APD/GBA - 05/2021
|APD/GBA - 05/2021|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 5(2) GDPR
Article 24 GDPR
Article 32 GDPR
Article 33 GDPR
Article 34(1) GDPR
Art. 126 WEC
Art. 127 WEC
Art. 122 WEC
Cellphone number provider
|National Case Number/Name:||05/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Betreft : klacht wegens toekennen telefoonnummer klager aan een derde (in NL)|
|Initial Contributor:||Enzo Marquet|
The Belgian DPA (APD/GBA) held that sharing a phone number poses a high risk to a data subject and that this must be classified as a critical data breach, even if it concerns just one person and for a very short time.
English Summary[edit | edit source]
Facts[edit | edit source]
A third party visited a shop of the defendant (a provider of cellphone services) to change their mobile phone subscription. This third party used the phone and sim card number of the complaint. During this process, the mobile phone number of the complaint was transferred to a third party so that the complaint could not use its mobile phone number. The SIM of complaint was deactivated for the complaint and the third party had the possibility to access personal conversation data as well as linked accounts (PayPal, WhatsApp, Facebook) for three days.
Dispute[edit | edit source]
If a third party has access to a phone number, does this classify as a critical data breach?
Holding[edit | edit source]
One of the first arguments of the defendant is that it couldn't have known the identity of the third party as they are forbidden from collecting identification data for commercial purposes (article 127 WEC) when migrating from a prepaid to a postpaid abonnement.
However, the Dispute Chamber states that according to article 122 WEC, that this is possible when sending invoices or to protect the private life of the clients. The defendant had to check the identity of the third party, it is a legitimate purpose to prevent identity fraud with phone numbers as the impact on a data subject can be drastic.Not checking this is marked as grave negligence.
The defendant states that the impact on the personal life of the complaint is minimal which the Dispute Chamber dismisses as conversations are very personal and it is easy to access WhatsApp because only a phone number is required. SMS is also used for very personal things such as reminder of meetings (e.g. hospital, special categories of data) or it can be used to impersonate someone. The possession of a phone number creates a significant risk to the personal life of the data subject.
The Dispute Chamber states that defendant failed to respect the data breach notification deadline under Article 33(1) as this data breach poses a high risk to the data subject.
To determine the risks, the Dispute Chamber used the Guidance of WP29 250rev.01. Possible damages for the usage of a phone number are discrimination, identity theft- and fraud, financial loss and reputation damage.The fact that it concerns one person and for a very short time are irrelevant as the risk is very high.
The controller must always implement the necessary technical and organisational measures to be in compliance with the GDPR and be able to demonstrate said compliance (Article 5(2) and Article 24 GDPR). It is one of the corner stones of the GDPR.
The defendant, as such, failed to take proactive measures: there was no verification of the identity of the third party and the data breach was not notified nor was it justified why this data breach was not necessary nor were there any logs on the data breach which is a breach of Article 33(5).
And even if a data breach poses no risks, it must still be logged internally.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/22 Litigation chamber Decision on the merits 05/2021 of 22 January 2021 File number: DOS-2019-04867 Concerns: complaint about attributing the complainant's telephone number to a third party The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Jelle Stassijns and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; has taken the following decision regarding: . - the complainant: Mr X,. . - the defendant: Y Decision on the merits 05/2021 - 2/22 1. Facts and procedure 1. The complainant files a complaint against Y with the Data Protection Authority on 20 September 2019. The complaint was declared admissible by the Primary Care Service on September 30, 2019. The complaint implies that the complainant's mobile phone number would have been assigned to Y by his provider a third, as a result of which the complainant no longer had access to his number. The complainant's SIM card was deactivated and the third party could therefore have become aware of the personal GSM the complainant's traffic and calls, as well as linked accounts (such as Paypal, WhatsApp and Facebook) from 16 to 19 September 2019. 2. Since the complaint is directed against Y with its head office in Member State Z, the Data protection authority contacted the supervisory authority in this Member State in order to determine whether or not the complaint should be considered as cross-border. That communication led to the handling of the complaint and the data processing according to the national procedure of the Belgian data protection authority (art.56.2 GDPR) 1 with Y as defendant. 3. On April 15, 2020, the Disputes Chamber decided that the complaint is ready for handling on the merits and notified to both the complainant and the defendant by registered mail this decision. The parties were also informed of the provisions mentioned in Article 98 of the WOG and the deadlines for submitting their defenses. The deadline it was determined on 27 May 2020 for receipt of the defendant's statement of defense; the deadline for receipt of the complainant's reply on 17 June 2020 and the deadline for receipt of the defendant's reply on 8 July 2020. 4. By letter of 20 April 2020, defendant's counsel submitted to the file, copy of the file and indicated that he wishes to be heard at a hearing on the basis of Article 98, 2 ° WOG. 5. On 27 May 2020 the respondent filed a statement of defense. 6. Neither the complainant nor the defendant have made use of the option of submitting a conclusion submit a reply. The complainant did not wish to make use of the opportunity to be heard to become. 1 Article 56.2 reads: By way of derogation from paragraph 1, any supervisory authority is competent a complaint submitted to it or a to deal with any breach of this Regulation if the subject-matter of that case relates only to an establishment in its Member State or only for data subjects in its Member State. Decision on the merits 05/2021 - 3/22 7. On November 9, 2020, the defendant shall be declared in accordance with Article 53 of the Rules of Procedure of internal order heard by the Disputes Chamber. 