Tietosuojavaltuutetun toimisto (Finland) - 2437/161/22
Tietosuojavaltuutetun toimisto (Finland) - 2437/161/22 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 33 GDPR Article 34 GDPR Article 58(2)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 23.03.2022 |
Published: | |
Fine: | None |
Parties: | Finnish Ministry of Foreign Affairs |
National Case Number/Name: | 2437/161/22 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Finnish |
Original Source: | Finlex (in FI) |
Initial Contributor: | ea |
The Finnish DPA issued a reprimand against the Ministry of Foreign Affairs for the late notification of a data breach to both the DPA and the data subjects under Articles 33 and 34 GDPR. The DPA held that although controllers can investigate potential data breaches before the 72-hour time limit in Article 33 GDPR starts running, the Ministry failed to do so after it concluded its investigation without providing justified reasons.
English Summary
Facts
During the autumn and winter of 2021–2022, the Finnish Ministry of Foreign Affairs (the controller) noticed and investigated a data breach in respect of personal data of seconded Finnish staff working abroad. On 24 January 2022, the controller notified the Finnish DPA of the data breach. The controller also notified the affected data subjects.
On 9 March 2022, the Finnish DPA asked the controller for further clarification on the timing of the notifications under Article 33 GDPR and Article 34 GDPR. The controller claimed that the main reasons for the late notifications were the investigation of the data breach and related national security considerations, alongside the division of responsibilities between authorities.
Holding
The Finnish DPA held that the controller had failed to comply with Article 33 GDPR and Article 34 GDPR. Consequently, it issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.
First, the DPA held that the controller did not comply with the 72-hour time limit to notify a supervisory authority set out in Article 33(1) GDPR. The DPA held that the 72-hour time limit only starts running after a controller finishes its investigation of the potential data breach and obtains reasonable assurances that the data breach truly occurred. It is only then that the controller must notify the DPA of the breach within 72 hours. However, the DPA held that the controller notified it longer than 72 hours after its investigation was finished and hence violated Article 33(1) GDPR.
Second, the DPA held that the controller did not provide reasons for the delay within the meaning of Article 33(1) GDPR. The explanations given did not demonstrate that the controller could not comply with the 72-hour time limit for submitting the notification to the supervisory authority in accordance with the GDPR.
Third, the DPA held that the controller did not comply with Article 34(1) GDPR, which requires that the controller notifies the data subject of the data breach without undue delay. The controller should therefore have reported the personal data breach to the data subject without undue delay which it failed to do.
Comment
According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed to the Administrative Court in accordance with the provisions of the Act on Legal Proceedings in Administrative Matters (808/2019). The decision is not final.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Delays in reporting security breaches and restrictions on reporting obligations under national law Keywords: Security breach notification obligation Legal basis: Decision in accordance with the EU General Data Protection Regulation Diary number: 2437/161/22 Thing Delays in notifications under Articles 33 and 34 of the EU General Data Protection Regulation and restrictions on the obligation to notify under Article 34 in national law. Registrar State Department Background The Office of the Data Protection Commissioner received a notification from the Ministry of Foreign Affairs (hereinafter the Registrar) of a personal data breach on 24 January 2022. According to the data controller, the security breach was caused by NSO Group's Pegasus spyware. According to the notification made to the Office of the Data Protection Supervisor, the controller has investigated the data breach and its causes with various authorities and stakeholders during the autumn and winter of 2021–2022. The breach of security has targeted posted personnel working abroad in Finland. The data controller has been notified of the security breach by the data subjects who were the subject of the breach. On 09.03.2022, the EDPS requested further clarification from the Data Protection Officer on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter the General Data Protection Regulation). the dates of the notifications. Statement received from the controller The data controller reported to the Office of the Data Protection Officer on the date of the security breach notifications on 16.03.2022. According to the report provided by the controller, the main reasons for the delay in the notification were related to the investigation of the security breach and the related aspects of national security. Part of the reasons for the delay have also been related to the division of information responsibilities between the authorities related to the security breach and the nature of the controller's activities. Legal question The matter must be resolved: 1. Has the controller exceeded the 72-hour time limit under Article 33 of the General Data Protection Regulation to report a personal data breach to the supervisory authority? 2. If the controller has exceeded the time limit under the General Data Protection Regulation, has the controller provided a reasoned explanation to the supervisory authority? 3. Has the controller complied with the obligation under Article 34 (1) of the General Data Protection Regulation to notify data subjects of a security breach without undue delay? 