EDÖB/PFPDT/IFPDT (Switzerland) - Concevis
Latest revision as of 17:52, 8 January 2025
Authority: EDÖB/PFPDT/IFPDT (Switzerland)
Jurisdiction: Switzerland
Relevant Law: Loi fédérale sur la protection des données (LPD)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 20.12.2024
Fine: n/a
Parties: Concevis
National Case Number/Name: Concevis
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: EDÖB/PFPDT/IFPDT (in FR), https://www.edoeb.admin.ch/edoeb/fr/home/kurzmeldungen/2024/concevis.html
Initial Contributor: elu
Following a ransomware attack on a software engineering firm, the Federal Data Protection and Information Commissioner (FDPIC) advised the firm and the Swiss Federal Statistical Office to conclude clearer contracts with service providers and to define the life cycle of the data, from entry to destruction, in such contracts.
English Summary
Facts
In November 2023, the software engineering firm Concevis, the controller, suffered a ransomware attack. Concevis processed data for its clients, including the Federal Statistical Office (FSO), and both the FSO and Concevis reported the incident because FSO data had possibly fallen into the hands of the attackers.
Subsequently, the Federal Data Protection and Information Commissioner (FDPIC, hereinafter: DPA) opened an informal preliminary investigation against the controller and the Federal Statistical Office and informed the public in a brief.
Holding
The DPA conducted the preliminary investigation and found no ground to open a formal investigation within the meaning of Article 49 of the Loi fédérale sur la protection des données (LPD), as no serious breaches were found.
The preliminary investigation revealed that the data affected by the attack was encrypted and that it was unlikely that the attackers were able to read it. However, the DPA highlighted some elements in need of correction: certain aspects of the data processing between the Federal Statistical Office and the controller should have been defined more clearly, and contracts concluded by administrative units of the Confederation with service providers must precisely define the life cycle of the data, from its entry to its destruction. The DPA also noted the need for such contracts to clearly regulate the possibility for the office or external service providers to carry out checks and audits. Finally, it reminded the controller and the Federal Statistical Office of the recommendations issued in the Xplain decision (https://www.edoeb.admin.ch/edoeb/fr/home/kurzmeldungen/nsb_mm.msg-id-100884.html), which are of general scope.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
20.12.2024 - Closure of an informal preliminary investigation into indications of violations of data protection regulations

In November 2023, the software company Concevis was the victim of a ransomware attack. The Federal Statistical Office (FSO) was one of its customers. Both the FSO and Concevis reported the incident to the FDPIC, since FSO data had possibly fallen into the hands of the perpetrators of the attack. The FDPIC then opened an informal preliminary investigation against the FSO and Concevis and informed the public in a brief.

The FDPIC's examination concluded that the opening of a formal investigation within the meaning of Art. 49 LPD was not necessary, as no serious breaches were found. Furthermore, the data affected by the cyberattack were encrypted and it is unlikely that the perpetrators of the attack could have read them.

However, the FDPIC found that certain elements relating to the processing of data between the FSO and Concevis should have been defined more clearly. It therefore stressed that contracts concluded by administrative units of the Confederation with service providers must precisely define the life cycle of the data, from their entry to their destruction. It also noted the need to clearly regulate the possibility for the office or external service providers to carry out checks and audits. Finally, the FDPIC reminded the FSO and Concevis of the recommendations issued in the Xplain case, which are of general scope.