8. On November 19, 2020, the minutes of the hearing will be presented to the parties. The parties did not respond to this. 9. On December 7, 2020, the intention to impose a fine was transferred to the defendant. Respondent responded extensively to this intention on 22 December 2020. 2. Legal basis Article 5.1.f GDPR 1 Personal data must: f) by taking appropriate technical or organizational measures in such a way processed to ensure adequate security, including protection are against unauthorized or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”). Article 5.2 GDPR The controller is responsible for and can demonstrate compliance with paragraph 1 (“Accountability”). Article 24 GDPR 1. Taking into account the nature, scope, context and purpose of the processing, as well with the different likelihood and severity risks to the rights and freedoms of natural persons, the controller shall take appropriate technical and organizational measures to guarantee and be able to demonstrate that the processing in in accordance with this Regulation. Those measures are being evaluated and updated if necessary. 2. When proportionate to processing activities, include those referred to in paragraph 1 measures an appropriate data protection policy adopted by the controller is carried out. Decision on the merits 05/2021 - 4/22 3. Adherence to approved codes of conduct as referred to in Article 40 or approved ones certification mechanisms as referred to in Article 42 can be used as an element to indicate show that the obligations of the controller have been fulfilled. Article 32 GDPR 1. Taking into account the state of the art, the implementation costs, as well as the nature, the scope, context and purposes of the processing and the likelihood and severity various risks to the rights and freedoms of individuals affect the controller and processor appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, include the following: a) the pseudonymisation and encryption of personal data; (b) the ability to maintain confidentiality, integrity, availability and ensure resilience of processing systems and services (c) the ability, in the event of a physical or technical incident, to ensure the availability of and access to to restore the personal data in a timely manner; (d) a procedure for regular testing, assess and evaluate the effectiveness of the technical and organizational security measures for processing. 2. In assessing the appropriate level of security, particular account shall be taken of the processing risks, especially as a result of the destruction, loss, alteration or unauthorized disclosure of or unauthorized access to forwarded, stored or otherwise processed data, either accidentally or unlawfully. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved one certification mechanism as referred to in Article 42 can be used as an element to demonstrate that the requirements referred to in paragraph 1 of this Article are complied with. 4. The controller and processor shall take measures to ensure that any natural person acting under the authority of the controller or of the processor and has access to personal data, this only on behalf of the the controller, unless he is under Union or Member State law to do so held Decision on the merits 05/2021 - 5/22 Article 33 GDPR 1 If a personal data breach has occurred, the controller without unreasonable delay and, if possible, no later than 72 hours after taking note of it, to the competent person in accordance with Article 55 supervisory authority, unless it is unlikely that the breach is related to personal data poses a risk to the rights and freedoms of natural persons. In the event that the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. 2. The processor shall inform the controller as soon as possible without unreasonable delay he is aware of a personal data breach. 3. The notification referred to in paragraph 1 shall describe or communicate at least the following: (a) the nature of the personal data breach, specifying where possible the categories of data subjects and personal data registers in question and, approximately, the number of data subjects and personal data registers concerned; b) the name and contact details of the data protection officer or other person contact point where more information can be obtained; c) the likely consequences of the personal data breach; (d) the measures proposed or taken by the controller to remedy the breach in connection with personal data, including, where appropriate, the measures to limit any adverse consequences thereof. 4. If and insofar as it is not possible to provide all information simultaneously, the information is provided in stages without unreasonable delay. 5. The controller documents all breaches related to personal data, including the facts about the breach in connection with personal data, the consequences thereof and the corrective measures taken. That documentation enables the supervisory authority to verify compliance with this Article Article 34.1 GDPR Decision on the substance 05/2021 - 6/22 34.1 When the personal data breach is likely to pose a high risk for the rights and freedoms of natural persons, the controller shares the the data subject immediately notify the breach in connection with personal data. 3. Justification 3.1 Defenses and analysis of the Dispute Chamber The procedure followed 10. Respondent has responded to the intention to impose a fine. The response keeps among other things in that defendant is of the opinion that the rights of defense are violated by the Dispute Chamber. According to the defendant, the disputes chamber established infringements have little or no connection with the complainant's initial complaint. Respondent argues that the complainant merely stated in his complaint that this was the case violation of his privacy without specifying which violations were involved. Respondent considers that it was the task of the Disputes Chamber to legalize that complaint qualify and notify the defendant from the outset. Defendant argues that it is first was notified on 7 December 2020, i.e. through the intention to impose the fine of the specific infringements and has therefore not been able to defend itself effectively against the charge. Moreover, in the present case, according to the defendant, it was necessary for the Disputes Chamber would have arrested the Inspectorate. That did not happen and the Dispute Chamber has qualified the facts legally after the debates have closed, according to the defendant. 