APD/GBA (Belgium) - 170/2023
Latest revision as of 15:29, 26 January 2024
| APD/GBA - DOS-2019-04346 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 24 GDPR, Article 32 GDPR, Article 33 GDPR |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | 20.12.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | DOS-2019-04346 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données (in FR) |
| Initial Contributor: | ar |
The Belgian DPA investigated the controller’s practices following a data breach involving almost 90,000 data subjects. No violation was found since the data breach was an isolated incident and the controller complied with Article 33 GDPR.
English Summary
Facts
An investigation was started on 20 December 2019 over the practices of the controller. The controller owned a platform which allowed data subjects to access their data and loyalty points and use them to benefit from promotions offered by different shops that posted their offers on the platform.
The investigation was prompted by a data leak that occurred on the platform of the processor and that was notified to the Belgian DPA in accordance with Article 33 GDPR. Nonetheless, there were suspicions that the controller had not complied with Article 32 GDPR, especially considering the high number of data subjects affected (89,429) and the nature of the data disclosed, including the card number, e-mail address and telephone number.
The DPA held a hearing on the matter on 1 December 2023.
Holding
The DPA commented that the information provided by the controller following the data leak indicated that the controller's practices might not have complied with the GDPR.
In this context, the DPA affirmed that it was important to consider not only the impact of the data leak on the large number of people involved but also the nature of the data, which potentially consisted of financial data. According to the DPA, there was in fact a risk that the payment details had been leaked as well.
However, based on the information provided by the controller, the DPA noted that in the circumstances of the data leak, the incident was limited and did not impact the payment details of the data subjects. Moreover, the DPA acknowledged that the controller had also, out of prudence, informed the data subjects concerned on 22 August 2019 of the data leak so that they could take possible precautionary measures, if necessary. Thus, the controller acted in accordance with Article 33 GDPR and Article 34 GDPR. In addition, considering that the controller had no history of repeated data breaches indicating systematic failures, it also fulfilled its obligations under Article 24 GDPR and Article 32 GDPR. Furthermore, the documents provided by the controller allowed the DPA to understand the approach adopted by the controller to avoid future data breaches, such as its commitment to review and improve its data security measures and to carry out audits.
Therefore, the DPA found no breach of the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision on the merits 170/2023 of December 20, 2023
File number: DOS-2019-04346
Subject: Data leak as part of a loyalty program

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, and Mr. Dirk Van Der Kelen and Christophe Boeraeve, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "the GDPR";

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter "the LCA");

Having regard to the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

Has taken the following decision regarding:

The defendant: Y, represented by Maître Cédric Burton and Maître Laura Brodahl, hereinafter "the defendant"

I. Facts and procedure

A. Investigation by the Inspection Service

1. On December 20, 2019, the Management Committee of the Data Protection Authority (hereinafter "the APD") decided to refer a case to the APD Inspection Service on the basis of article 63, 1° of the LCA, considering that there seemed to be serious indications that the defendant did not comply with the obligations arising from Article 32 of the GDPR. The elements taken into consideration in this regard by the Management Committee were the extent of the data leak, the number of people affected, amounting to 89,429, distributed across 27 EU Member States, as well as the nature of the data that was disclosed, namely the card number, the name of the person concerned, their date of birth, their sex, their address, their e-mail address, their telephone number, their mobile number and a unique identification number.

2. Following the processing by the APD General Secretariat of the data leak that occurred at the defendant on August 19, 2019 and of the complaints lodged with the APD Front Line Service by people in Germany in their capacity as data subjects affected by the data leak, the file was examined by the General Secretariat and transmitted to the Management Committee under article 63, 1° of the LCA, with a view to referral to the Inspection Service; the individual complaints from German citizens, after having been declared admissible by the Front Line Service, were also transmitted to the Inspection Service pursuant to article 96, §1 of the LCA in conjunction with article 63, 2° of the LCA.

3. The reason for the above-mentioned referral was a specific data leak at the level of a subcontractor of the defendant. This subcontractor manages the (..) program platform on which cardholders can enroll in a loyalty program based on points they earn for using their card to make purchases. This platform allowed cardholders to access their data, including their points balance, and then use them to benefit from promotions offered by participating merchants who posted their offers on the platform. The subcontractor in turn called on a subcontractor of its own for external hosting/logging.

4. On July 20, 2023 the investigation by the Inspection Service was closed, the report was attached to the file and transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA), which gave rise to referral to the Litigation Chamber under article 92, 3° of the LCA. In its report, the Inspection Service had come to the conclusion that the large number of people affected by the data leak and compliance with the obligation to notify the DPA were not sufficient in themselves to conclude that there was an indication of a practice likely to give rise to a violation of the fundamental principles of personal data protection within the meaning of article 63, 1° of the LCA. For the rest, the inspection report does not include any finding of a violation of the GDPR on the part of the defendant.

