a decision on the merits of the Litigation Chamber within the meaning of article 100 of the LCA. 37. The purpose of this decision is to inform the controller of the fact that he may have violated the provisions of the GDPR and to enable him to still comply with the aforementioned provisions. 38. If, however, the data controller does not agree with the content of this prima facie decision and considers that he can put forward factual and/or legal arguments which could lead to another decision, he ci can send the Litigation Chamber a request for processing on the merits of the case via the e-mail address email@example.com, within 14 days of notification of this decision. If necessary, the execution of this decision is suspended for the above-mentioned period. 39. In the event of further processing of the case on the merits, by virtue of articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and to attach to the file all the documents they deem useful. If necessary, this decision is definitively suspended. With a view to transparency, the Litigation Chamber finally underlines that a treatment of the case on the merits can lead to the imposition of the measures mentioned in article 100 of the LCA6. 40. If one of the two parties wishes to make use of the possibility of consulting and copying the file (art. 95, § 2, 3° of the LCA), it must contact the secretariat of the Litigation Chamber, preferably via the e-mail address firstname.lastname@example.org, in order to set up an appointment. you. If a copy of the file is requested, the documents will be sent electronically or by ordinary mail if possible7. III. Publication of the decision 41. Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority8. However, it is not necessary for this purpose that the identification data of the parties be directly communicated. FOR THESE REASONS, The Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the controller for processing on the merits, in accordance with Articles 98 e.s. of the ACL: - to order the data controller, pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to comply with the complainant's request to exercise his rights , more specifically his right of access (art. 15.1 of the GDPR) and to provide the complainant with the information requested ("communicate all the data available to [the controller], specifying which data must have been the subject of the hacking “) also on the basis of article 95, § 1, 6° of the LCA, and this within the period of 14 days from the notification of this decision; - to order the controller to inform the Data Protection Authority (Litigation Chamber) by e-mail of the outcome of this decision within the same period via the e-mail address email@example.com; and - to issue a warning to the data controller pursuant to Article 58.2.a) of the GDPR and Article 95, § 1, 4° of the LCA that he places himself at odds with of the GDPR in the event of non-compliance in the future of its IT system with its security obligation - if the data controller does not comply in good time with what is requested of him above, to deal with the substance of the case ex officio, in accordance with Articles 98 e.s. of the ACL. Under Article 108, § 1 of the LCA, this decision may be appealed to the Court of Markets within thirty days of its notification, with the Data Protection Authority. given as a defendant. (Sé). Hielke Hijmans President of the Litigation Chamber