Latest revision as of 12:24, 2 October 2024
| HDPA - 18/2024 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(f) GDPR, Article 25(1) GDPR, Article 28(3) GDPR, Article 32(1) GDPR, Article 33(4) GDPR, Article 34(1) GDPR, Article 34(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 05.07.2024 |
| Published: | |
| Fine: | 15,000 EUR |
| Parties: | the Municipality of Alimos |
| National Case Number/Name: | 18/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | HDPA (Greece) (in EL) |
| Initial Contributor: | wp |
The DPA fined a municipality €15,000 for a lack of technical and organizational security measures that led to the unauthorised availability of personal data on the municipality’s website. The municipality’s processor was fined €5,000.
English Summary
Facts
Files containing personal data of citizens of the Municipality of Alimos (the controller) were accessible to any visitor of a specific website. To access those files, a visitor only had to change the last five-digit number appearing in the website’s URL.
An individual (the data subject) complained about the functionality described above to the Greek DPA (HDPA). In the data subject’s view, the functionality amounted to a data breach.
The DPA informed the controller about the complaint. In response, the controller notified the DPA of the data breach in accordance with Article 33 GDPR.
The controller argued that it relied on services provided by a third party (the processor). Nevertheless, the controller immediately implemented appropriate measures and the data were no longer publicly accessible. The controller stated that, out of 45,000 available files, only 1,200 files had been accessed, and that the access came from two specific IP addresses.
The data subject informed the DPA twice that, despite the update of the website, it was still possible to access the personal data. Each time, the controller implemented additional updates and new measures.
Regarding the data breach, the controller emphasised that it lasted a short time, affected a small number of files containing data of a simple nature, and that corrective measures were applied. As a result, the controller assessed the breach as posing a low risk.
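The weakness in the facts above is that the file id in the URL was the only thing standing between a visitor and another citizen’s documents; the decision text further down records that the controller eventually moved to tokens, serving a file only to the citizen who uploaded it or to a user on the Municipality’s side whose roles are checked. The following is an added Python example, not code from the Municipality, the processor or the decision, that puts the two behaviours side by side: a handler that trusts the numeric id alone, and one that resolves a session token to a user and checks ownership or a staff role before serving. The role name, the token scheme, the in-memory store and the sample users are all assumptions.

```python
"""Added example (not the Municipality's or the processor's code): a per-file
download endpoint in two forms.  download_unchecked() trusts the numeric file
id alone, which is the weakness the complaint describes; download() resolves a
session token to a user and serves the file only to its owner or to a
municipality-side role, the remedy the controller describes.  All names,
roles and sample data are assumptions."""
import secrets
from dataclasses import dataclass, field

STAFF_ROLE = "municipality_staff"   # assumed role name for Municipality-side users


@dataclass
class StoredFile:
    file_id: int
    owner: str        # username of the citizen who uploaded it
    content: bytes


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)


class FileService:
    def __init__(self):
        self.files = {}       # file_id -> StoredFile
        self.users = {}       # username -> User
        self.sessions = {}    # token -> username
        self.denied = []      # (username or None, file_id): audit trail of refusals
        self._next_id = 10001  # sequential ids, exactly what made guessing easy

    def add_user(self, username, roles=()):
        self.users[username] = User(username, set(roles))

    def login(self, username):
        """Issue a random, unguessable session token (after authentication)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def upload(self, token, content):
        owner = self.sessions[token]
        file_id = self._next_id
        self._next_id += 1
        self.files[file_id] = StoredFile(file_id, owner, content)
        return file_id

    def download_unchecked(self, file_id):
        """Weak form: whoever knows (or guesses) the id gets the file."""
        f = self.files.get(file_id)
        return f.content if f else None

    def download(self, token, file_id):
        """Hardened form: identify the caller from the token, then require
        that the file is theirs or that they hold the staff role.  Missing
        and forbidden files both yield None, so the response does not reveal
        which ids exist."""
        username = self.sessions.get(token)
        user = self.users.get(username) if username else None
        f = self.files.get(file_id)
        if user is None or f is None or not (
            f.owner == user.username or STAFF_ROLE in user.roles
        ):
            self.denied.append((username, file_id))
            return None
        return f.content


def build_sample():
    """Constructed data: two citizens with one upload each, one staff account."""
    svc = FileService()
    svc.add_user("alice")
    svc.add_user("bob")
    svc.add_user("clerk", roles=[STAFF_ROLE])
    tokens = {name: svc.login(name) for name in ("alice", "bob", "clerk")}
    ids = {"alice": svc.upload(tokens["alice"], b"alice-id-card.pdf"),
           "bob": svc.upload(tokens["bob"], b"bob-driving-licence.pdf")}
    return svc, tokens, ids


if __name__ == "__main__":
    svc, tokens, ids = build_sample()
    print(svc.download_unchecked(ids["alice"]))        # served to anyone with the id
    print(svc.download(tokens["bob"], ids["alice"]))    # None: not bob's file
    print(svc.download(tokens["clerk"], ids["alice"]))  # staff role is allowed
```

The `denied` list is there on purpose: every refusal is recorded with the caller and the id requested, which is the raw material for the log review the DPA found missing in this case.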
Holding
The DPA upheld the complaint. The DPA found that the controller violated Article 5(1)(f), Article 25(1), Article 28(3), Article 32(1), Article 33(4), Article 34(1) and Article 34(2) GDPR.
The controller failed to implement appropriate technical and organizational security measures to preserve the confidentiality of the personal data, as well as to verify the effectiveness of the implemented measures. That led to the data breach.
The data breach resulted in unauthorised access to personal data of citizens of the Municipality of Alimos, for example copies of identity cards and driving licences.
The DPA noted that the controller did not implement measures to detect the breach in a timely manner. This allowed the breach to recur twice after the complaint was filed, even after the update of the website. At the same time, the controller did not assess the risk posed by the breach properly, in particular because it failed to verify in detail which data had been disclosed.
Furthermore, the controller did not implement procedures governing the controller-processor relationship. The contract merely stated that the controller and the processor complied with the applicable law and lacked the information required under Article 28(3) GDPR.
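The detection the DPA found missing here, and spells out in point 11 of the decision text below, is regular review of the application’s access logs for behaviour that looks like unauthorised access rather than a citizen opening their own few documents. The following added Python example, not taken from the decision or from either party, runs such a check over constructed log lines: it groups file requests per client address and flags any client that touches many distinct file ids in a short window, most of them adjacent to the previous one. The log format, the thresholds and the sample lines are assumptions.

```python
"""Added example (not from the decision or the processor): a log check that
flags clients walking through numeric file ids, the kind of monitoring the
Authority found missing.  Log format, thresholds and sample lines are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access-log format: <ip> - - [<time>] "GET /files/<id> HTTP/1.1" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
FILE_RE = re.compile(r"^/files/(?P<file_id>\d+)$")
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, file_id, status) for a file request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FILE_RE.match(m["path"])
    if not f:
        return None
    return (m["ip"], datetime.strptime(m["time"], TIME_FMT),
            int(f["file_id"]), int(m["status"]))


def find_enumerators(lines, window=timedelta(minutes=10),
                     min_distinct=10, min_sequential=0.6):
    """Flag IPs that request at least min_distinct different file ids inside
    one sliding window and whose requests mostly step to a neighbouring id."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev[0]].append(ev[1:])   # (time, file_id, status)
    findings = []
    for ip, events in per_ip.items():
        events.sort()
        # Largest number of distinct ids seen inside any window-long span.
        best, start, seen = 0, 0, defaultdict(int)
        for t, fid, _ in events:
            seen[fid] += 1
            while t - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        ids = [fid for _, fid, _ in events]
        steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
        ratio = steps / (len(ids) - 1) if len(ids) > 1 else 0.0
        not_found = sum(1 for _, _, s in events if s == 404)
        if best >= min_distinct and ratio >= min_sequential:
            findings.append({"ip": ip, "distinct_in_window": best,
                             "sequential_ratio": round(ratio, 2),
                             "not_found": not_found})
    return findings


def _line(ip, second, file_id, status):
    return (f'{ip} - - [13/Jun/2023:10:00:{second:02d} +0300] '
            f'"GET /files/{file_id} HTTP/1.1" {status} 4096')


# Constructed sample log: one client walks ids 12340..12360 within 21 seconds
# (a few ids do not exist), two other clients behave like ordinary users.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, 12340 + s, 404 if s % 7 == 0 else 200) for s in range(21)]
    + [_line("198.51.100.5", 5, 12345, 200), _line("198.51.100.5", 30, 12345, 200),
       '198.51.100.5 - - [13/Jun/2023:10:00:31 +0300] "GET /login HTTP/1.1" 200 512']
    + [_line("192.0.2.9", 40, 20100, 200), _line("192.0.2.9", 41, 20457, 200),
       _line("192.0.2.9", 42, 20311, 200)]
)

if __name__ == "__main__":
    for finding in find_enumerators(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only the first client is reported (21 distinct ids, every step adjacent, three misses). The ratio of 404 responses is worth keeping in the finding: a citizen opening their own documents almost never hits ids that do not exist, whereas a walk through the id space does.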
Consequently, the controller was:
• Fined €10,000 for a violation of data security (Article 5(1)(f), Article 32(1) GDPR).
• Fined €5,000 for violations regarding data breach management and the content of the controller-processor contract (Article 28(3), Article 33(4), Article 34(1), Article 34(2) GDPR).
• Reprimanded for a violation of the data protection by design principle (Article 25(1) GDPR).
The processor was fined €5,000 for violating both data security and the requirements on the content of the controller-processor contract (Article 28(3) GDPR, Article 32(1)(b) GDPR).
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, July 5, 2024, No. Prot. 1828
DECISION 18/2024
The Personal Data Protection Authority met at the invitation of its President through a conference on 23/01/2024, postponing the meetings of 05/12/2023 and 19/12/2023, in order to consider the case mentioned below in the history of this decision. The President of the Authority, Konstantinos Menudakos, and the regular members of the Authority, Konstantinos Lambrinoudakis as rapporteur, Spyridon Vlachopoulos, Charalambos Anthopoulos, Christos Kalloniatis, Aikaterini Iliadou and Grigorios Tsolias were present. Present without the right to vote were Konstantinos Limniotis and Aikaterini Hatzidiakou, IT auditors, as assistant rapporteurs, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary. The Authority took into account the following: With complaint no. prot. C/EIS/4615/20-06-2023, A (hereinafter "complainant") reported to the Authority a data breach incident concerning unauthorized access by internet users to easily accessible files containing personal data of citizens of the Municipality of Alimos. Specifically, according to the complaint, files with personal data of citizens of the Municipality of Alimos were easily accessible to any user through the website "...", by changing the last five-digit number that appears in the relevant electronic (URL) address. The Authority found that the above complaint was well-founded; for confirmation, the Authority's auditors, in the context of investigating the complaint, "downloaded" a large number of files with personal data of citizens of the Municipality of Alimos from the above link.
On 21-06-2023 the Authority informed the Municipality of Alimos (hereinafter "controller") by e-mail about the above breach incident, and the controller then submitted to the Authority, on the basis of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), the breach notification no. prot. C/EIS/4715/23-06-2023 and its response to the incident no. prot. C/EIS/4749/26-06-2023. The Authority, after examining the above notification and the reply document, sent document no. prot. C/EXE/1649/27-06-2023 to the controller, requesting a more detailed description of the breach incident with any relevant information regarding the actions taken from the moment of notification onwards, the security measures, any notification of the incident to the affected data subjects, the period of time for which this vulnerability existed in the system, as well as the risk assessment on the part of the controller. With the above document, the Authority also requested that the controller send the complete contract with the company "TEST INFORMATION SYSTEMS O.E." (hereinafter "processor"), with which the controller had contracted for the implementation and support of the relevant online services. On 03-07-2023, while the controller had already informed the Authority that it had taken corrective actions and that its files were therefore no longer easily accessible to unauthorized users (something the Authority had also established), the complainant informed the Authority, with document no. prot. C/EIS/4916/03-07-2023, that the vulnerability continued to exist and that essentially the same problem had reappeared, even though it initially seemed to have been addressed.
Because of this, the Authority immediately contacted the controller by telephone, who was informed of the matter so as to take immediate action to deal with the breach incident (as it did, by disabling the relevant web pages through which unauthorized access to data was possible). Subsequently, the controller responded with document no. prot. C/EIS/5144/12-07-2023, which includes the following:
• The application in which the vulnerability was detected is located at the electronic address (URL) "...", while access to the citizen files of the Municipality of Alimos is via the electronic address (URL) "...".
• Due to an upgrade of the application to a new version of the software, which had been put into test mode in the production environment, a security gap was created which was the cause of the incident in question.
• As can be seen from the log file of accesses to the files of the Municipality of Alimos ("..."), increased access to the files from two specific IP addresses was found and the application was closed. By checking the above log, it was found that 1,200 files were accessed out of the total of 45,000 available in the application. A total of approximately 3,800 unauthorized access attempts were made, most of which failed or involved the same file.
• The vulnerability existed for the period from 12-06-2023, when the test function of the new version of the application was implemented, until 21-06-2023, the day of the notification of the data breach incident.
• After various technical implementations to make the application functional and secure, the controller finally ended up using tokens. Under this process, in order to access and/or "download" a file, a user must either be its owner, having uploaded it to the application themselves, or be a user of the application on the side of the Municipality of Alimos.
Through the token controlled by the application, the user is identified and the roles assigned to him are checked.[1] The controller did not notify the affected persons of the data breach incident, taking into account the following criteria:
• The application was in test mode after the upgrade.
• The time period in which the vulnerability was detected was short.
• The number of files affected was small.
• The data of the files hosted in the specific application are considered simple in nature.
• Immediate corrective action was taken.
• The risks arising from the specific breach incident are characterized as small.
Also, the controller submitted the contract between it and the processor, article 11 of which refers to the obligations of the contracting parties to comply with the applicable legislation and the relevant decisions of the Personal Data Protection Authority in relation to the protection of personal data, while article 5 states that the processor takes the appropriate measures to preserve the confidentiality of information that has been classified as such.
[1] One of the two IP addresses that appear to have gained extensive unauthorized access to the files of the citizens of the Municipality of Alimos corresponds to a computer used by an Authority auditor in the context of investigating the above complaint.
Subsequently, the Authority, after examining the above response, requested with document no. prot. C/EXE/1783/13-07-2023 additional clarifications and a more detailed description regarding the security gap that was created, the way in which the above security incident occurred, the way the newest version of the application was monitored during the trial period in question, the policy generally followed to secure changes made to the information systems, the reason for the reactivation of the application (which the complainant indicated in his second document) without the necessary measures for the protection of personal data having been taken, as well as a description of the way the breach incident was investigated. In addition, with the above document, the Authority requested clarifications regarding the question of which access is characterized as unauthorized, whether the interruption of the use of the application raises issues of availability of files and related services to citizens and, finally, whether and how the data subjects are affected by the breach in question and therefore whether they need to be informed. In addition, with document no. prot. C/EXE/1785/13-07-2023, the Authority requested clarifications from the processor regarding the policy followed in cases of upgrading existing software, in which environment the changes take place, whether the specific security gap affects other controllers to whom the processor offers similar services and what its actions are in case of an affirmative answer. Subsequently, with document no. prot. C/EIS/5330/19-07-2023, the complainant again informed the Authority that the files of the Municipality of Alimos were again easily accessible to unauthorized users in exactly the same way (as the Authority also found). Following this, the Authority issued Decision no. 28/2023 (Individual Body), by which it imposed a temporary order that the controller take any necessary action to limit the free access of internet users to files of the controller's application, so that the files with personal data of application users are available only to properly authorized users or the data subjects, without being easily accessible by other unauthorized users.
As established by the Authority, after receiving the temporary order, the controller disabled the possibility of unlawful access to personal data (the relevant web pages were disabled). Subsequently, the controller replied with document no. prot. C/EIS/5840/10-08-2023 to some of the clarifications requested by the Authority with its above document, as follows:
• A security gap was created by activating the incorrect version of the application, which is due to the internal configuration management procedures of the processor. In particular, the code of the previous version had been preserved together with elements of the newer software developed.
• The interruption of the operation of the application affected only the electronic services and not the issuing of the files hosted by the application through requests made with the physical presence of the citizens.
In relation to the remaining clarifications, the controller expected assistance from the processor. Subsequently, after a period of more than a month during which there was no other response to the Authority, the Authority sent documents no. prot. C/EXE/2378/21-09-2023 and no. prot. C/EXE/2379/21-09-2023 to remind the controller and the processor, respectively. Following this, the processor responded with document no. prot. Γ/EIS/6731/25-09-2023, which states the following:
• There is no recorded change management policy for the software developed by the company.
• In case of changes, the following steps are informally followed: inform the customer that the application is down (usually during non-productive hours); shut down the application; install the new version of the application; run the new application; check for correct operation.
• Testing of changes is usually carried out on internal servers, while in more complex cases related to security issues these are done directly in the production environment.
• Most of the applications developed by the company are more recent and more secure than the application used by the controller to request and issue digital certificates.
• This application also operates in the Municipality of Keratsini and in the Municipality of Voula - Vari - Vouliagmeni. The software upgrade does not appear to have affected these controllers. In addition, the file storage space and the application settings are different in each case. The processor continues to carry out tests to ensure that the above municipalities have not been affected.
Finally, the processor replied with document no. prot. G/EIS/6875/02-10-2023, providing additional clarifications regarding the volume of files to which unauthorized access was obtained and the web addresses from which this was done. The controller also reiterates that the relevant functionality, which ultimately allowed the unauthorized access to data, was enabled for testing carried out as part of an application upgrade, while also pointing out that anyone looking at the source code of the application's website could guess how unauthorized access to data could be gained. Additionally, it was found that the breach ultimately exposed controller records such as police ID cards, which can easily be used in identity theft incidents in online environments. Finally, the controller repeats the claims made in its document no. prot. C/EIS/5144/12-07-2023 regarding the technical solution adopted to deal with the vulnerability in question, as well as that, despite continuous complaints to the processor, not all clarifications about the incident in question had been received by the time the above document was sent.
It is also noted that all the responses of the controller to the Authority, as described above, were submitted by the Data Protection Officer (DPO) of the Municipality. In the last document, it is also stated that the DPO recommended that the controller announce the incident in question to the data subjects. Following the examination of the information in the file, the Authority sent summonses no. prot. C/EXE/2554/12-10-2023 and C/EXE/2553/12-10-2023 to the controller and the processor respectively, in order to discuss the case in question before the Plenary Session of the Authority on Tuesday, October 24, 2023. At said meeting, which took place via video conference, the following were present: on behalf of the controller, B, General Secretary of the Municipality, Maria Marioli, lawyer with AMDSA ..., Advisor to the Mayor, and, on behalf of the company KaPa Data Consulting, which performs DPO duties for the controller, Konstantina Ithakisiou, lawyer with AMDSA ..., and C, external partner of the company; and on behalf of the processor, the legal representatives of the company, D and E, in order to provide clarifications on the case in question. After the meeting, the controller and the processor were given a deadline to submit a memorandum. Subsequently, the controller submitted, within the set deadline, memorandum no. prot. C/EIS/7936/07-11-2023, followed by supplementary documents no. prot. G/EIS/7983/09-11-2023 and G/EIS/8105/14-11-2023. With its memorandum, the controller essentially repeated the allegations it had raised before the Authority.
Specifically, the memorandum states that, since 12-09-2022, a contract has been in force between the controller and the processor for the purpose of maintaining the online digital platform for the management of digital certificates for the controller's citizens and businesses, including, among other things, taking appropriate technical measures to safeguard the confidentiality of the information. It is further stated that upon the discovery of unauthorized access to the controller's records, an investigation into the incident was immediately initiated. Following failed tests to restart the application, the order was given to stop the operation of the application, which finally restarted on 03-11-2023 (i.e. after the hearing of the controller before the Authority), after the checks and the necessary corrections by the processor had been completed. In addition, in the same memorandum the controller states that the processor has provided it with the audit data concerning all the data subjects affected by the data breach in question, with the aim of informing them individually rather than through a general update/notice, giving priority to data subjects for whom there was unauthorized access to police ID or passport data. In particular, the controller sent an e-mail message to the affected persons informing them of the incident; the template of this information letter was subsequently submitted to the Authority with document no. prot. G/EIS/7983/09-11-2023. As can be seen from the document in question, the controller informed the data subjects of an incident of cyber attack and breach of the security of the Municipality's information systems by unauthorized users, during which an attempt was made to extract random files in bulk, which also included files with their personal data.
The above information also states that the controller has taken the necessary actions to correct the above incident and that it has also informed the Authority. Furthermore, according to document no. prot. C/EIS/8105/14-11-2023, the unauthorized access to files concerned approximately nine hundred (900) data subjects, users of the controller's services. Of the above files, 150 related to identity cards or passports of a total of 148 subjects, who were informed by a letter sent to them via e-mail on 03-11-2023 by the controller. Finally, this document states that the process of informing the rest of the affected subjects is ongoing. The processor did not submit a separate memorandum after the hearing. It is noted, however, that the controller's memorandum no. prot. C/EIS/7936/07-11-2023, referred to above, describes the changes made to the software of the platform by the processor to ensure and safeguard the data, so that it is not possible for a user to "download" another person's files. The Authority, after examining the elements of the file and those resulting from the hearing before it and the memorandum of the controller with its supplementary documents, after hearing the rapporteur and the clarifications from the assistant rapporteurs, who were present without the right to vote, and after a thorough discussion,
CONSIDERED ACCORDING TO THE LAW
1. From the provisions of Articles 51 and 55 of the GDPR and Article 9 of Law 4624/2019 (Government Gazette A' 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, this law and other regulations concerning the protection of individuals from the processing of personal data.
2.
According to point 12 of Article 4 of the GDPR, "personal data breach" means "the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
3. According to Article 5(1)(f) of the GDPR, personal data are "processed in a way that guarantees the appropriate security of personal data, including their protection against unauthorized or illegal processing and accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality")".
4. According to Article 24 of the GDPR: "1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying probability of occurrence and severity for the rights and freedoms of natural persons, the controller applies appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. These measures are reviewed and updated when deemed necessary. 2. Where justified in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller."
5. According to Article 25 of the GDPR: "1. Taking into account the latest developments, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability of occurrence and severity to the rights and freedoms of natural persons posed by the processing, the controller effectively implements, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to implement data protection principles, such as data minimization, and to integrate the necessary safeguards into the processing in such a way as to meet the requirements of this Regulation and to protect the rights of the data subjects."
6. According to Article 28 of the GDPR: "1. Where the processing is to be carried out on behalf of a controller, the controller shall only use processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures, in such a way that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject. 2. (…) 3. The processing by the processor is governed by a contract or other legal act governed by Union or Member State law, which binds the processor in relation to the controller and determines the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. The said contract or other legal act provides in particular that the processor: (…) c) takes all the necessary measures pursuant to Article 32 (…) f) assists the controller in ensuring compliance with the obligations arising from Articles 32 to 36, taking into account the nature of the processing and the information available to the processor (…), h) makes available to the controller all necessary information to demonstrate compliance with the obligations established in this Article and allows and facilitates audits, including inspections, carried out by the controller or another auditor mandated by the controller."
7. According to Article 31 of the GDPR: "The controller and the processor and, where appropriate, their representatives shall cooperate, upon request, with the supervisory authority in the exercise of its duties."
8. According to Article 32 of the GDPR: "1. Taking into account the latest developments, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability of occurrence and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures in order to ensure a level of security appropriate to the risks, including, among others, as appropriate: a) the pseudonymization and encryption of personal data, b) the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services on an ongoing basis, c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, d) a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures for ensuring the security of the processing. 2. When assessing the appropriate level of security, particular consideration shall be given to the risks arising from processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. 3. (…) 4. The controller and the processor shall take measures to ensure that any natural person acting under the supervision of the controller or the processor who has access to personal data processes it only on instructions from the controller, unless required to do so by Union or Member State law."
9. According to Article 33 of the GDPR: "1. In the event of a personal data breach, the controller shall notify the supervisory authority competent in accordance with Article 55 without delay and, if possible, within 72 hours of becoming aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. 2. The processor informs the controller immediately, as soon as it becomes aware of a personal data breach. 3. The notification referred to in paragraph 1 shall at least: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects, as well as the categories and the approximate number of affected personal data records, b) communicate the name and contact details of the data protection officer or other point of contact from which more information can be obtained, c) describe the likely consequences of the personal data breach, d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, as well as, where appropriate, measures to mitigate any adverse consequences thereof. 4. Where it is not possible to provide the information at once, it may be provided in phases without undue delay. 5. The controller documents each personal data breach, comprising the facts concerning the personal data breach, its consequences and the corrective measures taken. Such documentation shall enable the supervisory authority to verify compliance with this Article."
10. According to Article 34 of the GDPR: "1. When the personal data breach is likely to put the rights and freedoms of natural persons at high risk, the controller shall communicate the personal data breach to the data subject without undue delay. 2. The communication to the data subject referred to in paragraph 1 of this Article clearly describes the nature of the personal data breach and contains at least the information and measures referred to in Article 33(3)(b), (c) and (d). 3. The communication to the data subject referred to in paragraph 1 is not required if any of the following conditions are met: a) the controller has implemented appropriate technical and organizational protection measures, and these measures have been applied to the personal data affected by the breach, in particular measures that make the personal data unintelligible to those not authorized to access it, such as encryption, b) the controller has subsequently taken measures that ensure that the high risk to the rights and freedoms of the data subjects referred to in paragraph 1 is no longer likely to materialise, c) it would involve disproportionate effort. In this case, a public announcement is made instead, or there is a similar measure by which the data subjects are informed in an equally effective way. 4.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met."

11. In the present case, it appears from the case file that, for the processing in question, sufficient security measures were not taken from the outset, by design, in relation to the corresponding risks to the rights and freedoms of natural persons, nor were there procedures in place for checking the effectiveness of the existing security measures. Specifically:

Appropriate technical and organisational measures had not been put in place to ensure the confidentiality of the personal data affected by the breach in question, which concern requests submitted by citizens to the controller on various matters. As follows from the description of the incident, unauthorised users could obtain, and/or did obtain, access to personal data of the controller's citizens, including, among other things, copies of police identity cards, solemn declarations by natural persons with all the fields of the solemn declaration form completed with personal data (such as full name, father's name, mother's name, date of birth, postal/e-mail address, tax identification number, etc.), driving licences, etc. As also appears from the history of the present case, unauthorised access was quite easy, since a user with basic technical knowledge of how web pages are built could easily "recognise" that this particular vulnerability existed.

There do not appear to have been sufficient control points to detect this type of personal data breach in time, such as regular monitoring, evaluation and assessment of the files in which accesses to the files containing citizens' personal data in the specific application are recorded (logs), in order to detect "suspicious" behaviour (i.e. user actions that could be interpreted as unauthorised access or attempted unauthorised access). This is also confirmed by the fact that the breach was noticed neither by the controller nor by the processor, even after the controller was first informed by the Authority following a complaint. This happened on all three (3) occasions on which the vulnerability existed and, therefore, a corresponding breach took place: the same breach occurred three (3) times, each time a new version of the application was put into operation. There was therefore no immediate, effective response to the incident. In particular, its treatment was temporary, since it consisted in the complete deactivation of the website in question, which prevented the controller's citizens from using the online service in question; each new activation of the website, however, still carried the same vulnerability, and this happened, as mentioned above, two more times. Furthermore, it appears that neither effective change management mechanisms nor mechanisms for identifying a security gap leading to a data breach incident were in place.

12. The controller does not have effective procedures for the control and evaluation of the processor. Firstly, the contract between the controller and the processor does not cover in detail the obligations of the processor towards the controller in relation to access to and processing of the personal data held in the application, as required by Article 28 GDPR, nor is there a separate contract on this matter; there is only a general reference to compliance with the applicable legislation, without the elements prescribed in Article 28(3) GDPR being specified (see also point 6 of the present decision). In addition, the controller reports that during the initial investigation of the incident the processor did not fully respond to its requests for clarifications about the incident.
Further, the details of the incident appear to have been provided by the processor to the controller in October 2023, approximately three (3) months after the incident occurred. It is noted, however, that the controller did not submit any evidence demonstrating the actions it took in order to obtain the necessary information from the processor as soon as possible.

13. With regard to the incomplete fulfilment of the conditions of Article 28(3) GDPR concerning the contract between the controller and the processor, it is pointed out that, as expressly stated in Guidelines 07/2020 of the European Data Protection Board (hereinafter EDPB) on the concepts of controller and processor (available at https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en), "since the Regulation establishes a clear obligation to conclude a written contract, if no other relevant legal act is in force, the lack of a contract constitutes a violation of the GDPR. Both the controller and the processor are responsible for ensuring that a contract or other legal act governing the processing is entered into. Without prejudice to the provisions of Article 83 GDPR, the competent supervisory authority has the possibility to impose an administrative fine against both the controller and the processor, taking into account the circumstances of each specific case." Consequently, the non-fulfilment of the conditions of Article 28(3) GDPR constitutes a violation by both the controller and the processor, and an administrative fine for that violation may, at the Authority's discretion, be imposed on both parties.

14. The controller initially assessed that communication of the incident to the data subjects was not required under Article 34 GDPR, taking into account the following criteria: the application was in test mode after the upgrade; the period during which the vulnerability existed was short; the number of files affected was small; the data in the files hosted in the specific application are considered to be of a simple nature; immediate corrective measures were taken; and the risks arising from the specific breach incident are characterised as small. As mentioned above in the history of the present case, the DPO, after re-evaluating the criteria, made a recommendation in July 2023 to the processor to inform the affected data subjects. The controller stated that it received all the detailed information on the data subjects who appear to have been affected by the above breach in early October, at which point the process of individually informing citizens was initiated, and is ongoing. This claim contradicts, in principle, the initial assessment that, on the basis of the information available to the controller, the files were of minor importance and the data subjects therefore did not need to be informed; moreover, that initial assessment was not sufficiently documented, taking into account the type and number of files with personal data that were breached. Furthermore, the controller does not mention any relevant action during the period July-October 2023, i.e. from the time the DPO recommended communicating the incident to the affected persons until the controller received the detailed information on the incident sent to it by the processor in order to handle it effectively, since the correct assessment was ultimately made almost three (3) months after the incident occurred.
Besides, the information which the controller ultimately provided, belatedly, to the affected persons was not correct: on the one hand because it refers to a cyber attack, whereas the incident is not related to a cyber attack, meaning any malicious action carried out via a computer or network for the purpose of modifying, destroying, stealing, intercepting or gaining unauthorised access to the owner's information (see in this regard Regulation (EU) 2019/881 (Cybersecurity Act), in which the term cyber attack is used in relation to the "perpetrators" who carry them out), and on the other hand because the personal data leaked to unknown third parties are not listed in detail. In addition, the controller did not update the notification of the incident to the Authority, as it should have.

15. The processor, as stated, does not have a formal and documented change management policy to ensure that changes to existing applications do not create security gaps. Nor did it emerge that the controller had imposed such a requirement on the processor. Furthermore, as emerges from the existing informal change process, the processor does not follow the optimal approach from a security point of view, namely that changes, and especially those related to security issues, are carried out in a test environment before being deployed to the production environment. On this issue, too, it does not appear that the controller had raised any specific requirement with the processor.

16. Therefore, based on the above, the Authority finds the following violations by the controller:
a. Violation of Article 5(1)(f) in conjunction with Article 32(1) GDPR regarding the security of processing (see point 11 above, point 12 as to the ineffectiveness of the controller's control of the processor, and point 15 as to the controller's failure to set minimum security requirements for the processor).
b. Violation of Article 25(1) GDPR regarding data protection by design, since measures to address the various risks to personal data were not taken by design (see point 11 above).
c. Violation of Article 28(3) GDPR regarding the elements that must be included in the contract between controller and processor (see points 12 and 13 above).
d. Violation of Article 33(4) GDPR, since new information about the incident was not provided to the Authority without delay (see point 14 above).
e. Violation of Article 34(1) and (2) GDPR, since the seriousness of the incident was not properly assessed so that the affected persons could be informed without delay, while the information ultimately provided was not entirely correct under those provisions (see point 14 above).

17. Furthermore, based on the above, the Authority finds the following violations by the processor:
a. Violation of Article 32(1) GDPR regarding the security of processing (see points 11 and 15 above).
b. Violation of Article 28(3) GDPR regarding the elements that must be included in the contract between controller and processor (see points 12 and 13 above).

18. Based on the above, the Authority considers that there are grounds for exercising its corrective powers under Article 58(2) GDPR in relation to the violations found.

19. The Authority further considers that, on the basis of the violations found, an effective, proportionate and dissuasive administrative fine should be imposed, pursuant to Article 58(2)(i) GDPR and in accordance with Article 83 GDPR and Article 39 of Law 4624/2019, on both the controller and the processor.

20. Furthermore, the Authority took into account the criteria for setting the fine laid down in Article 83(2) GDPR (Article 83(5) applies to the controller for the violation of Article 5(1)(f) GDPR, and Article 83(4) to the controller's other violations and to the processor's violations), Article 39(1) and (2) of Law 4624/2019 on the imposition of administrative sanctions on public sector bodies, the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24/5/2023 (https://edpb.europa.eu/system/files/2023-06/edpb_guidelines_042022_calculationofadministrativefines_en.pdf), as well as the facts of the case under consideration, and in particular the following:
i) The established violation of Article 5(1)(f) GDPR by the controller falls, under Article 83(5)(a) GDPR, into the highest category of the grading system of administrative fines ("significant" violations, with a maximum amount of 20,000,000 euros).
ii) The activity is related to the controller's core activities, since the issuing of copies of certificates to citizens is among the controller's responsibilities and is exercised daily.
iii) The number of data subjects who appear to have been affected cannot be considered small, as some nine hundred (900) data subjects, users of the controller's services, appear to have been affected, while the fact that the incident was not adequately addressed, so that the same incident occurred three (3) times, could potentially have affected a larger number of data subjects.
iv) The processing mainly concerns "simple" personal data, which, however, also include data such as police identity cards or passports that can easily be used in identity theft (e.g. in online environments) and are therefore considered data whose breach can result in serious risks (see in this regard point 57 of the EDPB Guidelines 4/2022).
v) The controller showed difficulty in cooperating with the Authority, failing to provide in good time the information requested of it.
vi) Although the violation did not last long, as the controller immediately stopped the operation of the website, there were several failed restart attempts with the same security gap, which was noticed neither by the controller nor by the processor and could therefore potentially have lasted longer.
vii) No material damage to the data subjects has been established.
viii) No previous corresponding violation by the controller or the processor has been established.
ix) The processor is a small company, as it is a general partnership (O.E.).

21. The Authority considers that, based on the circumstances established and the above criteria, the sanctions set out in the operative part of the decision constitute an effective, proportionate and dissuasive measure both to restore compliance and to punish the unlawful conduct.

FOR THESE REASONS

The Authority, taking into account the above:
a) Imposes on the Municipality of Alimos, pursuant to Article 58(2)(i) GDPR, an administrative fine of 10,000 euros in total for the violation of Article 5(1)(f) in conjunction with Article 32(1) of Regulation (EU) 2016/679.
b) Imposes on the Municipality of Alimos, pursuant to Article 58(2)(i) GDPR, an administrative fine of 5,000 euros in total for the violation of Articles 28(3), 33(4) and 34(1) and (2) of Regulation (EU) 2016/679.
c) Issues, pursuant to Article 58(2)(b) GDPR, a reprimand to the Municipality of Alimos for the violation of Article 25(1) of Regulation (EU) 2016/679.
d) Imposes on the company "TEST INFORMATION SYSTEMS O.E.", pursuant to Article 58(2)(i) GDPR, an administrative fine of 5,000 euros in total for the violation of Articles 32(1) and 28(3) of Regulation (EU) 2016/679.

The President: Konstantinos Menudakos
The Secretary: Irini Papageorgopoulou
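The two technical gaps the decision identifies in points 11 and 15, a file URL whose last five-digit number could simply be changed to reach another citizen's file, and the absence of any review of the access logs that would have shown someone doing exactly that, are illustrated below as an added editorial example in Python. This is not the municipality's application and nothing in it comes from the HDPA decision: the /files/<id> route, the ownership table, the client addresses and the log lines are all constructed for illustration.

```python
"""Added example: object-level authorisation on a file-download URL and a
log review that flags sequential id enumeration. Nothing here comes from the
HDPA decision or the municipality's application; the /files/<id> route, the
ownership table and the log lines are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Hypothetical ownership table: file id -> account of the citizen who filed it.
FILE_OWNERS: Dict[int, str] = {
    10231: "citizen_a",
    10232: "citizen_b",
    10233: "citizen_b",
    10234: "citizen_c",
}


def lookup_vulnerable(file_id: int) -> bool:
    """The pattern the decision describes: whoever knows or guesses the id in
    the URL gets the file. The only check is whether the id exists."""
    return file_id in FILE_OWNERS


def lookup_hardened(requester: Optional[str], file_id: int) -> bool:
    """Object-level authorisation: the file is served only to its owner.
    Anonymous visitors and other citizens get the same negative answer, so a
    guessed id reveals nothing about whether the file exists."""
    if requester is None:
        return False
    return FILE_OWNERS.get(file_id) == requester


# Matches the start of a combined-format access log line for the file route.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /files/(?P<id>\d{5}) HTTP/1\.[01]" (?P<status>\d{3})'
)


def detect_enumeration(log_lines: Iterable[str], min_run: int = 5) -> Dict[str, int]:
    """Return {client_ip: longest run of consecutive file ids} for clients whose
    longest run is at least `min_run`. A visitor "changing the last five-digit
    number" of the URL produces exactly such a run, whatever the status codes,
    so 404s for ids that do not exist are counted as well."""
    ids_by_ip: Dict[str, List[int]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].append(int(m["id"]))
    flagged: Dict[str, int] = {}
    for ip, ids in ids_by_ip.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


# Constructed sample log: one citizen fetching two of their own files, and one
# client walking ids 10230..10239 in order (some exist, some do not).
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [12/Jul/2023:10:14:55 +0300] "GET /files/10231 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_LOG += [
    f'198.51.100.7 - - [12/Jul/2023:10:15:{i:02d} +0300] "GET /files/{10230 + i} HTTP/1.1" '
    f'{200 if (10230 + i) in FILE_OWNERS else 404} 512 "-" "curl/8.0"'
    for i in range(10)
]
SAMPLE_LOG.append(
    '203.0.113.5 - - [12/Jul/2023:10:16:02 +0300] "GET /files/10233 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
)


def review_sample_log() -> Dict[str, int]:
    """Run the detector over the constructed log."""
    return detect_enumeration(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, run in review_sample_log().items():
        print(f"{ip}: {run} consecutive file ids requested")
```

The hardened lookup is the check that was missing by design (point 11): it ties every file to the account that submitted it and refuses everyone else, including anonymous visitors, so changing the number in the URL no longer yields another citizen's document. The detector is the kind of periodic log review the decision says would have surfaced the breach before the Authority did; it flags the walking client after its run of consecutive ids, while the citizen fetching only their own two non-adjacent files is not reported. In a real deployment the same logic would run over the web server's access log on a schedule and raise an alert, which is also what would have caught the vulnerability returning with each redeployment (point 15).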