HDPA (Greece) - Decision 18/2024
From GDPRhub
| HDPA - Decision 18/2024 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(f) GDPR Article 25(1) GDPR Article 28(3) GDPR Article 32 GDPR Article 33(4) GDPR Article 34(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 01.08.2024 |
| Fine: | 20,000 EUR |
| Parties: | Municipality of Alimos |
| National Case Number/Name: | Decision 18/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | lm |
The DPA found that a controller and processor had an inadequate contract and security measures after a webpage vulnerability breached thousands of files to unauthorised internet users. The DPA fined the controller €20,000.
English Summary
Facts
A data subject filed a complaint with the Greek DPA (HDPA) concerning a data breach by the Municipality of Alimos (the controller). Files containing personal data of citizens of the municipality were easily accessible by any internet user that changed the last five-digit number in the website’s URL address.
The HDPA’s investigation confirmed the accessibility of the files. It found that out of the 45,000 files made available, 1200 were accessed by unauthorised third parties. The vulnerability existed from 12 June 2023 until the day of the breach notification.
The controller serviced a processor for implementation of the webpage and its online services. The controller claimed that the vulnerability was created because the processor activated an incorrect version of the web application. The processor traced the issue to a software upgrade, but noted that no other municipalities implementing the same processing approach were affected. The controller also stated that during its initial investigation, the processor failed to respond to its requests for clarification.
The controller informed the HDPA that it had taken corrective measures and removed the files. However, the same issue recurred three times, every time the application was ‘corrected’ and reset. Following numerous defective tests of the application, an order was issued to shut down the application, which was finally reopened on 3 November 2023 after the data subject’s hearing and after the verification of necessary corrections by the processor were completed. The processor also completed an audit of affected data subjects, which the controller subsequently used to inform the data subjects individually.
Holding
The HDPA held that the controller infringed Articles Article 5(1)(f), 32, 25(1), 28(3), 33(4) and 34(1) GDPR. The processor violated Articles 32 and 28(3) GDPR. It fined the controller €20,000.
The HDPA began by finding that there were not sufficient steps in place to detect a personal data breach in a timely manner, such as with regular monitoring. Indeed, neither the controller nor processor learned of the breach until they were informed by the HDPA following the data subject’s complaint. Given the recurrence of the breach incident on three separate occasions, the HDPA also found that there was no immediately effective response to the incident. As a result of these shortcomings, the HDPA found that the controller and processor both infringed Article 32 GDPR due to inadequate security measures. It also found that the controller violated Article 5(1)(f) GDPR.
The HDPA inspected the contract between the controller and processor in detail, and found it inadequate under Article 28 GDPR. The contract did not detail the processor’s obligations towards the controller concerning the processing of personal data in the application. It also did not require a management policy to ensure that changes to applications do not create security vulnerabilities. The HDPA noted that the processor was delayed in responding to the controller’s requests for information concerning the breach, but it also considered that the controller failed to provide evidence showing the steps it took to obtain the information from the processor as soon as possible. It held that both the controller and processor thus violated Article 28(3) GDPR. In addition, the HDPA held that the controller infringed Article 25(1) GDPR because it lacked measures to address various risks to personal data from the planning stage.
