| APD/GBA - 05/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24 GDPR Article 32 GDPR Article 33 GDPR Article 34(1) GDPR Art. 126 WEC Art. 127 WEC Art. 122 WEC |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01/2021 |
| Published: | 01/2021 |
| Fine: | 25000 EUR |
| Parties: | n/a Cellphone number provider |
| National Case Number/Name: | 05/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Betreft : klacht wegens toekennen telefoonnummer klager aan een derde (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA (APD/GBA) held that sharing a phone number poses a high risk to a data subject and that this must be classified as a critical data breach, even if it concerns just one person and for a very short time.
English Summary
Facts
A third party visited a shop of the defendant (a provider of cellphone services) to change their mobile phone subscription. This third party used the phone and sim card number of the complaint. During this process, the mobile phone number of the complaint was transferred to a third party so that the complaint could not use its mobile phone number. The SIM of complaint was deactivated for the complaint and the third party had the possibility to access personal conversation data as well as linked accounts (PayPal, WhatsApp, Facebook) for three days.
Dispute
If a third party has access to a phone number, does this classify as a critical data breach?
Holding
One of the first arguments of the defendant is that it couldn't have known the identity of the third party as they are forbidden from collecting identification data for commercial purposes (article 127 WEC) when migrating from a prepaid to a postpaid abonnement.
However, the Dispute Chamber states that according to article 122 WEC, that this is possible when sending invoices or to protect the private life of the clients. The defendant had to check the identity of the third party, it is a legitimate purpose to prevent identity fraud with phone numbers as the impact on a data subject can be drastic.Not checking this is marked as grave negligence.
The defendant states that the impact on the personal life of the complaint is minimal which the Dispute Chamber dismisses as conversations are very personal and it is easy to access WhatsApp because only a phone number is required. SMS is also used for very personal things such as reminder of meetings (e.g. hospital, special categories of data) or it can be used to impersonate someone. The possession of a phone number creates a significant risk to the personal life of the data subject.
The Dispute Chamber states that defendant failed to respect the data breach notification deadline under Article 33(1) as this data breach poses a high risk to the data subject.
To determine the risks, the Dispute Chamber used the Guidance of WP29 250rev.01[1]. Possible damages for the usage of a phone number are discrimination, identity theft- and fraud, financial loss and reputation damage.The fact that it concerns one person and for a very short time are irrelevant as the risk is very high.
The controller must always implement the necessary technical and organisational measures to be in compliance with the GDPR and be able to demonstrate said compliance (Article 5(2) and Article 24 GDPR). It is one of the corner stones of the GDPR.
The defendant, as such, failed to take proactive measures: there was no verification of the identity of the third party and the data breach was not notified nor was it justified why this data breach was not necessary nor were there any logs on the data breach which is a breach of Article 33(5).
And even if a data breach poses no risks, it must still be logged internally.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/22
Litigation chamber
Decision on the merits 05/2021 of 22 January 2021
File number: DOS-2019-04867
Concerns: complaint about attributing the complainant's telephone number to a third party
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman and Messrs Jelle Stassijns and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive
95/46 / EC (General Data Protection Regulation), hereinafter GDPR;
In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter
WOG;
Having regard to the rules of internal procedure, as approved by the Chamber of
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
has taken the following decision regarding:
.
- the complainant: Mr X,.
.
- the defendant: Y Decision on the merits 05/2021 - 2/22
1. Facts and procedure
1. The complainant files a complaint against Y with the Data Protection Authority on 20 September 2019.
The complaint was declared admissible by the Primary Care Service on September 30, 2019. The complaint
implies that the complainant's mobile phone number would have been assigned to Y by his provider
a third, as a result of which the complainant no longer had access to his number. The complainant's SIM card
was deactivated and the third party could therefore have become aware of the personal GSM
the complainant's traffic and calls, as well as linked accounts (such as Paypal, WhatsApp and
Facebook) from 16 to 19 September 2019.
2. Since the complaint is directed against Y with its head office in Member State Z, the
Data protection authority contacted the supervisory authority in this Member State
in order to determine whether or not the complaint should be considered as cross-border.
That communication led to the handling of the complaint and the data processing
according to the national procedure of the Belgian data protection authority (art.56.2 GDPR) 1
with Y as defendant.
3. On April 15, 2020, the Disputes Chamber decided that the complaint is ready for handling
on the merits and notified to both the complainant and the defendant by registered mail
this decision. The parties were also informed of the provisions mentioned in
Article 98 of the WOG and the deadlines for submitting their defenses. The deadline
it was determined on 27 May 2020 for receipt of the defendant's statement of defense; the
deadline for receipt of the complainant's reply on 17 June 2020 and the
deadline for receipt of the defendant's reply on 8 July 2020.
4. By letter of 20 April 2020, defendant's counsel submitted to the file, copy
of the file and indicated that he wishes to be heard at a hearing
on the basis of Article 98, 2 ° WOG.
5. On 27 May 2020 the respondent filed a statement of defense.
6. Neither the complainant nor the defendant have made use of the option of submitting a conclusion
submit a reply. The complainant did not wish to make use of the opportunity to be heard
to become.