11. The Disputes Chamber generally wishes to draw attention to the fact that the submission of a complaint for the data subjects whose personal data are processed, uncomplicated should be. The complaints procedure as provided for in Article 77 GDPR and detailed in the WOG is intended as an alternative to recourse to a civil or administrative court. It The right to complain to the GBA must remain easy and accessible for citizens. For example, the For example, the legislator did not want parties to be always assisted by a lawyer. 2 Article 60 of the WOG sets low requirements for the admissibility of a complaint. For receptive statement is only required that a complaint must be drawn up in one of the national languages, a should contain a statement of the facts as well as the necessary indications for identifying the processing to which it relates and must fall under the authority of the GBA. The article does not require the complaint to be an alleged violation of a legal provision must contain. 2 See, for example, Management Plan 2021 of the GBA, p. 18. Decision on the merits 05/2021 - 7/22 12. The Disputes Chamber will therefore not verify the validity of the complaint whether the complainants in the complaint formally submitted to the GBA have the correct legal provision invoked in support of their request, but whether the facts involved are an infringement forms on one of the legal provisions with which the DPA must check compliance. The The Disputes Chamber also points out that monitoring compliance with the GDPR is the main task belongs to this body of a supervisor. 13. In an earlier decision, the Disputes Chamber considered as follows: Likewise, the complainants do not have to provide all the pertinent facts of the alleged infringement in their complaint to feed. The Disputes Chamber must be able to help them by asking specific questions about a to obtain a good understanding in fact and in law of the possible infringement of a fundamental right for which her attention is sought. The Disputes Chamber can also take into account any grievances be set out later by the complainant in conclusion, provided that it concerns facts or legal arguments related to the alleged infringement presented in the complaint, and with observance of the rights of the defense. " “During the procedure following the complaint, the Disputes Chamber therefore has the option to to change the legal classification of the facts presented to it, or to create new facts related to the complaint, without necessarily invoking the intervention of the Inspectorate, more specifically by asking questions to the parties or by to take into account new facts or qualifications invoked by conclusion, and this within the limits of the adversarial debate, namely to the extent that the parties have the opportunity have gotten to argue about these facts or legal qualifications in a manner that in is in accordance with the rights of the defense. If necessary, it is on the Litigation chamber to instigate this debate, either in its letter requesting conclusions in to be submitted on the basis of Article 98 of the WOG, or later in the context of a reopening of the debates. In this context, the fact that is taken into account does a new legal qualification invoked by the complainant does not prejudice the fairness of the proceedings and the equality of arms, a fortiori as the decisions of the Dispute Chamber are admissible for an appeal procedure at the Marktenhof. ” 3 14. The Disputes Chamber finds - unlike the respondent - that the respondent fully and has been able to defend against all alleged infringements and there has been no question of this new facts that became known afterwards that the defendant was unable to challenge 3 Decision 17/2020 of the Dispute Chamber https://www.dataprotectionautoriteit.be/publications/beslissing-ten-gronde-nr.-17-2020.pdf Decision on the merits 05/2021 - 8/22 to defend. After all, the respondent has answered by means of the statement of defense submitted by it on 27 May 2020 we discussed in detail all (possible) violations and defended the complaint and charges. The respondent argued in its conclusion - in short - that all necessary technical and organizational measures and other precautions are taken they were affected in order to prevent invasion of privacy. According to the defendant therefore acted in accordance with Articles 5.1.f, 5.2, 24, 32, 33 and 34 GDPR. In addition respondent acknowledges that there has been a data breach. However, she has disputed that there of a data breach that is likely to be a high risk associated with the personal data and which had been reported to the Data Protection Authority (Article 33 GDPR). Another reason for not reporting was according to respondent that the Data Protection Authority is more likely in a similar case of a data breach in which a report was made, had not taken any further measures against defendant. 4 The content of the case 15. The complainant has been a customer of the defendant since 11 June 2015 and purchases (prepaid) mobile telephone services. The complainant's telephone number is for a period of four days, from 15 to 19 September 2019, awarded to a third party with the complainant's SIM card deactivated. 16. During these proceedings, the Disputes Chamber has attempted to gain insight into the progress of the events leading to the attribution of the complainant's telephone number a third. From this decision it becomes clear that there are a few things about the actual course cannot be fully clarified. According to the defendant, the third is in one on September 11, 2019 of the defendant's stores in order to transfer the complainant's prepaid subscription into a postpaid subscription (with accompanying smartphone device that after 24 months subscription is paid off). According to the respondent, both the telephone number and the SIM card number of the complainant provided by the third party. It changed from September 11th The complainant's subscription therefore changes from prepaid to postpaid. The third does have its own Identity information that linked it to the postpaid subscription so that all costs from then on were billed in the name of the third party. The third however, did not yet have a SIM card associated with the mobile number on 11 September of the complainant, so that the complainant could continue to use the services of the subscription. Four days later, on 15 September, the third party is again sent to the defendant been a Y-shop and asked for a new SIM card connected to the same mobile number. At that point, he was therefore given access to the complainant's mobile number and the 4 see further marginal number . Decision on the merits 05/2021 - 9/22 the complainant's SIM card. The complainant had no more contact with the network from that on moment. 17. The complainant describes in his complaint that he has several telephone contact with the defendant and to have been in the defendant's shops in order to dispose again about his phone number. It was not until 19 September that the complainant could dispose of it again about his phone number. 