4. Is there a need to provide a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation? Decision and reasons of the Assistant Data Protection Supervisor 1. Exceeding the 72-hour time limit under the General Data Protection Regulation The EDPS considers that the controller has not complied with the time limit of 72 hours in accordance with Article 33 (1) of the General Data Protection Regulation. Reasoning Applicable laws and regulations According to the first sentence of Article 33 (1) of the General Data Protection Regulation, if a personal data breach occurs, the controller shall notify the competent supervisory authority in accordance with Article 55 without undue delay and if possible within 72 hours, unless the personal data breach is likely to affect the rights and freedoms of natural persons. risk. According to recital 85 of the General Data Protection Regulation, failure to address a personal data breach may result in physical, material or intangible harm to natural persons, such as loss of control or limitation of personal data, discrimination, identity theft or fraud, financial loss, unauthorized revocation of pseudonymisation, damage to reputation, loss of confidentiality of personal data subject to professional secrecy, or other significant economic or social damage. Therefore, the controller should notify the personal data breach to the supervisory authority without undue delay as soon as it becomes known to the controller and, if possible, within 72 hours, unless the controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to be compromised. If such notification cannot be made within 72 hours, the notification should be accompanied by an explanation of the reasons for the delay and the information may be provided in stages without further undue delay. According to recital 87 of the General Data Protection Regulation, it should be verified that all appropriate technical and organizational safeguards have been put in place to immediately detect whether a personal data breach has occurred and to inform the supervisory authority and the data subject without delay. The fact that the notification was made without undue delay should be clarified, taking into account in particular the nature and severity of the personal data breach and the consequences and adverse consequences for the data subject. Such notification may result in the Authority intervening in accordance with its tasks and powers under this Regulation. The WP29 Working Party Guidelines on the Reporting of a Personal Data Breach under Regulation (EU) 2016/679 state that the controller should be deemed to have become aware of the breach when it has reasonable assurance that a personal data breach has occurred. Exactly when a particular security breach can be considered to have “come to light” depends on the circumstances of each security breach. According to the guidelines, once the controller has been informed of a possible breach of security by an individual, a media organization or other source, or if it has itself identified a security breach, it may for a short period of time investigate whether the breach has actually taken place. In the course of this investigation, a breach of security cannot be considered to have “become apparent” to the controller. However, a preliminary investigation is required to begin as soon as possible and should determine with reasonable certainty whether a security breach has occurred; a more detailed investigation can then be carried out. Legal assessment and reasoning Based on the report received, the controller has obtained reasonable assurance that a security breach has occurred well before the notification to the supervisory authority. The Assistant EDPS considers that the controller has not complied with the obligation under Article 33 (1) of the Data Protection Regulation to report a personal data breach to the Supervisory Authority within 72 hours of the breach. 2. Explanation by the controller for not reporting the breach The EDPS considers that the controller has not provided a reasoned explanation for the delay in notifying the supervisory authority of the personal data breach within the meaning of Article 33 (1) of the General Data Protection Regulation. Reasoning Applicable laws and regulations According to the second sentence of Article 33 (1) of the General Data Protection Regulation, if the notification is not made within 72 hours, the controller shall provide a reasoned explanation to the supervisory authority. According to paragraph 4 of that Article, if and to the extent that it is not possible to provide the information at the same time, the information may be provided in stages without undue delay. Legal assessment and reasoning Although the General Data Protection Regulation allows for some delays in notification, this should not be considered a regular practice. The explanation for the delay in the breach cannot be considered as an alternative to reporting the breach within the 72-hour time limit, but must be considered as an obligation for the controller to be taken into account when considering the exercise of powers under the General Data Protection Regulation. If the controller becomes aware of the breach but is unable to provide all the information on the breach within the 72-hour time limit, it may provide the step to the supervisory authority in accordance with Article 33 (4) of the General Data Protection Regulation. In the present case, the controller has not provided an explanation which would have prevented phased notification. The EDPS considers that the explanations provided by the controller for the delay in notifying the breach of security have not shown that the controller would not have been able to comply with the 72-hour time limit under the General Data Protection Regulation. 3. The obligation under Article 34 (1) of the General Data Protection Regulation to notify data subjects of a security breach without undue delay The EDPS considers that the controller has not complied with Article 34 (1) of the General Data Protection Regulation, which requires the controller to notify the data subject of the breach without undue delay. Reasoning Applicable laws and regulations According to Article 34 (1) of the General Data Protection Regulation, where a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay. According to recital 86 of the General Data Protection Regulation, the controller should notify the data subject of a personal data breach without delay if this breach is likely to pose a significant risk to the rights and freedoms of the natural person so that the data subject can take the necessary precautions. The notification should describe the nature of the personal data breach and make recommendations on how the natural person concerned can mitigate its possible adverse effects. Such notification to the data subject should be made as soon as reasonably possible and in close cooperation with the supervisory authority, following instructions from the supervisory authority or other relevant authorities (such as law enforcement authorities). For example, the need to mitigate the risk of immediate harm requires that data subjects be notified