1 Article 56.2 reads: By way of derogation from paragraph 1, any supervisory authority is competent a complaint submitted to it or a
to deal with any breach of this Regulation if the subject-matter of that case relates only to an establishment
in its Member State or only for data subjects in its Member State. Decision on the merits 05/2021 - 3/22
7. On November 9, 2020, the defendant shall be declared in accordance with Article 53 of the Rules of Procedure of
internal order heard by the Disputes Chamber.
8. On November 19, 2020, the minutes of the hearing will be presented to the parties.
The parties did not respond to this.
9. On December 7, 2020, the intention to impose a fine was transferred to the
defendant. Respondent responded extensively to this intention on 22 December 2020.
2. Legal basis
Article 5.1.f GDPR
1 Personal data must:
f) by taking appropriate technical or organizational measures in such a way
processed to ensure adequate security, including protection
are against unauthorized or unlawful processing and against accidental loss, destruction or
damage (“integrity and confidentiality”).
Article 5.2 GDPR
The controller is responsible for and can demonstrate compliance with paragraph 1
(“Accountability”).
Article 24 GDPR
1. Taking into account the nature, scope, context and purpose of the processing, as well
with the different likelihood and severity risks to the rights and freedoms of
natural persons, the controller shall take appropriate technical and
organizational measures to guarantee and be able to demonstrate that the processing in
in accordance with this Regulation. Those measures are being evaluated and
updated if necessary.
2. When proportionate to processing activities, include those referred to in paragraph 1
measures an appropriate data protection policy adopted by the controller
is carried out. Decision on the merits 05/2021 - 4/22
3. Adherence to approved codes of conduct as referred to in Article 40 or approved ones
certification mechanisms as referred to in Article 42 can be used as an element to indicate
show that the obligations of the controller have been fulfilled.
Article 32 GDPR
1. Taking into account the state of the art, the implementation costs, as well as the nature, the
scope, context and purposes of the processing and the likelihood and severity
various risks to the rights and freedoms of individuals affect the
controller and processor appropriate technical and organizational
measures to ensure a level of security appropriate to the risk, which, where appropriate,
include the following:
a) the pseudonymisation and encryption of personal data;
(b) the ability to maintain confidentiality, integrity, availability and
ensure resilience of processing systems and services
(c) the ability, in the event of a physical or technical incident, to ensure the availability of and access to
to restore the personal data in a timely manner; (d) a procedure for regular testing,
assess and evaluate the effectiveness of the technical and organizational
security measures for processing.
2. In assessing the appropriate level of security, particular account shall be taken of
the processing risks, especially as a result of the destruction, loss, alteration or
unauthorized disclosure of or unauthorized access to forwarded, stored or
otherwise processed data, either accidentally or unlawfully.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved one
certification mechanism as referred to in Article 42 can be used as an element to demonstrate
that the requirements referred to in paragraph 1 of this Article are complied with.
4. The controller and processor shall take measures to ensure that
any natural person acting under the authority of the controller or of
the processor and has access to personal data, this only on behalf of the
the controller, unless he is under Union or Member State law to do so
held Decision on the merits 05/2021 - 5/22
Article 33 GDPR
1 If a personal data breach has occurred, the
controller without unreasonable delay and, if possible, no later than 72 hours
after taking note of it, to the competent person in accordance with Article 55
supervisory authority, unless it is unlikely that the breach is related to
personal data poses a risk to the rights and freedoms of natural persons. In the event that
the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by
a justification for the delay.
2. The processor shall inform the controller as soon as possible without unreasonable delay
he is aware of a personal data breach.
3. The notification referred to in paragraph 1 shall describe or communicate at least the following:
(a) the nature of the personal data breach, specifying where possible
the categories of data subjects and personal data registers in question and, approximately, the
number of data subjects and personal data registers concerned;
b) the name and contact details of the data protection officer or other person
contact point where more information can be obtained;
c) the likely consequences of the personal data breach;
(d) the measures proposed or taken by the controller to remedy the breach
in connection with personal data, including, where appropriate, the
measures to limit any adverse consequences thereof.
4. If and insofar as it is not possible to provide all information simultaneously, the
information is provided in stages without unreasonable delay.
5. The controller documents all breaches related to
personal data, including the facts about the breach in connection with
personal data, the consequences thereof and the corrective measures taken. That
documentation enables the supervisory authority to verify compliance with this Article
Article 34.1 GDPR Decision on the substance 05/2021 - 6/22
34.1 When the personal data breach is likely to pose a high risk
for the rights and freedoms of natural persons, the controller shares the
the data subject immediately notify the breach in connection with personal data.
3. Justification
3.1 Defenses and analysis of the Dispute Chamber
The procedure followed
10. Respondent has responded to the intention to impose a fine. The response keeps
among other things in that defendant is of the opinion that the rights of defense are
violated by the Dispute Chamber. According to the defendant, the disputes chamber
established infringements have little or no connection with the complainant's initial complaint.
Respondent argues that the complainant merely stated in his complaint that this was the case
violation of his privacy without specifying which violations were involved.
Respondent considers that it was the task of the Disputes Chamber to legalize that complaint
qualify and notify the defendant from the outset. Defendant argues that it is first
was notified on 7 December 2020, i.e. through the intention to impose the fine
of the specific infringements and has therefore not been able to defend itself effectively against
the charge. Moreover, in the present case, according to the defendant, it was necessary for the
Disputes Chamber would have arrested the Inspectorate. That did not happen and the Dispute Chamber
has qualified the facts legally after the debates have closed, according to the defendant.
