VDAI - VDAI vs VĮ Registrų centras
ADA - VĮ Registrų centras | |
---|---|
Authority: | ADA (Lithuania) |
Jurisdiction: | Lithuania |
Relevant Law: | Article 32(1)(b) GDPR Article 32(1)(c) GDPR Article 83(2)(a) GDPR Article 83(2)(d) GDPR Article 83(2)(g) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 02.03.2021 |
Fine: | 15000 EUR |
Parties: | VĮ Registrų centras |
National Case Number/Name: | VĮ Registrų centras |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Lithuanian |
Original Source: | Valstybinė duomenų apsaugos inspekcija (in LT) |
Initial Contributor: | n/a |
The Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of €15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures.
English Summary
Facts
Starting in July 2020, the VDAI was investigating the incident of a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the data breach was stored in:
Electronic health services and collaboration infrastructure information system; Real estate register; Real estate cadastre; Register of Legal Entities; Population Register of the Republic of Lithuania; Register of seizure deeds; Mortgage Register of the Republic of Lithuania; Register of wills; Register of marriage contracts; Register of credentials; Register of incapacitated and restricted persons; Register of contracts; Information system for participants of legal entities; Bailiffs information system; License information system; Money Restriction Information System; Legal aid services information system; Registration service information system; Electronic signature and timestamp service; Register center document management system; Personnel administration system of the Register Center; Accounting software of the Register Center.
Dispute
Holding
The fine of 15000 EUR was imposed for infringements of Article 32(1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services as well as failure to restore the conditions and access to personal data in the event of a physical or technical incident within the legal deadline.
In determining the amount of the administrative fine, the VDAI took into account the factors mitigating the violation committed by the Center of Registers listed in Article 83(2) (b), (c), (e), (f) and (h) GDPR, i. e. the absence of intent, the efforts made to restore the damaged data, the absence of facts about the material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
After 2020 July 20 The State Data Protection Inspectorate (SDPI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021. February. imposed a fine for improper implementation of technical and organizational data security measures. SE Register Center 15 thousand. A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline. Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach: Electronic health services and collaboration infrastructure information system; Real estate register; Real estate cadastre; Register of Legal Entities; Population Register of the Republic of Lithuania; Register of seizure deeds; Mortgage Register of the Republic of Lithuania; Register of wills; Register of marriage contracts; Register of credentials; Register of incapacitated and restricted persons; Register of contracts; Information system for participants of legal entities; Bailiffs information system; License information system; Money Restriction Information System; Legal aid services information system; Registration service information system; Electronic signature and timestamp service; Register center document management system; Personnel administration system of the Register Center; Accounting software of the Register Center. Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points (g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the State Enterprise Center of Registers, have been decided to impose an administrative fine on the State Enterprise Center of Registers. Pursuant to the Law on the Legal Protection of Personal Data, an authority or body that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR has the right to impose an administrative fine of up to 0.5 per cent of the authority or body's current year's budget and other gross annual income, but not more than thirty thousand euros. In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future. VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.