|
|
(6 intermediate revisions by 3 users not shown) |
Line 4: |
Line 4: |
| |DPA-BG-Color=background-color:#ffffff; | | |DPA-BG-Color=background-color:#ffffff; |
| |DPAlogo=LogoLT.png | | |DPAlogo=LogoLT.png |
| |DPA_Abbrevation=ADA | | |DPA_Abbrevation=VDAI |
| |DPA_With_Country=ADA (Lithuania) | | |DPA_With_Country=VDAI (Lithuania) |
|
| |
|
| |Case_Number_Name=VĮ Registrų centras | | |Case_Number_Name=VĮ Registrų centras |
Line 56: |
Line 56: |
| }} | | }} |
|
| |
|
| In February 2021, the Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of 15.000 Eur on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures.
| | The Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of €15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures. |
|
| |
|
| == English Summary == | | ==English Summary== |
|
| |
|
| === Facts === | | ===Facts=== |
| Starting in July 2020, the VDAI was investigating the incident of a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the data breach was stored in: | | Starting in July 2020, the VDAI was investigating the incident of a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the data breach was stored in: |
| | Electronic health services and collaboration infrastructure information system; |
| | Real estate register; |
| | Real estate cadastre; |
| | Register of Legal Entities; |
| | Population Register of the Republic of Lithuania; |
| | Register of seizure deeds; |
| | Mortgage Register of the Republic of Lithuania; |
| | Register of wills; |
| | Register of marriage contracts; |
| | Register of credentials; |
| | Register of incapacitated and restricted persons; |
| | Register of contracts; |
| | Information system for participants of legal entities; |
| | Bailiffs information system; |
| | License information system; |
| | Money Restriction Information System; |
| | Legal aid services information system; |
| | Registration service information system; |
| | Electronic signature and timestamp service; |
| | Register center document management system; |
| | Personnel administration system of the Register Center; |
| | Accounting software of the Register Center. |
| | |
| | ===Dispute=== |
| | ===Holding=== |
| | The fine of 15000 EUR was imposed for infringements of Article 32(1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services as well as failure to restore the conditions and access to personal data in the event of a physical or technical incident within the legal deadline. |
| | |
| | In determining the amount of the administrative fine, the VDAI took into account the factors mitigating the violation committed by the Center of Registers listed in Article 83(2) (b), (c), (e), (f) and (h) GDPR, i. e. the absence of intent, the efforts made to restore the damaged data, the absence of facts about the material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR. |
| | |
| | ==Comment== |
| | ''Share your comments here!'' |
| | |
| | ==Further Resources== |
| | ''Share blogs or news articles here!'' |
| | |
| | ==English Machine Translation of the Decision== |
| | The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details. |
| | |
| | <pre> |
| | After 2020 July 20 The State Data Protection Inspectorate (SDPI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021. February. imposed a fine for improper implementation of technical and organizational data security measures. |
| | |
| | SE Register Center 15 thousand. A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline. |
| | |
| | Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach: |
|
| |
|
| Electronic health services and collaboration infrastructure information system; | | Electronic health services and collaboration infrastructure information system; |
Line 86: |
Line 130: |
| Accounting software of the Register Center. | | Accounting software of the Register Center. |
|
| |
|
| | Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points (g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the State Enterprise Center of Registers, have been decided to impose an administrative fine on the State Enterprise Center of Registers. |
|
| |
|
| === Dispute ===
| | Pursuant to the Law on the Legal Protection of Personal Data, an authority or body that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR has the right to impose an administrative fine of up to 0.5 per cent of the authority or body's current year's budget and other gross annual income, but not more than thirty thousand euros. |
| | |
| | |
| === Holding ===
| |
| The fine of 15.000 Eur was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services as well as failure to restore the conditions and access to personal data in the event of a physical or technical incident within the legal deadline.