11. The Disputes Chamber generally wishes to draw attention to the fact that the submission
of a complaint for the data subjects whose personal data are processed, uncomplicated
should be. The complaints procedure as provided for in Article 77 GDPR and detailed in the WOG is
intended as an alternative to recourse to a civil or administrative court. It
The right to complain to the GBA must remain easy and accessible for citizens. For example, the
For example, the legislator did not want parties to be always assisted by a lawyer. 2
Article 60 of the WOG sets low requirements for the admissibility of a complaint. For receptive
statement is only required that a complaint must be drawn up in one of the national languages, a
should contain a statement of the facts as well as the necessary indications for identifying
the processing to which it relates and must fall under the authority of the GBA.
The article does not require the complaint to be an alleged violation of a legal provision
must contain.
2
See, for example, Management Plan 2021 of the GBA, p. 18. Decision on the merits 05/2021 - 7/22
12. The Disputes Chamber will therefore not verify the validity of the complaint
whether the complainants in the complaint formally submitted to the GBA have the correct legal provision
invoked in support of their request, but whether the facts involved are an infringement
forms on one of the legal provisions with which the DPA must check compliance. The
The Disputes Chamber also points out that monitoring compliance with the GDPR is the main task
belongs to this body of a supervisor.
13. In an earlier decision, the Disputes Chamber considered as follows:
Likewise, the complainants do not have to provide all the pertinent facts of the alleged infringement in their complaint
to feed. The Disputes Chamber must be able to help them by asking specific questions about a
to obtain a good understanding in fact and in law of the possible infringement of a fundamental right for which
her attention is sought. The Disputes Chamber can also take into account any grievances
be set out later by the complainant in conclusion, provided that it concerns facts or
legal arguments related to the alleged infringement presented in the complaint, and with
observance of the rights of the defense. "
“During the procedure following the complaint, the Disputes Chamber therefore has the option to
to change the legal classification of the facts presented to it, or to create new facts
related to the complaint, without necessarily invoking the
intervention of the Inspectorate, more specifically by asking questions to the parties or by
to take into account new facts or qualifications invoked by conclusion, and this
within the limits of the adversarial debate, namely to the extent that the parties have the opportunity
have gotten to argue about these facts or legal qualifications in a manner that in
is in accordance with the rights of the defense. If necessary, it is on the
Litigation chamber to instigate this debate, either in its letter requesting conclusions in
to be submitted on the basis of Article 98 of the WOG, or later in the context of a reopening of
the debates. In this context, the fact that is taken into account does a new legal
qualification invoked by the complainant does not prejudice the fairness of the proceedings
and the equality of arms, a fortiori as the decisions of the Dispute Chamber
are admissible for an appeal procedure at the Marktenhof. ” 3
14. The Disputes Chamber finds - unlike the respondent - that the respondent fully and
has been able to defend against all alleged infringements and there has been no question of this
new facts that became known afterwards that the defendant was unable to challenge
3 Decision 17/2020 of the Dispute Chamber
https://www.dataprotectionautoriteit.be/publications/beslissing-ten-gronde-nr.-17-2020.pdf Decision on the merits 05/2021 - 8/22
to defend. After all, the respondent has answered by means of the statement of defense submitted by it
on 27 May 2020 we discussed in detail all (possible) violations and defended the
complaint and charges. The respondent argued in its conclusion - in short -
that all necessary technical and organizational measures and other precautions are taken
they were affected in order to prevent invasion of privacy. According to the defendant
therefore acted in accordance with Articles 5.1.f, 5.2, 24, 32, 33 and 34 GDPR. In addition
respondent acknowledges that there has been a data breach. However, she has disputed that there
of a data breach that is likely to be a high risk associated with the
personal data and which had been reported to the Data Protection Authority
(Article 33 GDPR). Another reason for not reporting was according to
respondent that the Data Protection Authority is more likely in a similar case of a
data breach in which a report was made, had not taken any further measures against
defendant. 4
The content of the case
15. The complainant has been a customer of the defendant since 11 June 2015 and purchases (prepaid) mobile telephone services.
The complainant's telephone number is for a period of four days, from 15 to 19
September 2019, awarded to a third party with the complainant's SIM card deactivated.
16. During these proceedings, the Disputes Chamber has attempted to gain insight into the progress of
the events leading to the attribution of the complainant's telephone number
a third. From this decision it becomes clear that there are a few things about the actual course
cannot be fully clarified. According to the defendant, the third is in one on September 11, 2019
of the defendant's stores in order to transfer the complainant's prepaid subscription
into a postpaid subscription (with accompanying smartphone device that after 24 months
subscription is paid off). According to the respondent, both the telephone number and the
SIM card number of the complainant provided by the third party. It changed from September 11th
The complainant's subscription therefore changes from prepaid to postpaid. The third does have its own
Identity information that linked it to the postpaid subscription
so that all costs from then on were billed in the name of the third party. The third
however, did not yet have a SIM card associated with the mobile number on 11 September
of the complainant, so that the complainant could continue to use the services of the
subscription. Four days later, on 15 September, the third party is again sent to the defendant
been a Y-shop and asked for a new SIM card connected to the same mobile
number. At that point, he was therefore given access to the complainant's mobile number and the
4
see further marginal number [37]. Decision on the merits 05/2021 - 9/22
the complainant's SIM card. The complainant had no more contact with the network from that on
moment.