18. At the request of the Disputes Chamber, the respondent gave an explanation about the standard procedure used in cases similar to these. Defendant argues - as already stated in conclusion - that in principle only the user of a mobile telephone number should know the associated SIM card number. It SIM card number is therefore used to verify that the applicant is the actual is the user of the telephone number that is given. The seller would therefore be in the store have requested and received both the telephone number and the SIM card number from the third party. The migration was then carried out and the third party therefore has its own identification data specified, according to defendant. The identification data of the third party was according to defendant checked by comparing the identity card data with the declared name, address and place of residence of the third party. These identity data were according to defendant however not compared with the identity details of the prepaid customer to whom the SIM card number and mobile phone number was allocated first, namely the complainant. Latter According to the defendant, control did not take place because identity data may not be used used for commercial applications based on the Electronic Communication Act and the Report to the King by Royal Decree implementing this Act. 6 19. Respondent finds it incomprehensible that the third party could find out the SIM card number. According to the defendant, the SIM card number can only be retrieved via the systems of defendant where it is stored or if these have been notified by the complainant himself. In order to obtain both the telephone number and the SIM card number would be the third - according to defendant - either had the cooperation of the complainant or that of a Y employee. 5 Article 127 in conjunction with Article 126 § 2.7 ° Law on electronic communications of 13 June 2005, entered into force June 30, 2005. Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of mobile public electronic communications services provided on the basis of a prepaid card, BS 7 December 2016. Decision on the merits 05/2021 - 10/22 20. During the hearing, the respondent indicated that entering the SIM card number by the employee of a Y shop a mandatory field (“mandatory”) is a migration from prepaid to postpaid. The employee must therefore provide the data for this field to be requested from the customer and effectively completed to form the contract for the postpaid paid to be able to take out a subscription, according to the defendant. The employee of a Y-shop can according to the respondent also does not query prepaid databases to retrieve the SIM card number questions based on the mobile number. According to the respondent, the employee could do it SIM card number - if the third party would not have provided this itself - only have it obtained by calling other Y employees to request this. The chance that an employee will use the third would have helped defendant, however, small, especially because the employee there could not get a commission for it. In addition, the defendant states that in the days and hours around the migration application no consultation of the data of the complainant. 21. On the basis of the defendant's statement that the store employees obligated it SIM card number must be requested from the customer and entered to perform a migration bring about from prepaid to postpaid, and there is no option for the employee to requesting the SIM card number in the database on the basis of the mobile number, the the question arises how the third party obtained the combination mobile phone number - SIM card number. 22. To the question of the Disputes Chamber during the hearing whether this may have occurred of a problem of confidentiality of data at the level or in the systems of Y - for example, through unauthorized access to the online customer portal causing the SIM card number could be obtained - the defendant replied in the negative. On the customer portal of Y (both via the web browser and the mobile application) is according to defendant does not state a SIM card number. In addition, defendant indicates at the hearing know that no reports have been received by defendant from other customers regarding possible instances of unauthorized access to their SIM card number. 23. According to the defendant, another scenario is that the third party has malicious fraud committed by some (unknown) way to the combination of telephone and SIM card number of the complainant. However, the Disputes Chamber finds that the third is has given your own name, address and place of residence, which means that all invoices from 11 September ended up with him (and the complainant between 11 and 15 September even in principle at the expense of the third could use the services of Y). This makes fraud on the part of the third party less likely. During the hearing, the respondent argues that the third party does had passed on his own personal data to the defendant, but that does not alter that could still be a case of fraud. According to the defendant, the third received Decision on the merits 05/2021 - 11/22 a mobile telephone when taking out the postpaid subscription. The principle is that after paying two years of subscription costs the device would also have been paid off. According to defendant has given the third party the invoices that were charged for the postpaid subscription never paid. Respondent indicates that it has started proceedings against the third for not paying the invoices. The Disputes Chamber understands this scenario, however not why it was necessary for the third party to take over the complainant's telephone number. It In this case, the smartphone device could also easily be obtained by a postpaid apply for a subscription with a new mobile number. 