The HDPA found that the controller’s notification of the breach to data subjects infringed Article 33(4) GDPR. First, the controller erred in its initial assessment that the communication of the incident to data subjects was not required. While the controller’s data protection officer recommended notification of the incident to affected persons in July 2023 upon discovery of the breach, the controller did not inform data subjects until October 2023. Furthermore, the information it provided to data subjects failed to list the types of personal data affected. The controller also didn’t update the HDPA concerning the details of the notification, as required by Article 34(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, July 5, 2024 No. Prot. 1828 DECISION 18/2024 The Personal Data Protection Authority met at the invitation of its President through a conference, on 23/01/2024, postponing the meetings from 05/12/2023 and 19/12/2023, in order to consider the case, mentioned below in the history of this decision. The President of the Authority, Konstantinos Menudakos, and the regular members of the Authority, Konstantinos Lambrinoudakis as speaker, Spyridon Vlachopoulos, Charalambos Anthopoulos, Christos Kalloniatis, Aikaterini Iliadou and Grigorios Tsolias were present. Present without the right to vote were Konstantinos Limniotis and Aikaterini Hatzidiakou, IT auditors, as assistant rapporteurs and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/4615/20-06-2023 complaint, A (hereinafter "complainant") reported to the Authority an incident of data breach concerning the unauthorized access by internet users to easily accessible files with personal data of citizens of the Municipality of Alimos . Specifically, according to the complaint, files with personal data of citizens of the Municipality of Alimos were easily accessible by any user through the website "...", by changing the last five-digit number that appears in the relevant electronic (URL) address. The Authority found that the above complaint is well founded and for confirmation the Authority's auditors, in the context of investigating the complaint, "downloaded" a large number of files with personal data of citizens of the Municipality of Alimos from 1-3 Kifisias Ave., 11523 Athens T: 210 6475 600 E: contact@dpa.gr www.dpa.more link. The Authority informed on 06-21-2023 by e-mail the Municipality of Alimos (hereinafter "controller") about the above incident of violation and then the controller submitted to the Authority, based on Regulation (EU) 2016/679 (General Regulation) of Data Protection – hereinafter GDPR), the no. prot. C/EIS/4715/23-06-2023 notification of an incident of violation and the no. prot. C/EIS/4749/26-06-2023 his response to the incident. The Authority, after examining the above relevant notification and the relevant reply document, sent the no. prot. C/EXE/1649/27-06-2023 document to the controller, requesting a more detailed description of the incident of violation with all relevant information regarding the actions taken from the moment of notification and from now on, the security measures, any notification of the incident to the affected data subjects, the period of time for which this vulnerability existed in the system, as well as the risk assessment on the part of the controller. With the above document, the Authority requested the data controller to send the full contract with the company "TEST INFORMATION SYSTEMS O.E." (hereinafter "processor") with which the controller was contracted for the implementation and support of the relevant online services. On 03-07-2023, and while the data controller had already informed the Authority that he had taken corrective actions and therefore the files of the data controller were no longer easily accessible by unauthorized users (something which the Authority had also established), the complainant informed the Authority, with the no. prot. C/EIS/4916/03-07-2023 document, that the vulnerability continued to exist and essentially the same problem reappeared, even though it initially seemed to have been addressed. Due to this, the Authority immediately contacted, by telephone, the person in charge of the data processing, who was informed about this in order to take immediate action to deal with the incident of violation (as it did, after the relevant websites from which they were unauthorized access to data is possible). Subsequently, the data controller responded with the document number C/EIS/5144/12-207-2023 which includes the following: The application in which the vulnerability was detected is located at the electronic address (url) "...", while access to the citizen files of the Municipality of Alimos is via the electronic address (url) "...". Due to an upgrade of the application to a new version of the software, which had been put into test mode in the production environment, a security gap was created which was the cause of the incident in question. As can be seen from the log file of the accesses to the files of the Municipality of Alimos ("..."), increased access to the files of the Municipality of Alimos from two specific IP addresses was found and the application was closed. By checking the above log, it was found that 1200 files were accessed out of the total 45000 available in the application. A total of approximately 3800 unauthorized access attempts were made, most of which failed or involved the same file. The vulnerability existed for the period from 12-06-2023 when the test function of the new version of the application was implemented until 21-06-2023, the day of the notification of the data breach incident. After various technical implementations to make the application functional and secure, the controller finally decided to use tokens. Through this process a user in order to be able to access and/or "download" a file must either be their own and therefore have uploaded it themselves to the application, or be a user of the application from the Municipality's side Alimos. Through the token controlled by the application, the user is identified and the roles assigned to him are checked. 