17. The complainant describes in his complaint that he has several telephone contact with the defendant
and to have been in the defendant's shops in order to dispose again
about his phone number. It was not until 19 September that the complainant could dispose of it again
about his phone number.
18. At the request of the Disputes Chamber, the respondent gave an explanation about the
standard procedure used in cases similar to these. Defendant argues -
as already stated in conclusion - that in principle only the user of a mobile
telephone number should know the associated SIM card number. It
SIM card number is therefore used to verify that the applicant is the actual
is the user of the telephone number that is given. The seller would therefore be in the store
have requested and received both the telephone number and the SIM card number from the third party.
The migration was then carried out and the third party therefore has its own identification data
specified, according to defendant. The identification data of the third party was according to
defendant checked by comparing the identity card data with the declared
name, address and place of residence of the third party. These identity data were according to defendant
however not compared with the identity details of the prepaid customer to whom the
SIM card number and mobile phone number was allocated first, namely the complainant. Latter
According to the defendant, control did not take place because identity data may not be used
used for commercial applications based on the Electronic Communication Act and the
Report to the King by Royal Decree implementing this Act. 6
19. Respondent finds it incomprehensible that the third party could find out the SIM card number.
According to the defendant, the SIM card number can only be retrieved via the systems of
defendant where it is stored or if these have been notified by the complainant himself. In order
to obtain both the telephone number and the SIM card number would be the third - according to
defendant - either had the cooperation of the complainant or that of a Y employee.
5
Article 127 in conjunction with Article 126 § 2.7 ° Law on electronic communications of 13 June 2005, entered into force
June 30, 2005.
Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of
mobile public electronic communications services provided on the basis of a prepaid card, BS 7
December 2016. Decision on the merits 05/2021 - 10/22
20. During the hearing, the respondent indicated that entering the
SIM card number by the employee of a Y shop a mandatory field (“mandatory”) is a
migration from prepaid to postpaid. The employee must therefore provide the data for this
field to be requested from the customer and effectively completed to form the contract for the postpaid paid
to be able to take out a subscription, according to the defendant. The employee of a Y-shop can according to
the respondent also does not query prepaid databases to retrieve the SIM card number
questions based on the mobile number. According to the respondent, the employee could do it
SIM card number - if the third party would not have provided this itself - only have it obtained
by calling other Y employees to request this. The chance that an employee will use the
third would have helped defendant, however, small, especially because the employee there
could not get a commission for it. In addition, the defendant states that in the days and
hours around the migration application no consultation of the data of the
complainant.
21. On the basis of the defendant's statement that the store employees obligated it
SIM card number must be requested from the customer and entered to perform a migration
bring about from prepaid to postpaid, and there is no option for the employee to
requesting the SIM card number in the database on the basis of the mobile number, the
the question arises how the third party obtained the combination mobile phone number - SIM card number.
22. To the question of the Disputes Chamber during the hearing whether this may have occurred
of a problem of confidentiality of data at the level or in the systems of Y -
for example, through unauthorized access to the online customer portal causing the
SIM card number could be obtained - the defendant replied in the negative. On
the customer portal of Y (both via the web browser and the mobile application) is according to
defendant does not state a SIM card number. In addition, defendant indicates at the hearing
know that no reports have been received by defendant from other customers regarding
possible instances of unauthorized access to their SIM card number.
23. According to the defendant, another scenario is that the third party has malicious fraud
committed by some (unknown) way to the combination of telephone and
SIM card number of the complainant. However, the Disputes Chamber finds that the third is
has given your own name, address and place of residence, which means that all invoices from 11 September
ended up with him (and the complainant between 11 and 15 September even in principle at the expense of
the third could use the services of Y). This makes fraud on the part of the third party
less likely. During the hearing, the respondent argues that the third party does
had passed on his own personal data to the defendant, but that does not alter that
could still be a case of fraud. According to the defendant, the third received Decision on the merits 05/2021 - 11/22
a mobile telephone when taking out the postpaid subscription. The principle is
that after paying two years of subscription costs the device would also have been paid off. According to
defendant has given the third party the invoices that were charged for the postpaid
subscription never paid. Respondent indicates that it has started proceedings against the
third for not paying the invoices. The Disputes Chamber understands this scenario, however
not why it was necessary for the third party to take over the complainant's telephone number. It
In this case, the smartphone device could also easily be obtained by a postpaid
apply for a subscription with a new mobile number.
24. The Disputes Chamber considers this fraud hypothesis with the intention of using a smartphone
obtaining by taking over the complainant's mobile number in this case is therefore quite unlikely,
all the more now that the third party provided its own personal data and entered into an agreement for it
mobile subscription. This means that from September 11, the costs are also ahead
bill came.