| |
| | |
| In determining the amount of the administrative fine, the VDAI took into account the factors mitigating the violation committed by the Center of Registers listed in Article 83 (2) (b), (c), (e), (f) and (h) GDPR, i. e. the absence of intent, the efforts made to restore the damaged data, the absence of facts about the material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.
| |
| | |
| == Comment ==
| |
| ''Share your comments here!''
| |
|
| |
|
| == Further Resources ==
| | In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future. |
| ''Share blogs or news articles here!''
| |
|
| |
|
| == English Machine Translation of the Decision ==
| | VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation. |
| The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
| |
| | |
| <pre>
| |
| <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="lt" lang="lt"><head><title> Fine imposed for breaches of the General Data Protection Regulation in the Center of Registers State Data Protection Inspectorate </title><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="keywords" content="data, registers, register ;, system ;, information" /><meta name="description" content="After 2020 July 20 The State Data Protection Inspectorate (VDAI), having carried out an investigation in accordance with the General Regulation of the State Register of Incidents, which disrupted the operation of state registers and state information systems managed by the State Enterprise Center of Registers," /><meta name="robots" content="all" /><!--[if IE]>
| |
| <meta http-equiv="imagetoolbar" content="false" />
| |
| <meta name="MSSmartTagsPreventParsing" content="true" />
| |
| <![endif]--><meta property="og:url" content="http://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre"><meta property="og:title" content="A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers"><meta property="og:image" content="http://vdai.lrv.lt/uploads/vdai/news/images/267_1f8b031415a579c0c0281cf144b17b1d.png"><link rel="canonical" href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" /><link rel="shortcut icon" href="//vdai.lrv.lt/favicon.ico" type="image/vnd.microsoft.icon" /><link rel="icon" href="//vdai.lrv.lt/favicon.ico" type="image/vnd.microsoft.icon" /><link href="//fonts.googleapis.com/css?family=Ubuntu:300,400" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="/assets/scripts/lightslider/lightSlider.css?1614947813" /><link rel="stylesheet" type="text/css" href="/Project/Modules/Gpdr/assets/styles.css?1614947813" /><link rel="stylesheet" type="text/css" href="/assets/scripts/jquery_ui/jquery-ui.theme.min.css?1614947813" /><link rel="stylesheet" type="text/css" href="/assets/vendors/bootstrap_3.3.2/css/bootstrap.min.css?1614947813" /><link rel="stylesheet" type="text/css" href="/assets/scripts/vendors/font-awesome/css/font-awesome.min.css?1614947813" /><link rel="stylesheet" type="text/css" href="/Framework/assets/vendors/fancybox_2.1.5/jquery.fancybox.css?1614947813" /><link rel="stylesheet" type="text/css" href="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/themes/base/jquery.ui.all.css?1614947813" /><link rel="stylesheet" type="text/css" href="/Framework/assets/node_modules/select2/dist/css/select2.min.css?1614947813" /><link rel="stylesheet" type="text/css" href="/Framework/assets/scss/cms-select2.css?1614947813" /><link rel="stylesheet" href="/assets/scripts/AudioPlayer/css/audioplayer.css" type="text/css" media="screen,print" /><link rel="stylesheet" href="/assets/css/screen.css?1614947813" type="text/css" media="screen,print" /><link rel="stylesheet" href="/assets/css/print.css?1614947813" type="text/css" media="print" /><script type="text/javascript"> var baseHref = "//vdai.lrv.lt/lt/" </script><script type="text/javascript" src="/Framework/assets/node_modules/jquery/dist/jquery.min.js?1614947813"></script></head><body id="module_news"><script>
| |
| $(document).ready(function () {
| |
| var browser_version = parseInt($.browser.version.split('.')[0]);
| |
| if(
| |
| ($.browser.msie && browser_version < 10)
| |
| || ($.browser.mozilla && browser_version < 24)
| |
| || ($.browser.chrome && browser_version < 30)
| |
| || ($.browser.opera && browser_version < 20)
| |
| || ($.browser.safari && browser_version < 7)
| |
| || false
| |
| ){
| |
| $.get("//vdai.lrv.lt/lt/general/oldbrowser?ajax=1").done(function(r) {
| |
| if(r){
| |
| $('body').append(r);
| |
| }
| |
| });
| |
| }
| |
| });
| |