1 One of the two IP addresses that appear to have gained extensive unauthorized access to the files of the citizens of the Municipality of Alimos corresponds to a computer used by an Authority auditor in the context of investigating the above complaint 3 He did not notify the affected persons of the data breach incident , taking into account the following criteria: o The application was in test mode after the upgrade. o The time period in which the vulnerability was detected was short. o The number of files affected was small. o The data of the files hosted in the specific application are considered simple in nature. o Immediate corrective action was taken. o The risks arising from the specific incident of breach are characterized as small. Also, the controller submitted a contract between him and the processor, in article 11 of which reference is made to the obligations of the contracting parties in order to comply with the applicable legislation and relevant decisions of the Personal Data Protection Authority in relation to the protection of personal data, while in article 5 of this it is stated that the processor takes the appropriate measures to preserve the confidentiality of the information that has been classified as such. Subsequently, the Authority, after examining the above response, requested with the no. prot. C/EXE/1783/13-07-2023 document additional clarifications and a more detailed description regarding the security gap that was created, the way in which the above security incident occurred, the way to monitor the newest version of the application during the trial in question period, the policy, which is generally followed to ensure the changes that occur in the information systems, the reason for the reactivation of the application (which the complainant indicated in his second document) without the necessary measures for the protection of personal data having been taken, as well as a description of the way of investigating the due to a breach incident. In addition, with the above document, the Authority requested clarifications regarding the issue of access characterized as unauthorized, whether the interruption of the use of the application raises issues of availability of files and related services to citizens and, finally, if and how the subjects are affected of the 4data from the breach in question and therefore whether they need to be informed. In addition, the Authority with no. prot. C/EXE/1785/13-07-2023 document, requested clarifications from the processor regarding the policy followed in cases of upgrading existing software, in which environment the changes take place, if the specific security gap affects others controllers to whom the executor offers similar services and what their actions are in case of an affirmative answer. Subsequently, with the no. prot. C/EIS/5330/19-07-2023 his document, the complainant again informed the Authority that the records of the Municipality of Alimos were again easily accessible by unauthorized users in exactly the same way (as well as the Authority also found). Following this, the Authority issued the no. Decision 28/2023 (Individual Body) by which it imposed a temporary order that the data controller take any necessary action to limit the free access of internet users to files of the controller's application and that the files with personal data of application users are available only to properly authorized users or the data subjects without being easily accessible by other unauthorized users. As established by the Authority, after receiving the temporary injunction, the data controller disabled the possibility of unlawful access to personal data (the relevant websites were disabled). Subsequently, the data controller replied with the no. prot. C/EIS/5840/10- 08-2023 document on some of the clarifications requested by the Authority with its above document as follows: A security gap was created by activating the incorrect version of the application, which is due to the internal configuration management procedures of the operator processing. In particular, the code of the previous version had been preserved with elements of the newer software developed. The interruption of the operation of the application affected only the electronic services and not the version of the files hosted by the application through requests with the physical presence of the citizens. 5 In relation to the remaining clarifications, the controller expected assistance from the processor. Subsequently, after a period of more than a month, during which there was no other response to the Authority, the Authority sent the no. prot. G/EXE/2378/21-09-2023 and no. prot. C/EXE/2379/21-09-2023 documents to remind the controller and the processor, respectively. Following this, the processor responded with document no. Γ/ΕΙΣ/6731/25-09-2023, in which the following are mentioned: There is no recorded change management policy for the software developed by the company. In case of changes, the following steps are informally followed: o Inform the customer that the application is down (usually during non-productive hours) o Shut down the application o Install a new version of the application o Run a new application o Check for correct operation Testing of changes is usually carried out on internal servers, while in more complex cases related to security issues these are done directly in a production environment. Most of the applications developed by the company are later and more secure than the application used by the data controller to request and issue digital certificates. This application also works in the Municipality of Keratsini and in the Municipality of Voula - Vari - Vouliagmeni. The software upgrade does not appear to have affected these controllers. In addition, the storage space of the files and the settings of the application are different in each case. The processor continues to carry out tests to ensure that the above municipalities have not been affected. Finally, the processor replied with the