25. Respondent stated both at the conclusion and during the hearing that it was not
it was possible to identify the third party and that of the holder of the number associated with it
compare the prepaid subscription. As the cause of this, respondent points to the
prohibitions imposed by Article 127 of the Electronic Communication Act and the
executive Royal Decree. The executive order contains further rules regarding identification
8
of the end users of prepaid (prepaid) cards. According to the defendant, the
law and the decrees that identification data may not be used for commercial purposes
purposes. The respondent states that: “Due to the strict application of the above
Legislation allows employees in the concluent's points of sale when requesting the
migration from a prepaid to a postpaid subscription just the phone number and the
SIM card number. "
26. The part of the preamble to the Royal Decree quoted by the defendant reads: “The
operators and the providers referred to in Article 126, § 1, first paragraph, may therefore use the
identification data collected under Article 127 of the ECA and becoming
retained under Article 126 ECA do not use for commercial purposes ……. ”. The
The Dispute Chamber points out that the aforementioned article, however, is continued as follows: “but they
may collect and store identification data of users of prepaid cards
for commercial purposes in accordance with Article 122 (applicable when a
7 Law on electronic communications of 13 June 2005, entered into force on 30 June 2005 and implementing
Royal Decree
8
Royal Decree of November 27, 2016 on the identification of the end user of mobile public
electronic communications services that are provided on the basis of a prepaid card, BS December 7, 2016. Decision on the substance 05/2021 - 12/22
invoice is sent) or the general legislation on the protection of the personal
privacy. "
27. During the hearing, the respondent, when asked, regarding the aforementioned Article 127 EC,
read in conjunction with the executive Royal Decree and the Report to the King accompanying that
decision, indicated that the provision has given rise to all telecom operators
discussion, namely whether the article should be read strictly or not. Defendant interprets it
section of the law strictly. Since the present case would concern the sale of subscriptions, this becomes
considered a commercial objective by the defendant.
28. The defendant's assertion that the performance of an identity check (i.e. in this case the
comparing the identity data of the complainant and the third party) in the context of a conversion
from prepaid to a postpaid subscription, was not allowed to take place because of the legal
The Disputes Chamber does not consider the prohibition of use for commercial purposes to be correct.
29. The Disputes Chamber asks whether this is indeed a commercial purpose,
given the use of the identity data of a prepaid customer in this case only the occurrence
would be aimed at abuse by someone who might present himself incorrectly in a Y shop
as the user of the telephone number associated with a prepaid card. It
The purpose is therefore to prevent the wrongful copying of a telephone number from a
prepaid customer by a third party, which would also give him access to his mobile traffic and
possibly also other services linked to the telephone number (see further below) with so
access to his personal data. Therefore, the respondent had the data of the third and the
must unambiguously compare data of the complainant known to him (and therefore
not just based on a SIM card number which is anything but a strong means of authentication).
After all, this is a legitimate purpose, namely the detection of possible
fraud with telephone numbers which can have enormous consequences for those involved.
30. The Disputes Chamber also refers to the Report to the King to the Executive Royal
Decision. The report states: “It is not the intention of the legislator here
has been to impose a blanket ban on identity verification but strict
subject to regulations in order to ensure a good level of protection of personal data
can guarantee. ” By not carrying out an inspection, the defendant is, according to the Disputes Chamber
also ignored the will of the legislator, namely to offer a good
level of protection of personal data to data subjects. In a case like this, the -
9 Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of
mobile public electronic communications services provided on the basis of a prepaid card, BS 7
December 2016. Decision on the merits 05/2021 - 13/22
limited - processing of personal data to verify identity precisely allows misuse
of personal data.
31. The Disputes Chamber is of the opinion that the respondent in the present case could simply have checked whether the
data on the identity card of the third party (after verification of the photo on the identity card)
corresponded with the known data of the holder of the telephone number of the advance
paid card. After all, the defendant had access to the identity card of the third party
has failed to compare the personal data with that of the holder of the mobile number,
in the present case, the complainant. By performing a verification, it would turn out to be two
several persons went. Defendant has failed to make such little effort
required verification, while the defendant as a telecom operator had to be aware
of the tremendous consequences that such negligence could entail.
The Disputes Chamber considers this negligence disproportionate.
32. Respondent added the Safety Working Method in its statement of defense. This internal
piece for employees describes how personal data should be handled
of customers and provides guidelines for the confidentiality of the data within the organization
of the defendant.
33. Several points in the working method indicate that a full
identity check (name, first name, telephone number, if there is one; customer number, date of birth,
identity card number, address, amount of the last invoice and where and when the activation
is requested) is required for “Any questions in light of contract change, such as; change
of the tariff plan, change of address, P2P, PPP, activation or deactivation of a service, question
for a copy of an invoice and ask for confidential information ”.
34. In the present case, the third party who (later) obtained the complainant's telephone number requested the
conversion of his prepaid card to a postpaid subscription. He therefore asked for activation
of a new service. This means that the defendant also had according to its own working method
must ask for additional information with the aim of establishing the identity of the
person in question. By failing to establish the identity of the third party with certainty,
the respondent acted culpably negligently according to the Dispute Chamber.
35. Respondent argues that the infringement had very limited consequences for the complainant. The third
According to the defendant, the person could not have access to the profiles of the complainant on several
platforms such as WhatsApp and Paypal because those platforms use the two-step verification
in order to be able to log in or register on their profiles. According to the complainant, the third had Decision on the merits 05/2021 - 14/22
furthermore, no access to all communications the complainant had in the past
occurred. Therefore, according to the defendant, there is no infringement in any way
of the complainant's privacy. There are only practical inconveniences that the complainant would have
have experienced.
