ADA - VĮ Registrų centras

From GDPRhub
ADA - VĮ Registrų centras
LogoLT.png
Authority: ADA (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(c) GDPR
Article 83(2)(a) GDPR
Article 83(2)(d) GDPR
Article 83(2)(g) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 02.03.2021
Fine: 15000 EUR
Parties: VĮ Registrų centras
National Case Number/Name: VĮ Registrų centras
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Lithuanian
Original Source: Valstybinė duomenų apsaugos inspekcija (in LT)
Initial Contributor: n/a

The Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of €15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures.

English Summary[edit | edit source]

Facts[edit | edit source]

Starting in July 2020, the VDAI was investigating the incident of a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the data breach was stored in:

  Electronic health services and collaboration infrastructure information system;
  Real estate register;
  Real estate cadastre;
  Register of Legal Entities;
  Population Register of the Republic of Lithuania;
  Register of seizure deeds;
  Mortgage Register of the Republic of Lithuania;
  Register of wills;
  Register of marriage contracts;
  Register of credentials;
  Register of incapacitated and restricted persons;
  Register of contracts;
  Information system for participants of legal entities;
  Bailiffs information system;
  License information system;
  Money Restriction Information System;
  Legal aid services information system;
  Registration service information system;
  Electronic signature and timestamp service;
  Register center document management system;
  Personnel administration system of the Register Center;
  Accounting software of the Register Center.

Dispute[edit | edit source]

Holding[edit | edit source]

The fine of 15000 EUR was imposed for infringements of Article 32(1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services as well as failure to restore the conditions and access to personal data in the event of a physical or technical incident within the legal deadline.

In determining the amount of the administrative fine, the VDAI took into account the factors mitigating the violation committed by the Center of Registers listed in Article 83(2) (b), (c), (e), (f) and (h) GDPR, i. e. the absence of intent, the efforts made to restore the damaged data, the absence of facts about the material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

After 2020 July 20 The State Data Protection Inspectorate (SDPI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021. February. imposed a fine for improper implementation of technical and organizational data security measures.

SE Register Center 15 thousand. A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.

Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach:

    Electronic health services and collaboration infrastructure information system;
    Real estate register;
    Real estate cadastre;
    Register of Legal Entities;
    Population Register of the Republic of Lithuania;
    Register of seizure deeds;
    Mortgage Register of the Republic of Lithuania;
    Register of wills;
    Register of marriage contracts;
    Register of credentials;
    Register of incapacitated and restricted persons;
    Register of contracts;
    Information system for participants of legal entities;
    Bailiffs information system;
    License information system;
    Money Restriction Information System;
    Legal aid services information system;
    Registration service information system;
    Electronic signature and timestamp service;
    Register center document management system;
    Personnel administration system of the Register Center;
    Accounting software of the Register Center.

Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points (g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the State Enterprise Center of Registers, have been decided to impose an administrative fine on the State Enterprise Center of Registers.

Pursuant to the Law on the Legal Protection of Personal Data, an authority or body that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR has the right to impose an administrative fine of up to 0.5 per cent of the authority or body's current year's budget and other gross annual income, but not more than thirty thousand euros.

In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future.

VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.