no. prot.G/EIS/6875/02-10-2023 document with which he provided additional clarifications, regarding the volume of 6 files to which unauthorized access was obtained and from which web addresses this was done. Also, the processing manager reiterates that the relevant functionality, which finally allowed the non- authorized access to data, was enabled for testing done as part of an app upgrade, and also points out that anyone looking at the source code of the app's website could guess how they would gain unauthorized access to the data. In addition, it was found that the breach eventually exposed data controller records such as police ID cards which can be easily used in identity theft incidents in online environments. Finally, the data controller repeats the claims he made in no. prot. C/EIS/5144/12-07-2023 his document regarding the technical solution adopted to deal with the disputed vulnerability, as well as that despite continuous complaints to the processor, all the clarifications about the incident in question had not yet been received by the time the above document was sent. It is also pointed out that all the responses of the controller to the Authority, as described above, were submitted by the Data Protection Officer (DPO) of the Municipality. In the last document, it is also stated that the DPO recommended the data controller to announce the incident in question to the data subjects. Following the examination of the information in the file, the Authority sent documents no. prot. C/EXE/2554/12-10-2023 and C/EXE/2553/12-10-2023 calls to the data controller and the processor respectively in order to discuss the case in question before the Plenary Session of the Authority on Tuesday, October 24, 2023. said meeting, which took place via video conference, was present on behalf of the data controller, B, General Secretary of the Municipality, Maria Marioli, lawyer with AMDSA ..., Advisor to the Mayor, on behalf of the company KaPa Data Consulting, which performs DPO duties of the data controller processor, Konstantina Ithakisiou, lawyer, with AMDSA ..., and C, external partner of the company, and on behalf of the processor, the legal representatives of the company D and E in order to provide clarifications on the case in question 7. After the meeting, the controller and the processor were given a deadline to submit a memorandum. Subsequently, the data controller submitted, within the set deadline, the no. prot. C/EIS/7936/07-11-2023 memorandum, after supplementary no. prot. G/EIS/7983/09-11-2023 and G/EIS/8105/14-11-2023 documents. With his memorandum, the data controller essentially repeated the allegations he raised before the Authority. Specifically in the memorandum it is stated that, from 12-09-2022, a contract has been concluded between the data controller and the processor for the purpose of maintaining the online digital platform related to the management of digital certificates for the data controller's citizens and businesses, taking, among other things, appropriate technical measures to safeguard the confidentiality of the information. It is further stated that upon the discovery of the unauthorized access to the data controller's records, an investigation into the incident was immediately initiated. Following faulty tests to restart the application, the order was given to stop the operation of the application, which finally restarted on 03-11-2023 (i.e. after the hearing of the data controller before the Authority), after the control and the necessary corrections by the part of the processor were completed. In addition, in the same memorandum the data controller states that the data processor has provided it with the data of the control concerning all the data subjects affected by the data breach in question, with the aim of informing them on a personal level and not on a general basis update/notice, giving priority to data subjects for whom there has been unauthorized access to police ID or passport data. In particular, the data controller sent an e-mail message to the affected persons informing them of the incident – while the template of such an information letter was subsequently submitted to the Authority with no. prot. G/EIS/7983/09-11-2023 document. As can be seen from the document in question, the data controller informed the data subjects of an incident of cyber-attack and breach of the security of the Municipality's information systems by unauthorized users during which an attempt was made to extract random files in bulk, which also contained files with their personal data. The above information also includes the information that the controller has taken the necessary actions to correct the above incident, as well as that he has also informed the Authority. Furthermore, according to no. prot. C/EIS/8105/14-11-2023 document, the unauthorized access to files concerned approximately nine hundred (900) data subjects – users of the controller's services. Of the above files, 150 related to identity cards or passports of a total of 148 subjects, who were informed by a letter sent to them via email on 03-11-2023 by the data controller. Finally, in this document it is stated that the process of informing the rest of the affected subjects is ongoing. The processor did not submit a special memorandum after the hearing. It is noted, however, as above under no. C/EIS/7936/07-11-2023 memorandum of the controller, describes the changes to the software that took place by the processor on the platform to ensure and safeguard the data so that it is not possible for a user to "download" files another person. The Authority, after examining the elements of the file and those resulting from the hearing before it and the memorandum of the data controller, with its supplementary documents, after hearing the rapporteur and the clarifications from the assistant rapporteurs, who were present without the right to vote, after a thorough discussion, CONSIDERED ACCORDING TO THE LAW 1. Of the provisions of articles 51 and 55 of the GDPR and article 9 of law 4624/2019 (Government Gazette A' 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations concerning the protection of the individual from the processing of personal data. 2. According to point 12 of Article 4 of the GDPR, "9 personal data breach: the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or submitted otherwise processed". 