APD/GBA (Belgium) - 56/2021: Difference between revisions
(→Facts) |
(→Facts) |
||
Line 63: | Line 63: | ||
Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee that used it. The second system, which was for managers, did not register employees. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password. | Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee that used it. The second system, which was for managers, did not register employees. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password. | ||
A file in the CCR which concerned the complainant was accessed at least 20 times between 2016 and 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the CCR to obtain information which unfairly assisted him in proceedings concerning the liquidation of | A file in the CCR which concerned the complainant was accessed at least 20 times between 2016 and 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the CCR to obtain information which unfairly assisted him in proceedings concerning the liquidation of his joint estate with the defendant following their divorce. | ||
Whilst the complaint which the present decision regards was filed against the financial institution, the defendant has also filed a separate complaint against her ex-husband, which is pending. | Whilst the complaint which the present decision regards was filed against the financial institution, the defendant has also filed a separate complaint against her ex-husband, which is pending. |
Revision as of 16:56, 3 May 2021
APD/GBA - 56/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(2) GDPR Article 24 GDPR Article 25 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 26.04.2021 |
Published: | |
Fine: | 100000 EUR |
Parties: | n/a |
National Case Number/Name: | 56/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Belgian Data Protection Authority (in FR) |
Initial Contributor: | n/a |
Fine for violation of Article 32 GDPR.
English Summary
Facts
The decision concerns access by employees within an unnamed financial institution to the Central Credit Register ('CCR') operated by the Belgian National Bank.
Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee that used it. The second system, which was for managers, did not register employees. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password.
A file in the CCR which concerned the complainant was accessed at least 20 times between 2016 and 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the CCR to obtain information which unfairly assisted him in proceedings concerning the liquidation of his joint estate with the defendant following their divorce.
Whilst the complaint which the present decision regards was filed against the financial institution, the defendant has also filed a separate complaint against her ex-husband, which is pending.
Dispute
Did the financial institution take appropriate measures to ensure a level of security appropriate to the risk, as outlined in Article 32 GDPR?
Holding
In progress
Comment
In progress
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.