| </script><section id="ccc" class="closed" style="z-index: 214748364" data-domain="lrv.lt"><div id="ccc-overlay"></div><div id="ccc-icon"><div class="triangle"><img src="/Project/Modules/Gpdr/assets/images/BDAR.svg" alt="BDAR"/></div></div><div id="ccc-module"><div id="ccc-content"><div id="ccc-close"><svg xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M19 6.41L17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"></path></svg></div><p> To ensure the best browsing experience, we use cookies on this website. You can revoke your consent at any time by changing your web browser settings and deleting the saved cookies.</p><p class="ccc-policy-links"> <a href="https://ivpk.lrv.lt/slapuku-naudojimo-taisykles" class="ccc-notify-button ccc-button-solid" target="_blank">Read the cookie</a> <a href="https://vdai.lrv.lt/lt/asmens-duomenu-apsauga" class="ccc-notify-button ccc-button-solid">privacy policy</a> </p><hr><div id="ccc-optional-categories"><div data-index="0" class="optional-cookie"><h3 id="ccc-necessary-title"> Cookies are required</h3><div class="checkbox-toggle"> <label class="checkbox-toggle-label"><input class="checkbox-toggle-input" type="checkbox" name="gpdr-necessary-cookies" checked="checked" disabled="disabled"> <span class="checkbox-toggle-on">On</span> <span class="checkbox-toggle-off">Off</span><span class="checkbox-toggle-toggle" data-index="0"></span></label></div><p id="ccc-necessary-description"> Necessary cookies enable the basic functions of the website. The website cannot function properly without these cookies, they can only be disabled by changing your browser settings. </p><div class="ccc-alert"></div><hr/></div><div data-index="1" class="optional-cookie"><h3 class="optional-cookie-header"> Statistics cookies</h3><div class="checkbox-toggle"> <label class="checkbox-toggle-label"><input class="checkbox-toggle-input" type="checkbox" name="gpdr-stats-cookies" /><span class="checkbox-toggle-on">On</span> <span class="checkbox-toggle-off">Off</span><span class="checkbox-toggle-toggle" data-index="0"></span></label></div><p> Analytical cookies help us to improve our website by collecting and providing information about its use. </p><div class="ccc-alert"></div><hr/></div><div data-index="2" class="optional-cookie"><h3 class="optional-cookie-header"> Language selection cookies</h3><div class="checkbox-toggle"> <label class="checkbox-toggle-label"><input class="checkbox-toggle-input" type="checkbox" name="gpdr-language-cookies"><span class="checkbox-toggle-on">On</span> <span class="checkbox-toggle-off">Off</span><span class="checkbox-toggle-toggle" data-index="0"></span></label></div><p> The language selection cookies remember the language you have selected.</p><div class="ccc-alert"></div><hr/></div><div class="buttons-wrap"> <button class="btn btn-outline-primary close-window"><span class="text-uppercase">Confirm</span><br></button> <button class="btn btn-primary accept-all-cookies"><span class="text-uppercase">Confirm</span></button> <button class="btn btn-outline-primary close-window">selected cookies</button> <button class="btn btn-primary accept-all-cookies"><br>All cookies</button> </div></div><div id="ccc-info"></div></div></div></section><main><div class="wrapper"><div class="header"><div class="header_links"><div class="inner_wrap"><div class="center clearfix"><div id="mobile-header"><div class="first"> <button type="button" class="navbar-open collapsed" data-toggle="collapse" data-target="#navbar" aria-label="Navigacija" title="Navigation"><span class="sr-only">Navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button></div><div class="center"> <a href="http://lrv.lt/lt" class="title">My government is <span class="beta_title">BETA</span></a></div><div class="last text-nowrap"> <a class="sitemap_link to_right" href="//vdai.lrv.lt/lt/svetaines-medis" title="Site map"><i class="fa fa-sitemap" aria-hidden="true"></i></a> <a class="language to_right" href="//vdai.lrv.lt/en/" aria-label="en language">en</a></div></div><div class="right-header"> <a class="sitemap_link to_right" href="//vdai.lrv.lt/lt/svetaines-medis" title="Structure"><i class="fa fa-sitemap" aria-hidden="true"></i></a> <a class="language to_right" href="//vdai.lrv.lt/en/" aria-label="en language">en</a> <a accesskey="n" href="//vdai.lrv.lt/lt/?disabilities_action=enable" class="disabilities_icon to_right"></a></div><ul class="head_nav to_right"><li> <a href="http://ministraspirmininkas.lrv.lt/lt/">Prime Minister</a></li><li> <a href="http://lrvk.lrv.lt/lt">Government Office</a></li><li> <a href="http://lrv.lt/lt/ministerijos">Ministries</a></li><li> <a href="http://lrv.lt/lt/istaigos">Institutions</a></li><li> <a href="//epilietis.lrv.lt/">E. citizen</a></li><li class="disabilities_link"> <a accesskey="n" href="//vdai.lrv.lt/lt/?disabilities_action=enable">For the disabled</a> </li></ul></div></div></div><div class="inst_name_logo"><div class="inner_wrap"><div class="main_logo"><img src="/assets/images/lr_logo.png" alt="LR"></div><div class="name"> State Data Protection Inspectorate </div><div class="clear"><!