HDPA (Greece) - 28/2023

From GDPRhub
HDPA - 28/2023
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 58(2) GDPR
National Law 4624/2019 (Article 15) Paragraph 8
Type: Other
Outcome: n/a
Started: 20.06.2023
Decided: 24.07.2023
Published:
Fine: n/a
Parties: Municipality X (To ensure the confidentiality of the specific municipality, the term "X" is employed as a placeholder.)
National Case Number/Name: 28/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Inder

An individual reported a personal data breach on Municipality X's website: files containing citizens' personal data could be retrieved by any user simply by changing the numeric identifier at the end of the URL. Despite Municipality X's corrective measures, the files became accessible again in the same way, posing high risks to a large number of individuals. With clarifications from the Municipality still pending, the President of the Authority issued an interim order under Article 58(2) GDPR and Article 15(8) of Law 4624/2019, requiring the Municipality to restrict access to the files to authorised users or the data subjects themselves until a new decision is issued.

English Summary

Facts

An individual reported a personal data breach on Municipality X's website ("Χ" is the placeholder used by the HDPA for anonymisation). The complaint revealed that files containing personal data of Municipality X's citizens were easily accessible to any user of the website, an unauthorised disclosure of personal data. Access was obtained simply by changing the last five-digit number appearing in the file's URL.

The Hellenic Data Protection Authority (HDPA) intervened promptly. On 21-06-2023 it informed Municipality X of the breach orally. In response, Municipality X immediately took the website offline and notified the Authority of the personal data breach. It also provided clarifications on the incident and on the corrective measures it had taken, including that downloading a file would no longer require the file's numeric ID but its GUID.

Holding

Despite the corrective actions reported by Municipality X, the website remained vulnerable and personal data continued to be exposed. Access to the files on the website was not adequately restricted, posing a high risk to a large number of individuals.

Since several key aspects of the incident remained unclear, the Authority sent the Municipality a further document containing specific additional questions. At the time of the decision, the Authority had not yet received answers to these questions.

While those clarifications were still pending, the website came back online and, despite the corrective actions the Municipality had described, the files were once again easily accessible in exactly the same way as described in the original complaint of 20-06-2023.

Given the unresolved issues and the substantial risk to a large number of persons, the Authority exercised its powers under Article 58(2) GDPR and Article 15(8) of Law 4624/2019 and issued an interim order to Municipality X to take immediate action to restrict access to the personal data files on its website. The order requires that, as long as the relevant web application is operational, the files containing users' personal data are accessible only to properly authorised users or to the data subjects themselves, and are not easily accessible to other Internet users in the manner described in the case history. The restriction remains in effect until the Authority issues a new decision.
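The access-control failure at issue here is an insecure direct object reference: a sequential numeric ID in the URL selects the file, and nothing checks who is asking. The decision records that the Municipality's planned fix was to key downloads on a GUID instead of the ID, and that the files nevertheless became reachable again "in exactly the same way", which suggests the original route was still being served. The following is an added illustration, not code from the decision or from Municipality X; the handler names, the role set and the sample files are constructed assumptions. It shows the vulnerable pattern, the GUID-only variant, and a handler that enforces the order's actual requirement (file released only to its data subject or an authorised user), plus the enumeration loop the complainant's technique amounts to.

```python
"""Added example: simulated file-download handlers for an IDOR case.
All data, names and roles below are constructed; nothing here is from the
HDPA decision or the municipality's application.
"""
import uuid
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Response = Tuple[int, Optional[str]]  # (HTTP-style status, body or None)


@dataclass(frozen=True)
class StoredFile:
    file_id: int   # sequential numeric ID, the kind exposed in the original URL
    guid: str      # random identifier of the kind the municipality planned to use
    owner: str     # the data subject the file belongs to
    content: str


# Constructed sample data: three citizens' files with consecutive five-digit IDs.
FILES = [
    StoredFile(10001, str(uuid.uuid4()), "citizen_a", "tax certificate of A"),
    StoredFile(10002, str(uuid.uuid4()), "citizen_b", "birth certificate of B"),
    StoredFile(10003, str(uuid.uuid4()), "citizen_c", "residence certificate of C"),
]
BY_ID = {f.file_id: f for f in FILES}
BY_GUID = {f.guid: f for f in FILES}

# Hypothetical role set: municipal clerks may read every file, citizens only their own.
AUTHORIZED_ROLES = {"clerk"}


def download_by_id(file_id: int, user: Optional[str]) -> Response:
    """Vulnerable handler, the pattern the complaint describes: whoever supplies
    an ID gets the file. No login, no ownership check, and IDs are guessable."""
    f = BY_ID.get(file_id)
    return (200, f.content) if f else (404, None)


def download_by_guid(guid: str, user: Optional[str]) -> Response:
    """GUID-only handler, the remediation the decision records. Enumeration becomes
    impractical, but anyone holding the GUID (forwarded link, proxy log, referrer)
    still gets the file, and if the old ID route stays reachable nothing changed."""
    f = BY_GUID.get(guid)
    return (200, f.content) if f else (404, None)


def download_authorized(guid: str, user: Optional[str], role: Optional[str] = None) -> Response:
    """Hardened handler: the order's requirement expressed in code. The file is
    released only to the data subject it belongs to or to an authorised role.
    Anonymous callers get 401; a caller who is neither owner nor authorised gets
    404 rather than 403, so the response does not confirm that the GUID exists."""
    if user is None:
        return (401, None)
    f = BY_GUID.get(guid)
    if f is None:
        return (404, None)
    if f.owner != user and role not in AUTHORIZED_ROLES:
        return (404, None)
    return (200, f.content)


def enumerate_ids(handler: Callable[[int, Optional[str]], Response],
                  start: int, stop: int) -> List[int]:
    """Models the complainant's technique: walk a range of five-digit IDs and record
    every one the handler serves to an anonymous caller."""
    return [i for i in range(start, stop) if handler(i, None)[0] == 200]


if __name__ == "__main__":
    print("IDs served to an anonymous user by the vulnerable handler:",
          enumerate_ids(download_by_id, 10000, 10010))
    g = FILES[0].guid
    print("anonymous, GUID-only route:", download_by_guid(g, None)[0])
    print("anonymous, hardened route:", download_authorized(g, None)[0])
    print("owner, hardened route:", download_authorized(g, "citizen_a")[0])
    print("other citizen, hardened route:", download_authorized(g, "citizen_b")[0])
    print("clerk, hardened route:", download_authorized(g, "staff_1", "clerk")[0])
```

The point of the three handlers side by side: an unguessable identifier lowers the cost of discovery but is not an access check, so a link that leaks once leaks forever, and it does nothing if the numeric route remains deployed alongside it. What the order demands is the third form, where the decision to release a file depends on the authenticated caller's relationship to that file, independently of how the file was addressed.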


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 24-07-2023
Prot. No.: 1973

Decision of the President of the Authority no. 28/2023 (Single person body – Temporary Order)

The President of the Authority, as a one-person body under article 17 par. 1 of Law 4624/2019 (Government Gazette A' 137), in the context of the powers provided for in articles 4 par. 3 point a' and 10 par. 4 of the Regulation on the Authority's Operation (Government Gazette B' 879/25.02.2022) and the powers provided for in article 15 par. 8 of Law 4624/2019 in conjunction with article 58 par. 2(f) of Regulation (EU) 2016/679 (GDPR), considered the case set out below in the history of this decision.

The Authority took into account the following:

1. Because with complaint No. G/EIS/4615/20-06-2023, A (hereinafter the complainant) informed the Authority of a personal data breach at Municipality X. According to the complaint, files containing personal data of citizens of Municipality X were easily accessible to any user through the "..." website, by changing the last five-digit number appearing in the relevant web address (URL). Following an oral notification of Municipality X by the Authority on 21-06-2023, the Municipality immediately stopped the operation of the website and subsequently submitted personal data breach notification No. C/EIS/4715/23-06-2023 to the Authority, and with its document No. C/EIS/4747/26-06-2023 it provided the Authority with certain clarifications on the incident, stating among other things that, in order to address the problem, downloading a file from the site would no longer require the file's ID but its GUID.

2. Because the Authority is examining both the said complaint and, ex officio, the personal data breach incident and the related processing of personal data. In this context, the Authority sent the Municipality document prot. no. C/EXE/1649/27-06-2023, requesting further clarifications on the incident.

3. Because on 03-07-2023, despite the corrective actions which the Municipality claimed to have taken, the above website became available again and the files were again easily accessible in exactly the same way, as the complainant pointed out in his latest document (prot. no. C/EIS/4916/03-07-2023) and as the Authority confirmed. After the Authority again informed the Municipality by telephone, Municipality X shut down the operation of the website once more on 03-07-2023. Subsequently, the Municipality again provided its views to the Authority with its document No. C/EIS/5144/12-07-2023, answering some of the questions raised in the Authority's above-mentioned document C/EXE/1649/27-06-2023.

4. Because after the latest clarifications from Municipality X, and given that several important aspects of the incident still remain unclear, the Authority sent the Municipality a new document with new, specific questions (prot. no. C/EXE/1783/13-07-2023), to which it has not yet received answers.

5. Because on 19-07-2023, while the additional clarifications from Municipality X were still pending, the website became available again and, despite the corrective actions which, according to its document of 26-06-2023, it had already taken, the files are again easily accessible in exactly the same way, as was also the case on 03-07-2023.

6. Because the Authority has, under article 15 par. 8 of Law 4624/2019 in combination with article 58 par. 2 of the GDPR, the power to issue ex officio a temporary order imposing an immediate total or partial, temporary limitation of processing.

7. Because the collection, storage, use, dissemination or any other form of making available of personal data constitutes processing within the meaning of Article 4 par. 2 of the GDPR.

8. Because in the present case, from the above breach incident, as a result of which files containing personal data of citizens of this Municipality have become easily accessible to any user of the website of Municipality X, high risks arise for a large number of persons.

FOR THESE REASONS THE AUTHORITY

Orders Municipality X to take all necessary measures to limit the free access of Internet users to the files containing personal data on the above website and to ensure that, as long as the relevant application is operating, files containing personal data of its users are available only to properly authorised users or to the data subjects themselves, without being easily accessible to other Internet users in the manner described in the present history, until a new decision is issued by the Authority.