B. Procedure before the Litigation Chamber

5. On September 27, 2023 the Litigation Chamber decided, under article 95, § 1, 1° and article 98 of the LCA, that the case could be processed on its merits. The defendant was informed by registered mail of the provisions set out in article 95, § 2 as well as in article 98 of the LCA. It was also informed, under article 99 of the LCA, of the deadline for transmitting its conclusions. The deadline for receipt of the defendant's conclusions in response was initially set for October 30, 2023, but was extended to November 15, 2023.

6. On October 6, 2023, the defendant requested a copy of the file (art. 95, §2, 3° LCA), which was sent to it on October 18, 2023, and completed on October 25, 2023. The defendant also agreed to receive all communications relating to the case by electronic means, in accordance with article 98 of the LCA.

7. On November 10, 2023, the parties were informed that the hearing would take place on December 1, 2023.

8. On November 15, 2023, the Litigation Chamber received the conclusions in response from the defendant. In addition to the defense on the merits, which mainly concerns the technical aspects of the Inspection Service's report, these conclusions also include some procedural defenses relating to the manner in which the Inspection Service was seized of the case and carried out the investigation.

9. On December 1, 2023, the defendant was heard by the Litigation Chamber and thus had the opportunity to present its arguments. The case was then deliberated by the Litigation Chamber.

10. On December 8, 2023, the minutes of the hearing were submitted to the defendant, in accordance with article 54 of the internal regulations. The defendant was thus offered the opportunity to add any comments in this regard as an annex to the minutes, without this implying a reopening of the debates.

11. On December 15, 2023, the Litigation Chamber received some remarks relating to the minutes, which it decided to include in its deliberations.

II. Motivation

A. Procedure

12. The defendant argues that an investigation by the Management Committee or the Inspection Service can be opened on their own initiative only if there are serious indications of non-compliance. According to the defendant, neither of these two bodies established the existence of such indications. They would therefore both have illegally conducted an investigation relating to the processing activities of the defendant.

13. In this regard, the Litigation Chamber must point out that the note sent by the General Secretariat to the Management Committee following the notification of the data leak by the defendant, which served as the basis for the decision of the Management Committee to transmit the file to the Inspection Service, clearly mentions that sufficient elements in the note indicate a practice which results in a violation of the fundamental principles of the protection of personal data (article 63, 1° of the LCA). The note in question explicitly highlights the large number of people affected by this data leak, distributed across 27 EU Member States. The note also points out that the APD had already received seven complaints from German citizens and that the supervisory authority of the German state of Hesse had itself received around three hundred complaints regarding this data leak, which could still be transferred to the APD.

14. The Litigation Chamber notes that, on the basis of the note, there were indeed serious indications that may point to a practice leading to violations of data protection. In this context, it was a question of taking into account not only the impact of the data leak on the large number of people concerned, but also the nature of the data, which potentially consisted of financial data. According to the Litigation Chamber, these indications constituted at least sufficient justification to examine whether the defendant's statement, as mentioned in the note, that the payment network is separated from the platform where the personal data of clients are collected within the framework of the (..) program, was accurate.

15. Obviously, it is only after an investigation by the Inspection Service that it can be established that, where applicable, there is no practice within the meaning of article 63, 1° of the LCA. This finding of the Inspection Service does not prejudice the lawfulness of the decision of the Management Committee according to which, on the basis of the elements available at that time and therefore before the investigation by the Inspection Service, there were serious indications requiring an investigation by the Inspection Service. The Litigation Chamber therefore considers that the Inspection Service acted in compliance with article 63, 1° of the LCA and validly carried out its investigation.

16. The defendant further argues that the APD makes no allegation of non-compliance. The defendant refers for this to the inspection report, in which no violation was noted, as well as to the letter of the Litigation Chamber in which the defendant is invited to comment on the measures it has taken in accordance with articles 24 et seq. of the GDPR.

17. The Litigation Chamber explains that it has been established that a data leak occurred in 2019, but that in its decision it wishes to take into account the evolution that has occurred in the meantime, in order to obtain an overall view of the current situation and arrive at a balanced opinion. It is only from this perspective that the Litigation Chamber has proceeded to examine this case as to its merits and that, within the framework of this procedure, it asked the defendant to provide explanations on the technical and organizational measures taken.

B. Technical and organizational measures

18. According to the information submitted by the latter, upon becoming aware of the data leak, the defendant immediately suspended the (..) program website and removed all access to data stored on the platform. The defendant assessed the impact of the incident and concluded that it did not pose a high risk to people. The incident was limited to the program and in no way impacted the payment network of the defendant. Nevertheless, out of an abundance of caution, the defendant also informed the persons concerned on August 22, 2019 so that they could take possible precautionary measures, if these proved necessary.