-- clear --></div></div></div><div></div><nav id="datails-menu" class="navbar-default"><div class="datails-menu-top"></div> <button type="button" class="navbar-open collapsed"
| |
| aria-controls="navbar"><span class="icon"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></span></button><div id="navbar" class="collapse"> <button type="button" class="navbar-close collapsed" aria-expanded="false" aria-controls="navbar"><i></i></button><div class="top_links"> <a href="#" class="to_left home"><i></i>Home</a> <a href="#" class="to_right newsletter">News subscription</a> <div class="clear"><!-- clear --></div></div><div id="nawbar-first-scroll"><div class="scroll"><ul class="nav first"><li class="active "> <a
| |
| href="//vdai.lrv.lt/lt/naujienos">News</a></li><li class=" dropdown-submenu"> <a
| |
| href="//vdai.lrv.lt/lt/struktura-ir-kontaktai">Structure and contacts</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/struktura-ir-kontaktai/struktura">Structure</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/struktura-ir-kontaktai/kontaktai-1">Contacts</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/struktura-ir-kontaktai/kaip-mus-rasti">How to find us</a></li></ul></div></div></li><li class=" dropdown-submenu"> <a
| |
| href="//vdai.lrv.lt/lt/teisine-informacija">Legal information</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/teisine-informacija/teises-aktai">Legislation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/teisine-informacija/teises-aktu-projektai">Draft legislation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/teisine-informacija/teisine-praktika">Legal practice</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/teisine-informacija/tyrimai-ir-analizes">Research and analysis</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/teisine-informacija/teises-aktu-pazeidimai">Violations of legislation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/teisine-informacija/teisinio-reguliavimo-stebesena">Monitoring of legal regulation</a></li></ul></div></div></li><li class=" dropdown-submenu"> <a
| |
| href="//vdai.lrv.lt/lt/veiklos-sritys-1">Areas of activity</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/prevenciniai-tikrinimai">Preventive inspections</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/isankstines-konsultacijos">Prior consultation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/auditai">Audits</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas">Complaints handling</a></li><li class=" "> <a href="/asmens-duomenu-apsaugos-reforma/pranesimas-apie-duomenu-saugumo-pazeidima">Data security breaches</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/tarptautinis-bendradarbiavimas">International cooperation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/visuomenes-informavimas">Informing the public</a></li></ul></div></div></li><li class=" "> <a
| |
| href="//vdai.lrv.lt/lt/korupcijos-prevencija">Corruption prevention</a></li><li class=" dropdown-submenu"> <a
| |
| href="//vdai.lrv.lt/lt/administracine-informacija">Administrative information</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/nuostatai">Regulations</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/planavimo-dokumentai">Planning documents</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/praneseju-apsauga">Protection of whistleblowers</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/darbo-uzmokestis">Wage</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/paskatinimai-ir-apdovanojimai">Incentives and awards</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/viesieji-pirkimai">Procurement</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/biudzeto-vykdymo-ataskaitu-rinkiniai">Budget implementation report sets</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/finansiniu-ataskaitu-rinkiniai">Sets of financial statements</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/ukio-subjektu-prieziura">Supervision of economic operators</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/tarnybiniai-lengvieji-automobiliai">Official passenger cars</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/veiklos-ataskaitos">Activity reports</a></li></ul></div></div></li><li class=" "> <a