36. In this context, the Disputes Chamber points out that - unlike the defendant
claimed - for the use of, for example, the WhatsApp application in principle that is sufficient
someone has the phone number. The two-step verification that according to the defendant serves
must be explicitly activated via the WhatsApp settings and is not enabled
default on. The standard security setting is therefore that only the telephone number is sufficient
to take over the use of the Whatsapp application. The user executes it
telephone number through which he wishes to use the communication via the application, then
an SMS message will be sent to that number. After the code contained in the text message
is entered, communication can take place directly via WhatsApp. There is - if the
two-step verification has not been activated - so nothing is needed other than access to the mobile
phone number to which the verification code will be sent.
37. Moreover, by having a telephone number, there is a considerable chance that
access to various types of personal data can be obtained. Various
remind authorities - such as hospitals - of appointments through the
sending SMS messages. In addition, it converts a phone number to one
others leave the door wide open for fraud and scams (for example, because there are
potential conversations and messages can be conducted on behalf of the injured party or
sent. The Disputes Chamber therefore disagrees with the defendant's assertion that there is no
there would be a breach of privacy in any way.
38. The Court of Justice emphasized the importance of telecom data in the following terms
in its judgment in Digital Rights Ireland of 8 April 2014: “From these data, in their entirety
considered, very precise conclusions can be drawn about the private life of the
persons whose data is retained, such as their daily habits, their permanent
or temporary residence, their daily or other movements, the activities they
10
exercise, their social relationships and the social circles in which they find themselves. ” Notwithstanding the
third in the present case may not have had access to all the information referred to in the judgment, is the
The litigation chamber believes that by having the complainant's phone number
there is a significant risk of violation of his privacy rights.
10 Court of Justice of the EU, Digital Rights Ireland and Seitlinger and others, Joined cases C-293/12 and C-594/12, ECLI: EU: C: 2014: 238,
r.o. 27. Decision on the merits 05/2021 - 15/22
39. Article 33 (1) of the GDPR states: “If there is a personal data breach
occurred, the controller shall notify it without unreasonable delay and,
if possible, no later than 72 hours after becoming aware of it, to the corresponding
Article 55 competent supervisory authority, unless the infringement is unlikely to occur in
connection with personal data poses a risk to the rights and freedoms of natural
persons. If the notification to the supervisory authority is not made within 72 hours,
it shall be accompanied by a justification for the delay. "
40. The respondent argues in its conclusions that there was no obligation to report the data leak
to the Data Protection Authority. According to the defendant, the reason for this is the fact
that the data leak concerned one data subject, it was of very short duration and according to the defendant
no sensitive data was involved. The Disputes Chamber points out the above
to the above consideration, namely that it can be considered plausible that there are
for example SMS messages are received which would contain special personal data
can contain.
41. In assessing whether an infringement poses a likely high risk to the
rights and freedoms of natural persons according to the Guidelines of the Working Party 29
to be taken into account the answer to whether the infringement can lead to
physical, material or immaterial damage to the persons whose data is the subject of
the offense. Examples of such damage are discrimination, identity theft or fraud,
financial loss and reputation damage. 11 By assigning the complainant's telephone number to
a third, the complainant is exposed to the risk of performing fraudulent acts
under his name, using his telephone number. Also exists - other than
defendant seems to argue - a risk that sensitive data (such as health data) in
hands come from third parties. Respondent argues that there was no duty to report for her, under
others because it concerns a data breach of only one person. The Dispute Chamber
points out, however, that a breach can have serious consequences even for one person, entirely
depending on the nature of the personal data and the context in which they are
compromised. Again, it comes down to looking at the likelihood and severity of this
the consequences. 12 Moreover, according to the Disputes Chamber, this concerns a risk of structural nature
nature where potentially all prepaid card users could be exposed. It's possible
It cannot be ruled out that there are other cases of which the Disputes Chamber is not aware
is hit.
11
Guidelines for reporting personal data breaches under Regulation 2016/679,
wp250rev.01, Workgroup 29, p. 26.
12 Idem, p. 30 Decision on the merits 05/2021 - 16/22
42. Respondent submits an earlier notification dated 11 March 2019 to the Data Protection Authority
13
of a similar data leak about. It is also stated that another reason for the in
In this case no mention of the leak was the following: “The Data Protection Authority
has not followed up this file any further, which shows the limited importance that the
Data Protection Authority indicates such (small) data leak. For that reason
the suspicion of the conclusion that there would be no obligation to report in the present case has been confirmed. "
The Disputes Chamber hereby points to the accountability of the defendant that arises from
Article 5.2 and Article 24 GDPR where it is up to the defendant to demonstrate that they also
acts in accordance with article 5.1. f GDPR namely: ”by taking appropriate technical or
organizational measures are processed in such a way that an appropriate
their security is ensured, including protection against unauthorized or
unlawful processing and against accidental loss, destruction or damage (“integrity
and confidentiality ”).” The allegation that a previous report was not addressed by the
Data protection authority does not affect the accountability obligation.
43. The Disputes Chamber points out once again that accountability under the articles
5 (2), Art.24 and Art.32 GDPR implies that the controller the
takes the necessary technical and organizational measures to ensure that the
processing is in accordance with the GDPR. The foregoing obligation is part of it
properly fulfilling the responsibility of the defendant under Article 5 (2), 24 and 32
AVG. The Disputes Chamber points out that the accountability of article 5 paragraph 2 and article 24
GDPR is one of the central pillars of the GDPR. This means that on the
controller has the obligation to, on the one hand, take proactive
measures to ensure compliance with the requirements of the GDPR and, on the other hand,
being able to demonstrate that he has taken such measures.