3. According to Article 5 para. 1 point f of the GDPR, "personal data are processed in a way that guarantees the appropriate security of personal data, including their protection against unauthorized or illegal processing and accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality")." 4. According to the definitions of Article 24 of the GDPR: "1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying probability of occurrence and severity for the rights and freedoms of natural persons, the controller applies appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with this regulation. These measures are reviewed and updated when deemed necessary. 2. Where justified in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.' 5. According to the definitions of Article 25 of the GDPR: "1. Taking into account the latest developments, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity to the rights and freedoms of natural persons from the processing, the controller effectively implements, both at the time of determining the means of processing and at the time of processing, appropriate technical and organizational measures, such as pseudonymization, designed to implement data protection principles, such as data minimization, and the integration of the necessary guarantees in the processing in such a way as to meet the requirements of this regulation and to protect the rights of the data subjects. 6. According to the definitions of Article 28 of the GDPR: "1. Where the processing is to be carried out on behalf of a controller, the controller shall only use processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of this Regulation and ensures the protection of data subjects. rights of the data subject. 2. (…) 3. The processing by the processor is governed by a contract or other legal act governed by Union or Member State law, which binds the processor in relation to the controller and determines the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. The said contract or other legal act provides in particular that the processor: (…) c) takes all the necessary measures pursuant to article 32 (…) f) assists the controller in ensuring compliance with the obligations arising from the articles 32 to 36, taking into account the nature of the processing and the information available to the processor (…), h) makes available to the data controller all necessary information to demonstrate compliance with the obligations established in this article and allows and facilitates audits, including inspections, carried out by the controller or another controller commissioned by the controller. 7. According to the definitions of Article 31 of the GDPR: "The controller and the processor and, where appropriate, their representatives shall cooperate, upon request, with the supervisory authority in the exercise of its duties." 8. According to the definitions of article 32 of the GDPR: "1. Taking into account the latest developments, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity for the rights and 11 freedoms of natural persons, the controller and the executor the processing implement appropriate technical and organizational measures in order to ensure the appropriate level of security against risks, including, among others, as appropriate: a) the pseudonymization and encryption of personal data, b) the ability to ensure confidentiality, integrity, availability and reliability of processing systems and services on an ongoing basis, c) the possibility of restoring the availability and access to personal data in a timely manner in the event of a physical or technical event, d) a procedure for the regular testing, assessment and evaluation of effectiveness of the technical and organizational measures to ensure the security of the processing. 2. When assessing the appropriate level of security, particular consideration shall be given to the risks deriving from processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed . 3. (…) 4. The controller and the processor shall take measures to ensure that any natural person acting under the supervision of the controller or the processor who has access to personal data only processes it on instructions of the controller, unless required to do so by Union or Member State law." 9. According to the definitions of article 33 of the GDPR: "1. In the event of a personal data breach, the data controller shall notify the supervisory authority competent in accordance with Article 55 without delay and, if possible, within 72 hours of becoming aware of the personal data breach, unless the personal data breach may not cause a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. 2. The processor informs the controller immediately, as soon as it becomes aware of a breach of 12 personal data. 3. The notification referred to in paragraph 1 shall at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects, as well as the categories and the approximate number of affected personal data files, b) announces the name and contact details of the data protection officer or other point of contact from which more information can be obtained, c) describes the possible consequences of the personal data breach, d) describes received or proposed to taking measures by the data controller to deal with the breach of personal data, as well as, where appropriate, measures to mitigate any adverse consequences thereof. 4. In the event that it is not possible to provide the information at once, it may be provided gradually without undue delay. 5. The data controller documents each personal data breach, consisting of the facts concerning the personal data breach, the consequences and the corrective measures taken. Such documentation shall enable the supervisory authority to verify compliance with this Article. 