| |
| href="//vdai.lrv.lt/lt/paslaugos">Services</a></li><li class=" "> <a
| |
| href="//vdai.lrv.lt/lt/nuorodos">Links</a></li><li class=" dropdown-submenu"> <a
| |
| href="//vdai.lrv.lt/lt/dsp-ir-dap">DSP and DAP</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/dsp-ir-dap/pranesimas-apie-duomenu-saugumo-pazeidima">Data breach notification</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/dsp-ir-dap/duomenu-apsaugos-pareigunas">Data Protection Officer</a></li></ul></div></div></li><li class=" "> <a
| |
| href="//vdai.lrv.lt/lt/asmens-duomenu-apsauga">Protection of personal data</a></li><li class=" dropdown-submenu"> <a
| |
| href="//vdai.lrv.lt/lt/naudinga-informacija">useful information</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="klausimai-duk">Frequently Asked Questions (FAQ)</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/rekomendacijos-gaires-ir-kt">Recommendations, guidelines, etc.</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/covid-19-ir-bdar">COVID-19 and BDAR</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/patikrinimu-rezultatu-apibendrinimai">Summaries of inspection results</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/teismu-sprendimai-pagal-vdai-skundus">Court decisions (according to VDAI complaints)</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/2018-m-duomenu-apsaugos-reforma-1">2018 data protection reform</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/viesosios-konsultacijos-iki-bdar">Public consultation before BDAR</a></li><li class=" "> <a target="_blank" href="//vdai.lrv.lt/lt/naudinga-informacija/solpripa-2-work-projektas">SolPriPa 2 WORK project</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/solpripa-projektas">SOLPriPa PROJECT</a></li><li class=" dropdown-submenu"> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai">Projects</a><ul class="nav thrid"><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/es-dvyniu-projektas-nr-ua-47b-ukrainos-parlamento-vyriausiojo-zmogaus-teisiu-komisaro">EU twinning project no. UA / 47b "Strengthening the institutional capacity of the High Commissioner for Human Rights of the Parliament of Ukraine to protect human rights and freedoms in line with European best practice"</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/valstybines-duomenu-apsaugos-inspekcijos-valstybes-tarnautoju-ir-darbuotoju-kvalifikacijos-tobulinimas">Improving the qualification of civil servants and employees of the State Data Protection Inspectorate</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/informaciniu-sistemu-susiejimo-ir-modernizavimo-projektas">Information systems interconnection and modernization project</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/projektas-valstybines-duomenu-apsaugos-inspekcijos-ir-lietuvos-bibliotekininku-draugijos-bendradarbiavimo-didinimas-igyvendinant-asmens-duomenu-apsaugos-politika">Project “Increasing the cooperation between the State Data Protection Inspectorate and the Lithuanian Librarians' Association in implementing the personal data protection policy”</a></li></ul></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/vaikams-ir-jaunimui">For children and young people</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/atviri-duomenys-1">Open data</a></li><li class=" "> <a href="https://vdai.lrv.lt/forms/ada-vdai-2020">Surveys</a></li><li class=" "> <a href="events">Events archive</a></li><li class=" "> <a href="https://vdai.lrv.lt/lt/skelbimai">Advertisements</a> </li></ul></div></div></li></ul></div></div><ul class="head_nav"></ul></div></nav></div><div class="main_content clearfix"><div class="inner_wrap"></div><div class="inner_wrap"><h1> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</h1><ol class="breadcrumb"><li> <a href="//vdai.lrv.lt/lt/" aria-label="home">Home</a></li><li class=""> <a href="//vdai.lrv.lt/lt/naujienos"
| |