without delay, while the need to take appropriate measures to prevent the continuation of a security breach or similar breaches of personal data may justify a longer notice period. Pursuant to Article 23 (1) (a) of the General Data Protection Regulation, Union law or the law of a Member State applicable to a controller or processor may restrict a legislative measure by Articles 12 to 22 and Article 34 and Article 5, insofar as its provisions correspond to Articles 12 to 22. the scope of the obligations and rights provided for, provided that the restriction in question respects fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to ensure national security. According to point 73 of the General Data Protection Regulation, restrictions on specific principles and the right to be notified of data processing, access to and rectification and erasure of personal data, the right to object to data processing, decisions based on profiling and Union law or the law of a Member State in so far as they are necessary and proportionate to ensure the protection of public security, for the prosecution of criminal offenses or the enforcement of criminal sanctions protection of and prevention of such threats to public security, or for other important public or for the purpose of processing individual data on political activities in the systems of former totalitarian states, or for the protection of the data subject or for the protection of the rights and freedoms of others, including social security, public health and humanitarian purposes. These restrictions should comply with the requirements of the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. The report of the Working Party on the Implementation of the EU General Data Protection Regulation (TATTI) states that Article 23 of the General Data Protection Regulation allows for a restriction of Article 34 by national law regarding the margin of maneuver of the Data Protection Regulation. Due to the requirement of unambiguity and precise regulation laid down in Article 23, it is not possible to provide for a restriction in Article 34 in a general law. Legal assessment and reasoning On the basis of the report received, the controller has provided the data in accordance with Article 34 of the Data Protection Regulation to the data subjects who have been the subject of a data breach. However, on the basis of the investigation received, the notification was not made in accordance with the General Data Protection Regulation without undue delay, mainly due to national security considerations. According to Article 23 of the General Data Protection Regulation, certain rights of the data subject may be restricted, provided that the conditions laid down in the law of the Member State are met, where the restriction is intended to ensure national security. The national security ground raised by the controller could therefore be considered as a relevant ground for postponing the notification to the data subject, provided that the law on the processing of personal data concerning the controller provides for this. The Data Protection Act (1050/2018), which supplements the General Data Protection Regulation, does not provide for an exception to the obligation under Article 34 of the General Data Protection Regulation to notify the data subject of a data breach in order to ensure national security. According to the report of the Working Party on the Implementation of the EU General Data Protection Regulation (TATTI), it is not possible to impose such a restriction in a general law, but in a special law. According to the report received by the Assistant Data Protection Supervisor, there are no restrictions in the special legislation concerning the data controller regarding the notification of a personal data breach to the data subject in order to ensure national security. The controller should therefore have notified the data subject of the personal data breach in accordance with the general rule of Article 34 of the General Data Protection Regulation without undue delay. 4. Consideration of sanctions The EDPS considers that the controller has not complied with Articles 33 and 34 of the Data Protection Regulation on his / her reporting obligations and issues a remark in accordance with Article 58 (2) (b) of the General Data Protection Regulation. Reasoning Applicable laws and regulations Under Article 58 (2) (b) of the General Data Protection Regulation, each supervisory authority has all the following remedial powers: (b) issue a notice to the controller or processor if the processing operations have infringed the provisions of this Regulation. According to recital 148 of the General Data Protection Regulation, in order to strengthen the enforcement of the rules of this Regulation, infringements of its provisions should be subject to sanctions, such as administrative fines, in addition to or instead of appropriate measures imposed by the Authority under this Regulation. In the case of a minor infringement or where the fine to be imposed would be an unreasonable burden on a natural person, a notice may be given instead of a fine. The nature, gravity and duration of the breach, its intent, the steps taken to mitigate the damage, the degree of liability or any similar past breach, the manner in which the breach came to the attention of the controller, the controller or the processor however, pay due attention. The imposition of sanctions, such as administrative fines, should be subject to adequate procedural guarantees in accordance with the general principles of Union law and the Charter of Fundamental Rights, including effective remedies and due process. Legal assessment and reasoning The EDPS has previously considered that the controller has not complied with the deadlines under Articles 33 and 34 of the General Data Protection Regulation for reporting a personal data breach. The EDPS considers that, taking into account the infringed articles, the reasons for the breach, the controller's ability to report the breach in a timely manner, the significance of the breach to the data subject and the effect of the delay on the data subject's Applicable law Mentioned in the decision Appeal According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court. Service The decision shall be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt. The decision will be communicated to the Ministry of Foreign Affairs and the Ministry of Justice in order to assess the possible need for regulation in section 3 of the explanatory memorandum. The decision is not final.