24. The Disputes Chamber considers this fraud hypothesis with the intention of using a smartphone obtaining by taking over the complainant's mobile number in this case is therefore quite unlikely, all the more now that the third party provided its own personal data and entered into an agreement for it mobile subscription. This means that from September 11, the costs are also ahead bill came. 25. Respondent stated both at the conclusion and during the hearing that it was not it was possible to identify the third party and that of the holder of the number associated with it compare the prepaid subscription. As the cause of this, respondent points to the prohibitions imposed by Article 127 of the Electronic Communication Act and the executive Royal Decree. The executive order contains further rules regarding identification 8 of the end users of prepaid (prepaid) cards. According to the defendant, the law and the decrees that identification data may not be used for commercial purposes purposes. The respondent states that: “Due to the strict application of the above Legislation allows employees in the concluent's points of sale when requesting the migration from a prepaid to a postpaid subscription just the phone number and the SIM card number. " 26. The part of the preamble to the Royal Decree quoted by the defendant reads: “The operators and the providers referred to in Article 126, § 1, first paragraph, may therefore use the identification data collected under Article 127 of the ECA and becoming retained under Article 126 ECA do not use for commercial purposes ……. ”. The The Dispute Chamber points out that the aforementioned article, however, is continued as follows: “but they may collect and store identification data of users of prepaid cards for commercial purposes in accordance with Article 122 (applicable when a 7 Law on electronic communications of 13 June 2005, entered into force on 30 June 2005 and implementing Royal Decree 8 Royal Decree of November 27, 2016 on the identification of the end user of mobile public electronic communications services that are provided on the basis of a prepaid card, BS December 7, 2016. Decision on the substance 05/2021 - 12/22 invoice is sent) or the general legislation on the protection of the personal privacy. " 27. During the hearing, the respondent, when asked, regarding the aforementioned Article 127 EC, read in conjunction with the executive Royal Decree and the Report to the King accompanying that decision, indicated that the provision has given rise to all telecom operators discussion, namely whether the article should be read strictly or not. Defendant interprets it section of the law strictly. Since the present case would concern the sale of subscriptions, this becomes considered a commercial objective by the defendant. 28. The defendant's assertion that the performance of an identity check (i.e. in this case the comparing the identity data of the complainant and the third party) in the context of a conversion from prepaid to a postpaid subscription, was not allowed to take place because of the legal The Disputes Chamber does not consider the prohibition of use for commercial purposes to be correct. 29. The Disputes Chamber asks whether this is indeed a commercial purpose, given the use of the identity data of a prepaid customer in this case only the occurrence would be aimed at abuse by someone who might present himself incorrectly in a Y shop as the user of the telephone number associated with a prepaid card. It The purpose is therefore to prevent the wrongful copying of a telephone number from a prepaid customer by a third party, which would also give him access to his mobile traffic and possibly also other services linked to the telephone number (see further below) with so access to his personal data. Therefore, the respondent had the data of the third and the must unambiguously compare data of the complainant known to him (and therefore not just based on a SIM card number which is anything but a strong means of authentication). After all, this is a legitimate purpose, namely the detection of possible fraud with telephone numbers which can have enormous consequences for those involved. 30. The Disputes Chamber also refers to the Report to the King to the Executive Royal Decision. The report states: “It is not the intention of the legislator here has been to impose a blanket ban on identity verification but strict subject to regulations in order to ensure a good level of protection of personal data can guarantee. ” By not carrying out an inspection, the defendant is, according to the Disputes Chamber also ignored the will of the legislator, namely to offer a good level of protection of personal data to data subjects. In a case like this, the - 9 Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of mobile public electronic communications services provided on the basis of a prepaid card, BS 7 December 2016. Decision on the merits 05/2021 - 13/22 limited - processing of personal data to verify identity precisely allows misuse of personal data. 31. The Disputes Chamber is of the opinion that the respondent in the present case could simply have checked whether the data on the identity card of the third party (after verification of the photo on the identity card) corresponded with the known data of the holder of the telephone number of the advance paid card. After all, the defendant had access to the identity card of the third party has failed to compare the personal data with that of the holder of the mobile number, in the present case, the complainant. By performing a verification, it would turn out to be two several persons went. Defendant has failed to make such little effort required verification, while the defendant as a telecom operator had to be aware of the tremendous consequences that such negligence could entail. The Disputes Chamber considers this negligence disproportionate. 32. Respondent added the Safety Working Method in its statement of defense. This internal piece for employees describes how personal data should be handled of customers and provides guidelines for the confidentiality of the data within the organization of the defendant. 33. Several points in the working method indicate that a full identity check (name, first name, telephone number, if there is one; customer number, date of birth, identity card number, address, amount of the last invoice and where and when the activation is requested) is required for “Any questions in light of contract change, such as; change of the tariff plan, change of address, P2P, PPP, activation or deactivation of a service, question for a copy of an invoice and ask for confidential information ”. 34. In the present case, the third party who (later) obtained the complainant's telephone number requested the conversion of his prepaid card to a postpaid subscription. He therefore asked for activation of a new service. This means that the defendant also had according to its own working method must ask for additional information with the aim of establishing the identity of the person in question. By failing to establish the identity of the third party with certainty, the respondent acted culpably negligently according to the Dispute Chamber. 35. Respondent argues that the infringement had very limited consequences for the complainant. The third According to the defendant, the person could not have access to the profiles of the complainant on several platforms such as WhatsApp and Paypal because those platforms use the two-step verification in order to be able to log in or register on their profiles. According to the complainant, the third had Decision on the merits 05/2021 - 14/22 furthermore, no access to all communications the complainant had in the past occurred. Therefore, according to the defendant, there is no infringement in any way of the complainant's privacy. There are only practical inconveniences that the complainant would have have experienced. 