HDPA (Greece) - 28/2023
HDPA - 28/2023 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 58(2) GDPR National Law 4624/2019 (Article 15) Paragraph 8 |
Type: | Other |
Outcome: | n/a |
Started: | 20.06.2023 |
Decided: | 24.07.2023 |
Published: | |
Fine: | n/a |
Parties: | Municipality X (To ensure the confidentiality of the specific municipality, the term "X" is employed as a placeholder.) |
National Case Number/Name: | 28/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Inder-kahlon |
The HDPA ordered a city council in Greece to cease their processing activities, under Article 58(2) GDPR and Article 15(8) of Law 4624/2019, because of an unresolved data breach, which allowed unauthorised users to access citizens' personal data via URL manipulation.
English Summary
Facts
On 20 June 2023, an individual reported a data breach on city council X's website, because citizens' personal data was easily accessible on the controller's website by modifying the last five digits of the permalink (URL). On 21 June 2023, the HDPA communicated orally with the city council regarding the breach. In response, the controller promptly ceased the website's operations and officially notified the HDPA of the breach in accordance with Article 33 GDPR. Corrective measures to fix the issue were also implemented. Despite this, the website remained vulnerable, leading to continued exposure of personal data.
Holding
Due to the ongoing unresolved data breach and the substantial risks it posed for a large number of persons, the HDPA issued a temporary order under Article 58(2) GDPR and Article 15(8) of Law 4624/2019. The interim order instructed the city council to take immediate action to restrict access to personal data files on its website and to cease all processing operations. The HDPA noted that the order was to stay in place until it could be ensured that the files containing user personal data could only be accessed by authorized users or the data subjects themselves. These restrictions will remain in effect until the SA issues a new decision, allowing processing operations to begin again.
Comment
Link to Article 15(8) of Law 4624/2019 which is referred to in the decision. The law is in Greek, therefore we have provided a translation of it below.
This provision notes:
'8. Where the protection of the individual against the processing of personal data concerning him or her requires an immediate decision, the President may, at the request of the person concerned or ex officio, issue an interim order for the immediate total or partial temporary restriction of the processing or the operation of the file. The order shall remain in force until the Authority has taken a final decision.'
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 24-07-2023 Prot. No.: 1973 Decision of the President of the Authority no. 28/2023 (Single person body – Temporary Order) The President of the Authority as a one-person body according to articles 17 par. 1 of Law 4624/2019 (Government Gazette A' 137), in the context of the powers provided for in articles, 4 par. 3 para. a' and 10 par. 4 of Regulation of the Authority's Operation (Government Gazette B΄879/25.02.2022) and the powers provided for in article 15 par. 8 of Law 4624/2019 in conjunction with article 58 par. 2 f of Regulation (EU) 2016/679 (GDPR), considered the case mentioned below in the history of this decision. The Authority took into account the following: 1. Because with the complaint No. G/EIS/4615/20-06-2023, A (hereinafter complainant) informed the Authority about an incident of violation of personal data of Municipality X. According to the above complaint, files with personal data of citizens of Municipality X were easily accessible by any user through the "..." website, changing the last five-digit number that appears in the relevant electronic (URL) address. Following an oral notification of Municipality X by the Authority on 21-06-2023, the Municipality proceeded to immediately stop the operation of the website and subsequently submitted the notification No. C/EIS/4715/23-06-2023 incident of personal data breach to the Authority, while also with his document No. C/EIS/4747/26-06-2023 he provided the Authority with some clarifications on the incident in question, stating among other things that, in order to deal with the problem, the ID that each file has will no longer be required to download it from the site but the GUID. 2. Because the Authority examines both the said complaint and ex officio the personal data breach incident and the related processing of personal data. In this context, the Authority sent to the Municipality the document numbered prot. C/EXE/1649/27-06-2023, with which it requested more clarifications on the incident in question. 3. Because on 03-07-2023, despite the corrective actions that had been taken according to the claims of the Municipality, the above website became available again and the files were again easily accessible in exactly the same way, as pointed out by the complainant with his latest document (prot. no. C/EIS/4916/03-07-2023) and confirmed by the Authority. Following a new telephone update of the Municipality by the Authority on the matter in question, Municipality X again shut down the operation of the above website on 07-03-2023. Subsequently, the Municipality once again provided its views to the Authority with its document number C/EIS/5144/12-07-2023, giving answers to some of the questions that had been raised with the above-mentioned C /EXE/1649/27-06-2023 document of the Authority. 4. Because after the latest clarifications from Municipality X, and given that several important aspects of the incident in question still remain unclear, the Authority sent a new document to the Municipality with new, in particular, questions (prot. no. C/ EXE/1783/13-07-2023), on which he has not yet received answers. 5. Because on 07-19-2023, and while the additional clarifications from Municipality X are still pending, the website became available again and despite the corrective actions he states that he already received from his document of 06-26-2023, the files are again - as was also the case on 03-07-2023 - easily accessible in exactly the same way. 6. Because the Authority has, based on article 15 par. 8 of Law 4624/2019 in combination with article 58 par. 2 of the GDPR, the authority to issue ex officio a temporary order for immediate total or partial, temporary limitation of the processing. 7. Because the collection, storage, use, dissemination or any other form of disposal of personal data is a form of processing based on Article 4 para. 2 of the GDPR. 8. Because in this particular case, from the above incident of violation, which has the consequence of files with personal data of citizens of this Municipality becoming easily accessible by any user of the website of Municipality X, high risks arise for a large number of persons. FOR THESE REASONS THE AUTHORITY Orders Municipality X to take any necessary action to limit the free access of internet users to the files with personal data of the above website and to ensure that, as long as the relevant application is working, files with personal data of its users are only available in properly authorized users or the subjects of the data without being easily accessible by other Internet users in the manner described in the present history, until a new decision is issued by the Authority.