19. With regard to the data leak which gave rise to the present decision, the Litigation Chamber must therefore note that the defendant notified this data leak to the APD within the framework prescribed by article 33 of the GDPR, even though the data leak had been assessed by the defendant as presenting little risk to the persons concerned. With regard specifically to the notification of the data leak to the DPA, the defendant acted in compliance with the GDPR.

20. Furthermore, the factual elements of the file show that there were no repeated data leaks indicating systematic failures on the part of the defendant as a result of which it would have failed to fulfill the obligations imposed by article 24 juncto article 32 of the GDPR. On the contrary, the data leak constitutes a completely isolated event.

21. Furthermore, the documents placed in the file by the defendant allowed the Litigation Chamber to understand in depth the defendant's prospective approach to avoiding a repetition of the facts as they occurred. These measures were subject to an evaluation by the Litigation Chamber, which reached the following conclusions.

22. The defendant continues to successfully develop its processes with regard to suppliers. These developments include a number of initiatives that go beyond legal requirements. In the context of its commitment to ensuring continued security, the defendant reviews and improves its data security measures taking into account the technological progress available on the market, and following the constantly evolving "state of the art". In particular, the defendant:
- updated its due diligence questionnaires with regard to suppliers as well as its supplier risk assessment policies and processes;
- carried out audits of suppliers active in Europe;
- carried out a verification of the certifications of suppliers active in Europe;
- provided training to employees from different departments on the roles and responsibilities for managing supplier risks;
- immediately integrated the supplier management program into the other company processes;
- added a new risk level to its risk assessment model;
- updated its monitoring tools to make the control and monitoring of suppliers more efficient and the tools more flexible to manage;
- expanded its supplier evaluation team;
- updated its reassessment questionnaire;
- is implementing a new standardized list of security measures with which all suppliers must comply;
- refined its risk assessment process in order to distribute resources between departments more efficiently; and
- ensures ongoing awareness of the program towards suppliers, including through the training of executives and the involvement of the highest level of management, and widely communicates the email address to Business Owners so that they can easily contact the team for help or in case of problems with suppliers.

23. It appears from all of these elements that (i) the defendant quickly took the necessary steps as soon as the data leak occurred; (ii) the Inspection Service made no finding indicating that a violation had been committed on the part of the defendant; (iii) the defendant demonstrated in a detailed manner that thorough measures had been taken and that these measures are subject to permanent updating in order to prevent such events in the future. This leads the Litigation Chamber to conclude that no violation of the GDPR was committed by the defendant.

III. Publication of the decision

24. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. In accordance with its Policy regarding the publication of its decisions[1], the Litigation Chamber publishes each of its decisions with the aim of administrative transparency, which transparency is required for its missions as a data protection supervisory authority (article 57.1. b) and d) read jointly with Article 51 of the GDPR) as well as in its capacity as an administrative authority subject to the principles of good administration. It is for this reason that this decision is published.

25. However, it is not necessary for this purpose that the identification data of the parties be directly communicated.

26. In addition, in reaching the decision regarding publication, account was also taken of the fact that seven complaints had been lodged by German citizens wishing to know what security measures had been taken by the defendant in order to prevent data leaks. These complaints are directly linked to the data leak that is the subject of this decision. These complainants are not only entitled to a decision from the Litigation Chamber which must necessarily take up the same considerations as in this decision, but furthermore, one cannot ignore the fact that, by the nature of the facts on which their complaint is based and which target the defendant in this decision, the complainants are aware of the identity of the defendant. The Litigation Chamber does not, however, have the power to prohibit these complainants from making known the decision taken by the Litigation Chamber, nor to prohibit its publication. This is why the Litigation Chamber considers that it is not possible to accede to the defendant's request not to proceed with publication on the ground that publication of this decision could potentially affect the defendant in its daily functioning through an influx of questions from customers who would have been wrongly alarmed.

27. The Litigation Chamber considers, however, that this decision demonstrates on the other hand that the defendant has made every effort to carry out the processing of customers' personal data in compliance with the GDPR, in particular with regard to data security, and constitutes an example for its sector of activity with regard to data protection as well as continued attention and actions taken to constantly adapt to developments in this area.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to close this complaint without further action under article 100, § 1, 1° of the LCA, since no violation of the GDPR can be found in this regard.

In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code.[2] The interlocutory request must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code).[3]

(signed)
Hielke HIJMANS
President of the Litigation Chamber

[1] Data Protection Authority, Litigation Chamber, Publication policy of the decisions of the Litigation Chamber of December 23, 2020: https://www.autoriteprotectiondonnees.be/publications/politique-de-publication-des-decisions-de-la-chambre-contentieuse.pdf
[2] The request contains, on pain of nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or business number; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 6° the signature of the applicant or his lawyer.
[3] The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.