44. The Working Party 29 has indicated in the Opinion on the “principle of accountability”
that two aspects are important in the interpretation of this principle:
(i) “the need for a controller to provide appropriate and
take effective action to enforce the principles for
implement data protection; and
(ii) the need to be able to demonstrate upon request that appropriate and effective
measures have been taken. The controller should therefore
14
provide evidence of (i) above ”.
13 As document 5 to her conclusions.
14 Opinion 3/2010 on the “accountability principle” adopted on July 13, 2010 by the Group 29, p. 10 - 14
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf. Decision on the merits 05/2021 - 17/22
45. The Disputes Chamber is of the opinion that the respondent has not succeeded in the present case
Demonstrate that proactive measures have been taken to ensure compliance with the GDPR. The
defendant's employees first of all failed to carry out a verification between the
identities of the third party and that of the complainant and Y subsequently failed to resolve the data breach
to report to the Data Protection Authority. Respondent has not submitted any documents
from which it appears that the documentation obligation imposed on the defendant has been met. The only
document submitted by defendant regarding a data breach was a report
dating from another data breach by the defendant to the data protection authority
the year 2019. From the documents in the file, which was put forward at the hearing and the
The fact that defendant has not submitted documentation of the data breach proves defendant
nor does it meet the obligation of article 33, paragraph 5, which states that:
“The controller documents all breaches related to
personal data, including the facts about the breach in connection with
personal data, the consequences thereof and the corrective measures taken. That
documentation enables the supervisory authority to verify compliance with this Article
to check."
46. The Disputes Chamber pointed out earlier in decision 2020/22 that: “accountability
applied to data breaches means that it relates to a controller
It is not only the obligation to these data leaks, if necessary, accordingly
Articles 33 and 34 GDPR to report to the supervisory authority and the data subjects, however
whereas the latter must also be able to demonstrate at all times that he has taken the necessary measures
taken to be able to comply with this obligation ”15 The Disputes Chamber is of the opinion that
this cannot be demonstrated in the present case.
47. In a non-exhaustive list that data controllers can contact in order to comply with the
The Group 29 refers to, inter alia, the
next measures to be taken: the implementation and supervision of
control procedures to ensure that all measures exist not only on paper but
also be implemented and function in practice, establishing internal
procedures, the drawing up of a written and binding policy
data protection, developing internal procedures for effective management and
reporting security breaches.
15
Decision 22/2020 of 8 May 2020 of the Disputes Chamber, p. 12 Decision on the merits 05/2021 - 18/22
48. The Disputes Chamber also points to a form that is enclosed with the claim and in which
A similar data breach was reported, namely the phone number of a
customer who switched to another operator This phone number was incorrectly as
seen freely and assigned to a new customer. In the form the respondent has the question “What
is the degree or severity of the data breach for data subjects
assessing the risks to the rights and freedoms of data subjects? ”, please note
answered with “critical” data breach. According to the Disputes Chamber, this clearly shows that
Respondent understands the seriousness of such a data breach.
49. The Disputes Chamber therefore finds violations of Article 33, paragraphs 1 and 5, and 34, paragraphs 1 and 2,
AVG. The Dispute Chamber points out that there is a
is obliged to document any data breach, whether risky or not, in order to
to be able to provide information to the GBA. After all, the processing of personal data is
a core activity of the defendant. In addition, personal data can be of great importance
have sensitivity to those involved, in part because they are regular and systematic
make observation possible. 16 The complainant had also informed in accordance with Article 34.1
should be the data breach. Notwithstanding the fact that complainant has already been informed
was of the data leak by calling his own number, the defendant had said
of these as yet and without delay, in accordance with the requirements of article 34 paragraph 2. The aforementioned article
namely that the communication; the nature of the breach; the contact details of the
data protection officer or other contact point where more information can be obtained
are obtained and the measures proposed by the controller or
genomes.
50. The Disputes Chamber concludes from the non-submission of a notice in the sense of
Article 34 GDPR reasonably declines by the respondent that this is not a communication to the complainant
done. The defendant therefore failed to inform the complainant after he became aware himself
by means of a notification in accordance with article 34 paragraph 2 of the allocation of
the telephone number to a third party. The Disputes Chamber rejects the defendant's argument
that a notification to the person concerned was not necessary in this case as it would not be a
high risk. In this context, the Disputes Chamber refers to the following example in the recent
published “Guideline on Examples regarding Data Breach Notification” from the EDPB in which
the contact center of a telecommunications company is called by a person who says one
be a customer and request that his email address be changed to allow the accounts
will be sent to that new email address from now on. The caller gives the correct one
personal data of the customer, after which the invoices from now on to the new email address
16
Decision 18/2020 of April 28, 2020 of the Disputes Chamber Decision on the merits 05/2021 - 19/22
are sent. When the actual customer calls the company to ask why he isn't
receives more invoices, the company realizes that the invoices are being sent to another person.
51. The EDPB considers the following regarding the above example:
This case serves as an example on the importance of prior measures. The breach, from a risk
aspect, presents a high level of risk, as billing data can give information about the data subjects
private life (e.g. habits, contacts) and could lead to material damage (e.g. stalking, risk to
physical integrity). The personal data obtained during this attack can also be used in order to
facilitate account takeover in this organization or exploit further authentication measures in
other organizations. Considering these risks, the “appropriate” authentication measure should
meet a high bar, depending on what personal data can be processed as a result of
authentication.