| >News</a></li><li class="active"> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</li></ol><div class="top_line"> <a href="javascript:window.print()" class="print_link nodeco">Print<i class="fa fa-print fa-fw" aria-hidden="true"></i></a> <div class="clear"><!-- clear --></div></div><div class="clear"><!-- clear --></div><div class="content text to_left"><div class="event_startDate single"><div class="row startDate_wrap"><div class="col-xs-12 col-sm-5"><div class="col-xs-6 col-sm-5"><h5> Data</h5></div><div class="col-xs-6 col-sm-7"><p> 2021 03 02</p></div></div><div class="col-xs-12 col-sm-7"><div class="col-xs-6 col-sm-5 col-md-4"><h5> Evaluation</h5></div><div class="col-xs-6 col-sm-7 col-md-8"> <span class="ratingContainter"><a href="#" data-like_url="//vdai.lrv.lt/lt/ratings/like?ajax=1&entity=News.Ratings&itemId=177&style=star" class="rating_action star_icon "><span class="counter"><i></i></span>5</a></span> </div></div></div></div><div class="news_photo_wrapper"><img class="news_photo" src="//vdai.lrv.lt/uploads/vdai/news/images/852x536_crop/267_1f8b031415a579c0c0281cf144b17b1d.png" alt="Registry center bauda.png" style="max-width: 1920px; max-height: 1080px;"></div><p style="text-align: justify;"><br /> After 2020 July 20 The State Data Protection Inspectorate (VDAI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021, carried out an incident of the State Enterprise Center of Registers that disrupted the operation of state registers and state information systems managed by the State Enterprise Center of Registers. February. imposed a fine for improper implementation of technical and organizational data security measures.</p><p style="text-align: justify;"> SE Register Center 15 thousand. A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.</p><p style="text-align: justify;"> Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach:</p><ul><li style="text-align: justify;"> Electronic health services and collaboration infrastructure information system;</li><li style="text-align: justify;"> Real estate register;</li><li style="text-align: justify;"> Real estate cadastre;</li><li style="text-align: justify;"> Register of Legal Entities;</li><li style="text-align: justify;"> Population Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of seizure deeds;</li><li style="text-align: justify;"> Mortgage Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of wills;</li><li style="text-align: justify;"> Register of marriage contracts;</li><li style="text-align: justify;"> Register of credentials;</li><li style="text-align: justify;"> Register of Inactive and Limited Persons;</li><li style="text-align: justify;"> Register of contracts;</li><li style="text-align: justify;"> Information system for participants of legal entities;</li><li style="text-align: justify;"> Bailiffs information system;</li><li style="text-align: justify;"> License information system;</li><li style="text-align: justify;"> Money Restriction Information System;</li><li style="text-align: justify;"> Legal aid services information system;</li><li style="text-align: justify;"> Registration service information system;</li><li style="text-align: justify;"> Electronic signature and timestamp service;</li><li style="text-align: justify;"> Register center document management system;</li><li style="text-align: justify;"> Personnel administration system of the Register Center;</li><li style="text-align: justify;"> Accounting software of the Register Center.</li></ul><p style="text-align: justify;"> Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the SE Center of Registers, it was decided to impose an administrative fine on the SE Center of Registers.</p><p style="text-align: justify;"> Pursuant to the Law on the Legal Protection of Personal Data, a supervisory authority may impose an administrative fine on an authority or institution that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR up to 0.5 per cent of the authority's or institution's current year's budget and other gross annual income, but not more than thirty thousand euros.</p><p style="text-align: justify;"> In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future.</p><p style="text-align: justify;"> VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.</p><p style="text-align: justify;"></p><p style="text-align: justify;"> Related information:<br /> <a href="https://vdai.lrv.lt/lt/naujienos/del-valstybes-imoneje-registru-centras-ivykusio-incidento" target="_blank">Due to an incident in the State Enterprise Center of Registers >></a></p><p style="text-align: justify;"></p><div class="clear"><!