10. According to the definitions of Article 34 of the GDPR: "1. When the personal data breach may put the rights and freedoms of natural persons at high risk, the data controller shall immediately notify the data subject of the personal data breach. 2. The notification to the data subject referred to in paragraph 1 of this article clearly describes the nature of the personal data breach character and contain at least the information and measures referred to in Article 33 paragraph 3 items b), c) and d). 3. The notification to the data subject referred to in paragraph 1 is not required if any of the following conditions are met: a) the controller has implemented appropriate technical and organizational measures 13 of protection, and these measures have been applied to the data affected by the breach of a personal nature, in particular measures that make the personal data unintelligible to those not authorized to access it, such as encryption, b) the controller has subsequently taken measures that ensure that the high referred to in paragraph 1 is no longer likely to occur risk to the rights and freedoms of the data subjects, c) requires disproportionate efforts. In this case, a public announcement is made instead or there is a similar measure by which the data subjects are informed in an equally effective way. 4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may, having considered the possibility of a high risk arising from the personal data breach, ask him to do so or may decide that any of the conditions referred to in paragraph 3 are met." 11. In this case, it appears from the data in the case file that for the processing in question, sufficient security measures were not taken from the beginning by design in relation to the corresponding risks to the rights and freedoms of natural persons, but neither were they in place procedures for checking the effectiveness of existing security measures. Specifically: Appropriate technical and organizational measures had not been put in place in order to ensure the confidentiality of the personal data affected by the said incident of data breach and which concern citizen requests of the data controller for various issues. As it follows from the description of the incident of violation, unauthorized users could obtain and / or obtained access to personal data of citizens of the data controller, which includes, among others, copies of police identifications, responsible declarations of natural persons with completed 14 all fields with personal data requested by responsible declaration form (such as full name, patronymic, matronly name, date of birth, postal/e-mail address, VAT number, etc.), driving licenses, etc. As can also be seen from the present history, unauthorized access was quite easy, since a user with basic technical knowledge of creating web pages could easily "recognize" that this particular vulnerability exists. There do not appear to have been sufficient control points to detect this type of personal data breach in time, such as regular monitoring, evaluation and assessment of the files where accesses to files with personal data of citizens of the specific application (logs) are recorded, in order to detect non-"suspicious » behaviors (i.e. user actions that could be interpreted as unauthorized access or attempted unauthorized access). This is also confirmed by the fact that the breach of personal data was not noticed by the data controller, nor by the person performing the processing, even when he was first informed by the Authority following a complaint. This actually happened on all three (3) different occasions when the relevant vulnerability existed and, therefore, a corresponding incident of data breach took place. The same breach occurred three (3) times, each time a new version of the application was activated. Therefore, there was no immediate effective response to the incident. In particular, its treatment was temporary, since it consisted in the complete deactivation of the relevant website, which did not allow the citizens of the controller to use the said online service: however, each new activation of the website still carried the same vulnerability – and this happened , as mentioned above, for two more times. Furthermore, it appears that effective change management mechanisms were not in place, 15 nor mechanisms for identifying a security gap leading to a data breach incident. 12. The controller does not have effective procedures for the control and evaluation of the processor. Firstly, the contract between the person in charge and the processor does not cover in detail the obligations of the processor towards the controller in relation to the access and processing of the personal data kept in the application, as prescribed in Article 28 of the GDPR, independent contract in this regard, there is only a general reference to the observance of existing legislation, without specifying the elements prescribed in article 28 par. 3 of the GDPR (see also Thought 6 of this). In addition, the processing manager states that during the initial investigation of the incident, the executor did not fully respond to his requests regarding receiving clarifications about the incident. Further, the details of the incident appear to have been provided by the executor to the controller in October 2023, approximately three (3) months after the incident occurred. It is noted, however, that the controller did not submit any evidence demonstrating the actions he took in order to receive the necessary information from the processor as soon as possible. 