36. In this context, the Disputes Chamber points out that - unlike the defendant claimed - for the use of, for example, the WhatsApp application in principle that is sufficient someone has the phone number. The two-step verification that according to the defendant serves must be explicitly activated via the WhatsApp settings and is not enabled default on. The standard security setting is therefore that only the telephone number is sufficient to take over the use of the Whatsapp application. The user executes it telephone number through which he wishes to use the communication via the application, then an SMS message will be sent to that number. After the code contained in the text message is entered, communication can take place directly via WhatsApp. There is - if the two-step verification has not been activated - so nothing is needed other than access to the mobile phone number to which the verification code will be sent. 37. Moreover, by having a telephone number, there is a considerable chance that access to various types of personal data can be obtained. Various remind authorities - such as hospitals - of appointments through the sending SMS messages. In addition, it converts a phone number to one others leave the door wide open for fraud and scams (for example, because there are potential conversations and messages can be conducted on behalf of the injured party or sent. The Disputes Chamber therefore disagrees with the defendant's assertion that there is no there would be a breach of privacy in any way. 38. The Court of Justice emphasized the importance of telecom data in the following terms in its judgment in Digital Rights Ireland of 8 April 2014: “From these data, in their entirety considered, very precise conclusions can be drawn about the private life of the persons whose data is retained, such as their daily habits, their permanent or temporary residence, their daily or other movements, the activities they 10 exercise, their social relationships and the social circles in which they find themselves. ” Notwithstanding the third in the present case may not have had access to all the information referred to in the judgment, is the The litigation chamber believes that by having the complainant's phone number there is a significant risk of violation of his privacy rights. 10 Court of Justice of the EU, Digital Rights Ireland and Seitlinger and others, Joined cases C-293/12 and C-594/12, ECLI: EU: C: 2014: 238, r.o. 27. Decision on the merits 05/2021 - 15/22 39. Article 33 (1) of the GDPR states: “If there is a personal data breach occurred, the controller shall notify it without unreasonable delay and, if possible, no later than 72 hours after becoming aware of it, to the corresponding Article 55 competent supervisory authority, unless the infringement is unlikely to occur in connection with personal data poses a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. " 40. The respondent argues in its conclusions that there was no obligation to report the data leak to the Data Protection Authority. According to the defendant, the reason for this is the fact that the data leak concerned one data subject, it was of very short duration and according to the defendant no sensitive data was involved. The Disputes Chamber points out the above to the above consideration, namely that it can be considered plausible that there are for example SMS messages are received which would contain special personal data can contain. 41. In assessing whether an infringement poses a likely high risk to the rights and freedoms of natural persons according to the Guidelines of the Working Party 29 to be taken into account the answer to whether the infringement can lead to physical, material or immaterial damage to the persons whose data is the subject of the offense. Examples of such damage are discrimination, identity theft or fraud, financial loss and reputation damage. 11 By assigning the complainant's telephone number to a third, the complainant is exposed to the risk of performing fraudulent acts under his name, using his telephone number. Also exists - other than defendant seems to argue - a risk that sensitive data (such as health data) in hands come from third parties. Respondent argues that there was no duty to report for her, under others because it concerns a data breach of only one person. The Dispute Chamber points out, however, that a breach can have serious consequences even for one person, entirely depending on the nature of the personal data and the context in which they are compromised. Again, it comes down to looking at the likelihood and severity of this the consequences. 12 Moreover, according to the Disputes Chamber, this concerns a risk of structural nature nature where potentially all prepaid card users could be exposed. It's possible It cannot be ruled out that there are other cases of which the Disputes Chamber is not aware is hit. 11 Guidelines for reporting personal data breaches under Regulation 2016/679, wp250rev.01, Workgroup 29, p. 26. 12 Idem, p. 30 Decision on the merits 05/2021 - 16/22 42. Respondent submits an earlier notification dated 11 March 2019 to the Data Protection Authority 13 of a similar data leak about. It is also stated that another reason for the in In this case no mention of the leak was the following: “The Data Protection Authority has not followed up this file any further, which shows the limited importance that the Data Protection Authority indicates such (small) data leak. For that reason the suspicion of the conclusion that there would be no obligation to report in the present case has been confirmed. " The Disputes Chamber hereby points to the accountability of the defendant that arises from Article 5.2 and Article 24 GDPR where it is up to the defendant to demonstrate that they also acts in accordance with article 5.1. f GDPR namely: ”by taking appropriate technical or organizational measures are processed in such a way that an appropriate their security is ensured, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality ”).” The allegation that a previous report was not addressed by the Data protection authority does not affect the accountability obligation. 