-- clear --></div><div class="share"> <span class="title to_left" aria-label="Share">Share</span><ul class="soc_icons to_left"><li> <a href="http://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Facebook" target="_blank"><i class="fa fa-facebook" aria-hidden="true"></i></a></li><li> <a href="https://www.linkedin.com/sharing/share-offsite/?url=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Linkedin" target="_blank"><i class="fa fa-linkedin" aria-hidden="true"></i></a> </li></ul><div class="clear"><!-- clear --></div></div></div><div id="sidebar" class="to_right"><div class="also_read"><h4> Also read</h4> <a href="//vdai.lrv.lt/lt/naujienos/valstybine-duomenu-apsaugos-inspekcija-iesko-it-skyriaus-vyriausiojo-specialisto">The State Data Protection Inspectorate is looking for a chief specialist of the IT department in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete-1">2021. March 4 9-12 SolPriPa 2 WORK project presentation conference online in</a> <a href="//vdai.lrv.lt/lt/naujienos/2020-m-asmens-duomenu-apsaugos-srities-teismu-sprendimu-apibendrinimas">2020 Summary of court decisions in the field of personal data protection in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete">2021 March 4 9-12 SolPriPa 2 WORK Project Presentation Conference Online</a> <a href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-programeleje-karantinas">Fined for Violations of the General Data Protection Regulation in the Quarantine App</a></div></div><div class="clear"><!-- clear --></div></div><div class="back_top"> <a href="javascript:history.go(-1);" class="back_button" style="display: none;"><i class="fa fa-angle-left" aria-hidden="true"></i>Back</a><a href="#" class="up_button" aria-label="Go up"><i></i></a> <div class="clear"><!-- clear --></div></div></div><div class="footer clearfix"><div class="inner_wrap"><div class="footer_table"><div class="footer_cell credentials"><p> L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt</p><p> Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912</p><p> <strong>Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. and 1pm to 3pm</strong></p><div class="credentials main_copyright"> © Government of the Republic of Lithuania</div></div><div class="footer_cell logos"><div> <a href="ES banerio nuoroda" target="_blank" title="The name of the EU banner"><img src="/assets/images/es_banner.jpg" width="150" height="60" alt="The name of the EU banner"></a></div><div class="copyright"> <a href="http://www.kryptis.lt" target="_blank" title="www.kryptis.lt"><img src="/assets/images/copyright.png" alt="Direction"></a> </div></div></div></div><div class="clear"><!-- clear --></div></div></div></main><script>$(function() {
| |
| $('.ck_toggle_text').each(function() { $(this).before('<a class="ck_href ck_expand_href">'+(typeof $(this).attr('title') != "undefined" && $(this).attr('title') != '' ? $(this).attr('title') : 'Išskleisti') + '</a>').append('<a class="ck_href ck_collapse_href">Suskleisti</a>'); } );
| |
| $('body').on('click','a.ck_expand_href',function() { $(this).hide(); $(this).next('.ck_toggle_text').toggleClass('ck_hide_text'); } );
| |
| $('body').on('click','a.ck_collapse_href',function() { $(this).parent('.ck_toggle_text').prev('.ck_expand_href').show(); $(this).parent('.ck_toggle_text').toggleClass('ck_hide_text'); } )} );</script><script type="text/javascript" src="/assets/scripts/jquery.touchSwipe.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/vendors/jquery/jquery-migrate-3.1.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.fracs-0.15.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/imgLiquid-min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/lightslider/jquery.lightSlider.js?1614947813"></script><script type="text/javascript" src="/Project/Modules/Gpdr/assets/ccc-script.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/gallery.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/browser/jquery.browser.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery_ui/jquery-ui.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/popper.js/dist/umd/popper.min.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/bootstrap_3.3.2/js/bootstrap.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/fancybox_2.1.5/jquery.fancybox.pack.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.nicescroll.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery-scrolltofixed-min.fix.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.core.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.widget.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.mouse.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.sortable.