EDÖB/PFPDT/IFPDT (Switzerland) - Xplain
Revision as of 13:05, 8 January 2025
| EDÖB/PFPDT/IFPDT - Xplain | |
|---|---|
| Authority: | EDÖB/PFPDT/IFPDT (Switzerland) |
| Jurisdiction: | Switzerland |
| Relevant Law: | Art. 49 Loi fédérale sur la protection des données |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 16.05.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Xplain |
| National Case Number/Name: | Xplain |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | PFPDT (in FR) |
| Initial Contributor: | elu |
Following a ransomware attack involving data from the Federal Government, the Federal Data Protection and Transparency Officer reprimanded a software provider for its lack of appropriate measures to ensure data protection.
English Summary
Facts
The software provider Xplain, the controller, was the victim of a ransomware attack, in the course of which data stored on the Xplain server was published on the dark web. This data included personal data related to the Federal Government, including sensitive data. The Federal Data Protection and Transparency Officer (hereinafter: DPA) opened investigations against the Federal Office of Police and the Federal Office for Customs and Border Security, as well as against the controller.
Holding
Two key elements were considered by the DPA: the circumstances in which the Federal Offices submitted data to the controller and the circumstances in which the controller kept them on its server.
The DPA considered that neither of the two Federal Offices had clearly agreed with the controller on the modalities of data storage on its server. More specifically, no specific requirements had been defined for the transmission of data or for data security on the controller's side. As a result, the controller's server held a disproportionate amount of personal data, including a collection of “unstructured data from federal offices”.
Therefore, the DPA found that the controller did not take the appropriate measures to ensure data security and protection. The DPA highlighted that the controller violated the principles of purpose limitation and proportionality behind the retention of personal data.
The DPA concluded by issuing recommendations to the controller. Implementing those recommendations aims to reduce the risk of a further data protection breach. The recipients have 30 days to inform the DPA whether they accept its recommendations.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Federal Data Protection and Information Commissioner, Bern, 01.05.2024 - In all three investigations, the FDPIC found violations of the Data Protection Act due to errors in support processes. The results of the investigations show that, on the one hand, the necessary data protection measures were not taken when personal data were transmitted by the Federal Offices of Police and Customs and Border Security to Xplain and that, on the other hand, this data was subsequently stored by Xplain in violation of data protection and partly in violation of contractual obligations.

Following a ransomware attack on the company Xplain in May 2023, a large amount of personal data of the federal administration, including sensitive data, was published on the darknet. This data had been stored on an Xplain server. The FDPIC then opened two investigations on 20 June 2023 against the Federal Offices of Police (fedpol) and Customs and Border Security (FOFD), and then on 13 July 2023 an investigation against the company Xplain. In particular, it examined the circumstances in which the offices subject to the investigations had transmitted data to Xplain and the circumstances in which Xplain had stored them on its server.

In its reports, the FDPIC found that neither fedpol nor the FOFD had clearly agreed with Xplain whether, and under what conditions, personal data could be stored on Xplain's server as part of the support. It should have been explicitly provided to what extent personal data could be transmitted to and stored by Xplain. The process in place was organised in such a way that personal data was transmitted to Xplain as part of the support, without any specific requirements having been defined for the transmission and compliance with data security on the company's side. The Xplain server thus contained a collection of unstructured data from federal offices. The FDPIC also found that the amount of personal data transmitted in this context was disproportionate.

Xplain did not have access to the fedpol or FODF databases. However, the company should have known that the support functions it had programmed could contain personal data and that, consequently, this data could be processed on its server. As a subcontractor, Xplain did not take appropriate measures to guarantee data security and information protection as required by good practice. From a data protection perspective, the company violated the principles of purpose and proportionality that govern the retention of personal data. It also violated its contractual obligations regarding the retention of this personal data, which nevertheless provided for the occasional deletion of the data.

The FDPIC has made recommendations to the OFDF, fedpol and Xplain, the implementation of which is intended to sustainably reduce the risk of further data protection violations. The three recipients have 30 days to inform the FDPIC whether they accept its recommendations.

Note: In parallel with the investigation conducted by the FDPIC, as an independent investigating authority in accordance with the Data Protection Act, an administrative investigation was ordered by the Federal Council pursuant to the Government and Administration Organisation Act. The final report of this investigation, which also covers the data flows of Xplain AG, will also be published on 1 May 2024. The two investigations were conducted separately.

Address for questions: Federal Data Protection and Information Commissioner (FDPIC), Tel. +41 58 462 99 31, info@edoeb.admin.ch

Author: Federal Data Protection and Information Commissioner, https://www.edoeb.admin.ch/edoeb/fr/home.html