43. The Disputes Chamber points out once again that accountability under the articles 5 (2), Art.24 and Art.32 GDPR implies that the controller the takes the necessary technical and organizational measures to ensure that the processing is in accordance with the GDPR. The foregoing obligation is part of it properly fulfilling the responsibility of the defendant under Article 5 (2), 24 and 32 AVG. The Disputes Chamber points out that the accountability of article 5 paragraph 2 and article 24 GDPR is one of the central pillars of the GDPR. This means that on the controller has the obligation to, on the one hand, take proactive measures to ensure compliance with the requirements of the GDPR and, on the other hand, being able to demonstrate that he has taken such measures. 44. The Working Party 29 has indicated in the Opinion on the “principle of accountability” that two aspects are important in the interpretation of this principle: (i) “the need for a controller to provide appropriate and take effective action to enforce the principles for implement data protection; and (ii) the need to be able to demonstrate upon request that appropriate and effective measures have been taken. The controller should therefore 14 provide evidence of (i) above ”. 13 As document 5 to her conclusions. 14 Opinion 3/2010 on the “accountability principle” adopted on July 13, 2010 by the Group 29, p. 10 - 14 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf. Decision on the merits 05/2021 - 17/22 45. The Disputes Chamber is of the opinion that the respondent has not succeeded in the present case Demonstrate that proactive measures have been taken to ensure compliance with the GDPR. The defendant's employees first of all failed to carry out a verification between the identities of the third party and that of the complainant and Y subsequently failed to resolve the data breach to report to the Data Protection Authority. Respondent has not submitted any documents from which it appears that the documentation obligation imposed on the defendant has been met. The only document submitted by defendant regarding a data breach was a report dating from another data breach by the defendant to the data protection authority the year 2019. From the documents in the file, which was put forward at the hearing and the The fact that defendant has not submitted documentation of the data breach proves defendant nor does it meet the obligation of article 33, paragraph 5, which states that: “The controller documents all breaches related to personal data, including the facts about the breach in connection with personal data, the consequences thereof and the corrective measures taken. That documentation enables the supervisory authority to verify compliance with this Article to check." 46. The Disputes Chamber pointed out earlier in decision 2020/22 that: “accountability applied to data breaches means that it relates to a controller It is not only the obligation to these data leaks, if necessary, accordingly Articles 33 and 34 GDPR to report to the supervisory authority and the data subjects, however whereas the latter must also be able to demonstrate at all times that he has taken the necessary measures taken to be able to comply with this obligation ”15 The Disputes Chamber is of the opinion that this cannot be demonstrated in the present case. 47. In a non-exhaustive list that data controllers can contact in order to comply with the The Group 29 refers to, inter alia, the next measures to be taken: the implementation and supervision of control procedures to ensure that all measures exist not only on paper but also be implemented and function in practice, establishing internal procedures, the drawing up of a written and binding policy data protection, developing internal procedures for effective management and reporting security breaches. 15 Decision 22/2020 of 8 May 2020 of the Disputes Chamber, p. 12 Decision on the merits 05/2021 - 18/22 48. The Disputes Chamber also points to a form that is enclosed with the claim and in which A similar data breach was reported, namely the phone number of a customer who switched to another operator This phone number was incorrectly as seen freely and assigned to a new customer. In the form the respondent has the question “What is the degree or severity of the data breach for data subjects assessing the risks to the rights and freedoms of data subjects? ”, please note answered with “critical” data breach. According to the Disputes Chamber, this clearly shows that Respondent understands the seriousness of such a data breach. 49. The Disputes Chamber therefore finds violations of Article 33, paragraphs 1 and 5, and 34, paragraphs 1 and 2, AVG. The Dispute Chamber points out that there is a is obliged to document any data breach, whether risky or not, in order to to be able to provide information to the GBA. After all, the processing of personal data is a core activity of the defendant. In addition, personal data can be of great importance have sensitivity to those involved, in part because they are regular and systematic make observation possible. 16 The complainant had also informed in accordance with Article 34.1 should be the data breach. Notwithstanding the fact that complainant has already been informed was of the data leak by calling his own number, the defendant had said of these as yet and without delay, in accordance with the requirements of article 34 paragraph 2. The aforementioned article namely that the communication; the nature of the breach; the contact details of the data protection officer or other contact point where more information can be obtained are obtained and the measures proposed by the controller or genomes. 50. The Disputes Chamber concludes from the non-submission of a notice in the sense of Article 34 GDPR reasonably declines by the respondent that this is not a communication to the complainant done. The defendant therefore failed to inform the complainant after he became aware himself by means of a notification in accordance with article 34 paragraph 2 of the allocation of the telephone number to a third party. The Disputes Chamber rejects the defendant's argument that a notification to the person concerned was not necessary in this case as it would not be a high risk. In this context, the Disputes Chamber refers to the following example in the recent published “Guideline on Examples regarding Data Breach Notification” from the EDPB in which the contact center of a telecommunications company is called by a person who says one be a customer and request that his email address be changed to allow the accounts will be sent to that new email address from now on. The caller gives the correct one personal data of the customer, after which the invoices from now on to the new email address 16 Decision 18/2020 of April 28, 2020 of the Disputes Chamber Decision on the merits 05/2021 - 19/22 are sent. When the actual customer calls the company to ask why he isn't receives more invoices, the company realizes that the invoices are being sent to another person. 