13. With reference to the incomplete fulfillment of the conditions of article 28 paragraph 3 of the GDPR regarding the contract between the controller and the processor, it is pointed out that, as expressly stated in the Guidelines 7/2020 of the European Data Protection Board (hereinafter, GDPR ) regarding the concepts of controller and processor, "since the Regulation establishes a clear obligation to conclude a written contract, if no other relevant legal act is in force, the lack of a contract constitutes a violation of the GDPR. Both the controller and the processor are responsible for ensuring that a contract or other legal act governing the processing is entered into. Without prejudice to the 2 Available on the website https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020- concepts-controller-and-processor-gdpr_en 16 provisions of Article 83 of the GDPR , the competent supervisory authority has the possibility to impose an administrative fine against both the controller and the processor, taking into account the circumstances of each specific case.' Consequently, the non-fulfillment of the conditions of article 28, paragraph 3 of the GDPR constitutes a violation for both the data controller and the executor, while there may be, at the discretion of the Authority, the imposition of an administrative fine for the violation in question on both parties. 14. The controller initially assessed that the notification of the incident to the data subjects is not required, in accordance with Article 34 of the GDPR, taking into account the following criteria: The application was in test mode after the upgrade The time period during which the vulnerability was detected was small The number of files affected was small The data of the files hosted in the specific application are considered to be of a simple nature Immediate corrective measures were taken The risks arising from the specific incident of violation are characterized as small As mentioned above in the history of the present, the DPO after re-evaluation of the criteria, made in July 2023 a recommendation to the controller to inform the affected data subjects. The data controller stated that he received all the detailed information with the data subjects who appear to have been affected by the above incident of breach in early October, at which time the process of personalized information to citizens was initiated, which is ongoing. The above claim contradicts in principle the initial assessment that, based on the information available to the data controller, the files were of minor importance and therefore no information was needed for the subjects, in addition to the fact that this initial assessment was not sufficiently documented, taking into account the type and number of files with personal data that were breached. Furthermore, the 17 controller does not mention any relevant action during the period July-October 2023, i.e. from the time when the Office of the Ombudsman recommended the notification of the incident to the affected persons until receiving the detailed information sent to him by the processor incident in order to take care of its effective treatment, since the correct evaluation was finally made almost three (3) months after his arrival. Besides, the information that the data controller finally provided, with a delay, to the affected persons is not correct, on the one hand, because it refers to a cyber attack, while the incident is not related to a cyber attack, which means any malicious action that takes place via electronic computer or network for the purpose of modification, destruction, theft, eavesdropping 3 or unauthorized access to the owner's information, and on the other hand because the personal data leaked to unknown third parties are not listed in detail. In addition, the data controller did not update the details of the notification of the incident to the Authority, as it should have.
15. The processor, as stated, does not have an official and
documented change management policy to ensure that the
changes to existing applications do not create security holes. Not
it also emerged that the controller had placed such a demand on
performing the processing. Furthermore, as the existing informality emerges
process changes the processor does not follow
optimal, from a security point of view, approach so that the changes, and especially those
are also related to security issues to be carried out in an environment
testing before they are deployed in the production environment. Besides, as to
this issue, it does not appear that the controller had raised any
special requirement to the processor.
16. Therefore, based on the above, the Authority finds the following violations for
3
See in this regard, Regulation (EU) 2019/881 (Cybersecurity Act) in which the term cyber attack
used in relation to "perpetrators" who carry them out
18 controller:
a. Violation of article 5 par. 1 item f' in conjunction with article 32 par.
1 of the GDPR regarding the security of the processing (see above Thought
11, Thought 12 as to the ineffectiveness of its control
processing by the controller, but also Thought
15 as to the part of the lack of setting minimum requirements for the
security, on the part of the controller, for the executor
processing.)
b. Violation of article 25 par. 1 of the GDPR regarding the protection of
data already by design, since they were not taken by design
measures to deal with various risks regarding personal data
(see above Thought 11).
c. Violation of article 28 par. 3 of the GDPR regarding the data that
must be included in the contract between the controller and
processor (see above Reason 12 and Reason 13).
d. Violation of article 33 par. 4 of the GDPR if they were not provided to the Authority,
without delay, new information about the incident (see
above Thought 14).
e. Violation of article 34 par. 1 and 2 of the GDPR, since it was not done with the proper
way to assess the seriousness of the incident in order to
the affected persons are informed without delay, while the information that finally
provided was not absolutely correct according to the provisions in said
provisions (see above Opinion 14).
17. Furthermore, based on the above, the Authority finds the following violations for the
processing:
a. Violation of article 32 par. 1 of the GDPR regarding its security
processing (see above Opinion 11 and Opinion 15).
b. Violation of article 28 par. 3 of the GDPR regarding the data that
must be included in the contract between the controller and
processor (see above Reason 12 and Reason 13).
