DPC (Ireland) - IN-19-7-2

Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(d) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 25(1) GDPR, Article 26 GDPR
DPC Case Reference: IN-19-7-2
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.03.2021
Published:
Fine: 90000 EUR
Parties: n/a
National Case Number/Name: IN-19-7-2
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act 2018 (in EN)
Initial Contributor: Tara Taubman-Bassirian

The Irish DPA fined the Irish Credit Bureau (ICB) €90,000 over a technical error in its database which led to the disclosure of incorrect account records. The ICB violated Article 25(1) GDPR by failing to take measures designed to implement the accuracy principle in the database, and Articles 5(2) and 24(1) GDPR by failing to undertake appropriate testing of coding changes.

English Summary

Facts

A complaint was filed against the ICB, a credit agency, for misinforming its members (financial institutions) about the performance of credit agreements, resulting in incorrect credit scores for borrowers. This 'data breach' of the principle of accuracy was due to a technical error following a 'code change'. Between 28 June 2018 and 30 August 2018, 15,120 accounts were inaccurately closed. The issue was fixed on 31 August 2018, after the ICB had been made aware of it on 29 August 2018.

The ICB responded promptly to rectify the errors and contacted the affected financial institutions and the Irish Data Protection Commission ('DPC'). The ICB notified three of its members whose updates accounted for 98% of the incorrect account records. The remaining 20 members, whose updates accounted for 2% of the incorrect records, were contacted on 4 and 5 September 2018. The ICB argued that its change management process complied with ISO 27001 and that it faced challenges in ensuring the accuracy of data taken directly from its members.

Holding

The DPC found that the ICB had infringed Article 25(1) GDPR by failing to implement appropriate technical and organisational measures designed to implement the principle of accuracy in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. It also found that the ICB had infringed Articles 5(2) and 24(1) GDPR by failing to demonstrate compliance with Article 25(1) GDPR.

The DPC highlighted that the appropriate technical and organisational measures that the ICB ought to have implemented include a technical measure to prevent payment profile updates to closed accounts. It ought also to have implemented a comprehensive documented change management process that made express provision for, amongst other things, the testing of coding changes and a formal approval procedure for proposed coding changes.
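As an added illustration (not the ICB's code and not taken from the decision), the first of those measures and the kind of documented test the DPC expected can be expressed as a guard that refuses payment-profile updates aimed at closed accounts, writes the refusal to an audit log, and exposes the result through a repeatable test. The account IDs, update format and dates are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Account:
    account_id: str
    closed_on: Optional[date] = None      # None while the account is open
    payment_profile: list = field(default_factory=list)

def apply_payment_updates(accounts: dict, updates: list, audit: list) -> dict:
    """Apply member-submitted payment-profile updates and return counts.
    Technical measure: an update aimed at an account already marked closed is
    refused and written to `audit`, so a faulty coding change cannot silently
    alter a closed account's record."""
    applied = rejected = 0
    for upd in updates:
        acct = accounts.get(upd["account_id"])
        if acct is None:
            audit.append(("unknown_account", upd["account_id"], upd["as_of"]))
            rejected += 1
        elif acct.closed_on is not None:
            audit.append(("closed_account_update_rejected", acct.account_id, upd["as_of"]))
            rejected += 1
        else:
            acct.payment_profile.append((upd["as_of"], upd["status"]))
            if upd["status"] == "closed":
                acct.closed_on = upd["as_of"]
            applied += 1
    return {"applied": applied, "rejected": rejected}

def build_sample():
    """Constructed sample data (hypothetical account IDs, not from the decision)."""
    accounts = {"A1": Account("A1"), "A2": Account("A2", closed_on=date(2018, 6, 1))}
    updates = [
        {"account_id": "A1", "status": "paid", "as_of": date(2018, 7, 1)},
        {"account_id": "A1", "status": "closed", "as_of": date(2018, 8, 1)},
        {"account_id": "A1", "status": "paid", "as_of": date(2018, 8, 15)},  # after closure
        {"account_id": "A2", "status": "paid", "as_of": date(2018, 7, 1)},   # closed in June
        {"account_id": "A3", "status": "paid", "as_of": date(2018, 7, 1)},   # unknown account
    ]
    return accounts, updates

def run_sample():
    """The documented test of the change: returns (counts, audit, accounts)."""
    accounts, updates = build_sample()
    audit = []
    counts = apply_payment_updates(accounts, updates, audit)
    return counts, audit, accounts
```

Keeping the returned counts and audit entries with the change record is what lets a controller later show a supervisory authority that the coding change was tested and what the test found.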

The DPC highlighted that Articles 5(2) and 24(1) GDPR are crucial to the oversight and enforcement actions of supervisory authorities, and noted in this regard that the ICB's failure to document the testing of coding changes had prevented the DPC from analysing the adequacy of that testing.

The DPC issued the ICB with a reprimand in respect of its infringements of Articles 25(1), 5(2) and 24(1) GDPR, in addition to the administrative fine, in order to give full effect to the obligations in those Articles and to formally recognise the seriousness of the infringements found in the decision. The DPC found that the ICB's infringement of Article 25(1) GDPR warranted the imposition of an administrative fine pursuant to Article 58(2)(i) GDPR in addition to the reprimand. The reasons for that decision and the method for calculating the fine were set out in detail. Taking account of all the circumstances, the figure of €90,000, amounting to 0.9% of the available cap and 2% of the ICB's turnover, was deemed appropriate.

Comment

This decision stresses the necessity of keeping records to comply with the principle of accountability. Simply stating compliance with ISO 27001 is not sufficient. Inaccuracy of processed data can have serious effects, creating high risks for data subjects.