51. The EDPB considers the following regarding the above example: This case serves as an example on the importance of prior measures. The breach, from a risk aspect, presents a high level of risk, as billing data can give information about the data subjects private life (e.g. habits, contacts) and could lead to material damage (e.g. stalking, risk to physical integrity). The personal data obtained during this attack can also be used in order to facilitate account takeover in this organization or exploit further authentication measures in other organizations. Considering these risks, the “appropriate” authentication measure should meet a high bar, depending on what personal data can be processed as a result of authentication. As a result, both a notification to the SA and a communication to the data subject are needed from the controller. The prior client validation process is clearly to be refined in light of this case. The methods used for authentication were not sufficient. The malicious party was able to pretend to be the intended user by the use of publicly available information and information that they otherwise had access to. The use of this type of static knowledge-based authentication (where the answer does not change, and where the information is not “secret” such as would be the case with a password) is not recommended. ” 17 52. Reporting of breaches should be seen as a way of ensuring compliance on the protection of personal data. When there is an infringement in connection with personal data takes place or has taken place, this can lead to material or immaterial damage to natural persons or any other economic, physical or social damage to the person concerned. Therefore, the controller must, as soon as he becomes aware of a breach of personal data with a risk to rights and freedoms of data subjects, the supervisory authority without undue delay and, if possible, notify the breach within 72 hours. This allows the supervisory authority to exercise its duties and powers, as set out in the GDPR properly. 4. Breaches of the GDPR 17EDPB Guideline on Examples regarding Data Breach Notification, 01/2021, p. 30 Underline by the Dispute Chamber Decision on the merits 05/2021 - 20/22 53. The Disputes Chamber considers that the defendant has infringed the following provisions: a. Articles 5.1.f, 5.2, 24 and 32 GDPR,; given defendant insufficient took precautions to prevent the data breach b. Articles 33.1 and 33.5 and 34.1 GDPR, given that defendant did not mention it data breach to the GBA and the data subject. 54. The Disputes Chamber considers it appropriate to impose an administrative fine in the amount of 25,000 euros (Article 83, paragraph 2 GDPR; Article 100, §1, 13 ° WOG and Article 101 WOG). 18 55. Taking into account article 83 GDPR and the case law of the Marktenhof, the Disputes Chamber imposing an administrative fine in concrete terms: a) The seriousness of the breach: the Disputes Chamber has determined that the data leak was, among other things, too due to negligence on the part of the defendant. In addition, defendant failed to report the leak to the Data Protection Authority and both by conclusion if it was indicated during the hearing that in this case there is no likely high risk to the rights and obligations of the complainant resulting in no Reporting obligation would exist for the defendant. The fact that in this case it concerns telecom data from which precise information about a person's private life can be derived as well as the potential risk of committing fraudulent acts in their name person make a serious infringement. b) Duration of the infringement: the infringement lasted for four days, which is a considerable time frame is in the light of the potential hazard identified above. c) The fine to be imposed and the order to reconcile the processing are according to the Dispute Chamber such a deterrent to such violations in the future. 56. The Disputes Chamber points out that the other criteria of art. 83.2. In this case, GDPR is not in nature are that they lead to a different administrative fine than that which the Disputes Chamber enters the framework of this decision. 57. In its response to the intention to impose a fine, the defendant has objected against the amount of the intended fine. This file is according to the Dispute Chamber however, it appeared that there was negligence and negligence to protect personal data of the person concerned. After all, the processing of personal data makes one 18 Brussels Court of Appeal (section Marktenhof), X t. GBA, Judgment 2020/1471 of 19 February 2020. Decision on the merits 05/2021 - 21/22 core activity of the defendant, so it is of overriding importance that the personal data is processed in accordance with the GDPR. 58. The facts, circumstances and infringements established therefore justify a fine meets the need to have a sufficiently deterrent effect, whereby the defendant are sanctioned sufficiently strongly to prevent practices involving such violations would not be repeated. 59. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties are disclosed directly. 60. In its response to the proposed fine, the defendant requested that the decision not be upheld publishing, even in anonymous form. The Disputes Chamber rejected this request, with reference to the memorandum published on the GBA website about the publication of decisions, in which it is stated that: “The Dispute Chamber is based on the principle that all its decisions, with few exceptions, are published on its website, with a view to 19 the overall goal of transparency, but also visibility and accountability. ” FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to the defendants: - Pursuant to Article 100, §1, 9 ° WOG, to order processing in accordance with Articles 5.1.f, 5.2, 24 and 32 GDPR, in particular the policy on regarding the identification and verification of prepaid customers in accordance with the AVG is brought. The Disputes Chamber gives the defendant a period of three for this 19 https://www.gegevensbeschermingsautoriteit.be/publications/beleid-van-de-geschillenkamer-inzake-de-publicatie-van-de- decisions.pdf Decision on the merits 05/2021 - 22/22 months and the Disputes Chamber expects the defendant to report it within the same period for bringing the processing into line with aforementioned provisions. - an administrative fine on the basis of Article 83 GDPR and Articles 100, 13 ° and 101 WOG of EUR 25,000 to be imposed on the defendants for infringements of the articles 5.1.f, 5.2, 24, 32, 33.1 and 5, 34.1 GDPR. Against this decision on the basis of art. 108, §1 WOG, appeals are lodged within one term of thirty days, from the notification, at the Marktenhof, with the Data protection authority as defendant (get.) Hielke Hijmans Chairman of the Disputes Chamber