As a result, both a notification to the SA and a communication to the data subject are needed
from the controller. The prior client validation process is clearly to be refined in light of this case.
The methods used for authentication were not sufficient. The malicious party was able to
pretend to be the intended user by the use of publicly available information and information that
they otherwise had access to. The use of this type of static knowledge-based authentication
(where the answer does not change, and where the information is not “secret” such as would be
the case with a password) is not recommended. ” 17
52. Reporting of breaches should be seen as a way of ensuring compliance
on the protection of personal data. When there is an infringement in connection
with personal data takes place or has taken place, this can lead to material or
immaterial damage to natural persons or any other economic, physical or social
damage to the person concerned. Therefore, the controller must, as soon as he
becomes aware of a breach of personal data with a risk to rights
and freedoms of data subjects, the supervisory authority without undue delay and,
if possible, notify the breach within 72 hours. This allows the
supervisory authority to exercise its duties and powers, as set out in the GDPR
properly.
4. Breaches of the GDPR
17EDPB Guideline on Examples regarding Data Breach Notification, 01/2021, p. 30
Underline by the Dispute Chamber Decision on the merits 05/2021 - 20/22
53. The Disputes Chamber considers that the defendant has infringed the following provisions:
a. Articles 5.1.f, 5.2, 24 and 32 GDPR,; given defendant insufficient
took precautions to prevent the data breach
b. Articles 33.1 and 33.5 and 34.1 GDPR, given that defendant did not mention it
data breach to the GBA and the data subject.
54. The Disputes Chamber considers it appropriate to impose an administrative fine in the amount
of 25,000 euros (Article 83, paragraph 2 GDPR; Article 100, §1, 13 ° WOG and Article 101 WOG).
18
55. Taking into account article 83 GDPR and the case law of the Marktenhof, the
Disputes Chamber imposing an administrative fine in concrete terms:
a) The seriousness of the breach: the Disputes Chamber has determined that the data leak was, among other things, too
due to negligence on the part of the defendant. In addition, defendant
failed to report the leak to the Data Protection Authority and both by conclusion
if it was indicated during the hearing that in this case there is no
likely high risk to the rights and obligations of the complainant resulting in no
Reporting obligation would exist for the defendant. The fact that in this case it concerns telecom data
from which precise information about a person's private life can be derived
as well as the potential risk of committing fraudulent acts in their name
person make a serious infringement.
b) Duration of the infringement: the infringement lasted for four days, which is a considerable time frame
is in the light of the potential hazard identified above.
c) The fine to be imposed and the order to reconcile the processing are
according to the Dispute Chamber such a deterrent to such violations in the
future.
56. The Disputes Chamber points out that the other criteria of art. 83.2. In this case, GDPR is not in nature
are that they lead to a different administrative fine than that which the Disputes Chamber enters
the framework of this decision.
57. In its response to the intention to impose a fine, the defendant has objected
against the amount of the intended fine. This file is according to the Dispute Chamber
however, it appeared that there was negligence and negligence to protect
personal data of the person concerned. After all, the processing of personal data makes one
18
Brussels Court of Appeal (section Marktenhof), X t. GBA, Judgment 2020/1471 of 19 February 2020. Decision on the merits 05/2021 - 21/22
core activity of the defendant, so it is of overriding importance that the
personal data is processed in accordance with the GDPR.
58. The facts, circumstances and infringements established therefore justify a fine
meets the need to have a sufficiently deterrent effect, whereby the
defendant are sanctioned sufficiently strongly to prevent practices involving such violations
would not be repeated.
59. Considering the importance of transparency with regard to the decision-making of the
Disputes Chamber, this decision will be published on the website of
the Data Protection Authority. However, it is not necessary for the
identification data of the parties are disclosed directly.
60. In its response to the proposed fine, the defendant requested that the decision not be upheld
publishing, even in anonymous form. The Disputes Chamber rejected this request, with
reference to the memorandum published on the GBA website about the publication of
decisions, in which it is stated that: “The Dispute Chamber is based on the principle that all its
decisions, with few exceptions, are published on its website, with a view to
19
the overall goal of transparency, but also visibility and accountability. ”
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation,
to the defendants:
- Pursuant to Article 100, §1, 9 ° WOG, to order processing in accordance
with Articles 5.1.f, 5.2, 24 and 32 GDPR, in particular the policy on
regarding the identification and verification of prepaid customers in accordance with the
AVG is brought. The Disputes Chamber gives the defendant a period of three for this
19 https://www.gegevensbeschermingsautoriteit.be/publications/beleid-van-de-geschillenkamer-inzake-de-publicatie-van-de-
decisions.pdf Decision on the merits 05/2021 - 22/22
months and the Disputes Chamber expects the defendant to report it within
the same period for bringing the processing into line with
aforementioned provisions.
- an administrative fine on the basis of Article 83 GDPR and Articles 100, 13 ° and 101 WOG
of EUR 25,000 to be imposed on the defendants for infringements of the articles
5.1.f, 5.2, 24, 32, 33.1 and 5, 34.1 GDPR.
Against this decision on the basis of art. 108, §1 WOG, appeals are lodged within one
term of thirty days, from the notification, at the Marktenhof, with the
Data protection authority as defendant
(get.) Hielke Hijmans
Chairman of the Disputes Chamber