18. Based on the above, the Authority considers that there is a case of exercise of the
article 58 par. 2 GDPR corrective powers and enforcement in relation to
19 violations found.
19. The Authority further considers that it should, based on the violations found,
to be imposed, pursuant to the provision of article 58 par. 2 sec. i GDPR,
effective, proportionate and dissuasive administrative fine,
in accordance with articles 83 GDPR and 39 of Law 4624/2019, both to the responsible
processing as well as to the processor.
20. Furthermore, the Authority took into account the criteria for measuring the fine which
are defined in article 83, paragraph 2 of the GDPR, paragraph 4 of this article
applies to the controller for the violation of Article 5
par. 1 item f of the GDPR and paragraph 5 of the same article 83 it has
application for the other violations of the controller and for the
violations of the processor, article 39 par. 1 and 2 of the law
4624/2019 regarding the imposition of administrative sanctions on its bodies
public sector and the Guidelines 04/2022 of the European
Data Protection Council 4 for the calculation of administrative
of fines under the GDPR, which were approved on 24/5/2023, as well as the
factual data of the case under consideration and in particular the following:
i) The established violation of article 5 par. 1 item in the GDPR
by the data controller, according to the provisions
of article 83 par. 5 sec. 2nd GDPR, to the highest extent provided
category of the grading system of administrative fines
("significant" violations with a maximum amount of 20,000,000 euros).
ii) The activity is related to its main activities
controller, if the granting of copies
of certificates to the citizens is included in his responsibilities
controller exercised on a daily basis.
iii) The number of data subjects who appear to
affected cannot be considered small as it seems to
nine hundred (900) data subjects were affected who
are users of the services of the controller, while
4
https://edpb.europa.eu/system/files/2023-06/edpb_guidelines_042022_calculationofadministrativefines_en.pdf
20 the fact that it was not adequately addressed resulting in
the same incident occurs three (3) times, potentially it could
affect a greater number of affected subjects of
data.
iv) The processing mainly concerns "simple" personal data, at
which, however, also includes data, such as police records
identity cards or passports which can easily
used in identity theft incidents (in
online, e.g. environments) and are therefore considered
data whose breach can result in serious
5
risks.
v) The controller showed difficulty in working with
the Authority, failing to provide timely the information that
were asked of him.
vi) Although the offense did not last long, neither did the person responsible
immediately stopped its operation
website, but there were multiple failed tests
reboot with the same security gap, which it wasn't
perceived neither by the controller nor by
the processor and therefore potentially could
to have a longer duration.
vii) No material damage occurs to the data subjects.
viii) No previous corresponding violation by him has been established
controller or processor.
ix) The fact that the nature of the processor's company
is small as it is a Limited Partnership.
21. The Authority considers that, based on the circumstances established and the above
criteria, the sanctions mentioned in the operative part of the decision are the
effective, proportional and deterrent measure both to restore it
compliance, as well as to punish illegal behavior.
5 See in this regard, and Opinion 57 of Guidelines 4/2022 of the ESPD
21 FOR THESE REASONS
The Authority taking into account the above:
a) Enforces based on article 58 par. 2 sec. i' of the GDPR, administrative fine to the Municipality
Fine of a total amount of 10,000 euros, for the violation of article 5 par. 1 item at.
in conjunction with article 32 par. 1 of Regulation (EU) 2016/679.
b) Enforces based on article 58 par. 2 sec. i' of the GDPR, administrative fine to the Municipality
Fine of a total of 5,000 euros, for the violation of articles 28 par. 3, 33 par. 4
and 34 par. 1 and par. 2 of Regulation (EU) 2016/679.
c) Addresses based on article 58 par. 2 sec. i' of the GDPR, a reprimand to the Municipality of Alimos for
the violation of article 25 par. 1 of Regulation (EU) 2016/679.
d) Enforces based on article 58 par. 2 sub. i' of the GDPR administrative fine to
company with the name "TEST INFORMATION SYSTEMS O.E." total amount
5,000 euros, for the violation of articles 32 par. 1 and 28 par. 3 of the Regulation (EU)
2016/679.
The President The Secretary
Konstantinos Menudakos Irini Papageorgopoulou
22