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/select2.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/i18n/lt.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-select2.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.datepicker.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/i18n/jquery.ui.datepicker-lt.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-datepicker.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/jcarousel/jquery.jcarousel.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.cycle2.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/AudioPlayer/js/audioplayer.fix.js"></script><script type="text/javascript" src="/assets/scripts/scripts.js?1614947813"></script></body></html>
| |
| </pre> | | </pre> |
The Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of €15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures.
English Summary
Facts
Starting in July 2020, the VDAI was investigating the incident of a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the data breach was stored in:
Electronic health services and collaboration infrastructure information system;
Real estate register;
Real estate cadastre;
Register of Legal Entities;
Population Register of the Republic of Lithuania;
Register of seizure deeds;
Mortgage Register of the Republic of Lithuania;
Register of wills;
Register of marriage contracts;
Register of credentials;
Register of incapacitated and restricted persons;
Register of contracts;
Information system for participants of legal entities;
Bailiffs information system;
License information system;
Money Restriction Information System;
Legal aid services information system;
Registration service information system;
Electronic signature and timestamp service;
Register center document management system;
Personnel administration system of the Register Center;
Accounting software of the Register Center.
Dispute
Holding
The fine of 15000 EUR was imposed for infringements of Article 32(1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services as well as failure to restore the conditions and access to personal data in the event of a physical or technical incident within the legal deadline.
In determining the amount of the administrative fine, the VDAI took into account the factors mitigating the violation committed by the Center of Registers listed in Article 83(2) (b), (c), (e), (f) and (h) GDPR, i. e. the absence of intent, the efforts made to restore the damaged data, the absence of facts about the material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
After 2020 July 20 The State Data Protection Inspectorate (SDPI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021. February. imposed a fine for improper implementation of technical and organizational data security measures.
SE Register Center 15 thousand. A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.
Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach:
Electronic health services and collaboration infrastructure information system;
Real estate register;
Real estate cadastre;
Register of Legal Entities;
Population Register of the Republic of Lithuania;
Register of seizure deeds;
Mortgage Register of the Republic of Lithuania;
Register of wills;
Register of marriage contracts;
Register of credentials;
Register of incapacitated and restricted persons;
Register of contracts;
Information system for participants of legal entities;
Bailiffs information system;
License information system;
Money Restriction Information System;
Legal aid services information system;
Registration service information system;
Electronic signature and timestamp service;
Register center document management system;
Personnel administration system of the Register Center;
Accounting software of the Register Center.
Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points (g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the State Enterprise Center of Registers, have been decided to impose an administrative fine on the State Enterprise Center of Registers.
Pursuant to the Law on the Legal Protection of Personal Data, an authority or body that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR has the right to impose an administrative fine of up to 0.5 per cent of the authority or body's current year's budget and other gross annual income, but not more than thirty thousand euros.
In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future.
VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.