Garante per la protezione dei dati personali (Italy) - 9754332
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Relevant Law: | Article 28(2) GDPR; Article 32 GDPR |
| National Case Number/Name: | 9754332 |
| European Case Law Identifier: | n/a |
| Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor: | Cesar Manso-Sayao |
The Italian DPA fined an IT company acting as processor €10,000 for a data breach caused by inadequate security measures (Article 32 GDPR) and for engaging a sub-processor without the controller's authorisation (Article 28(2) GDPR).
English Summary
Facts
This case was initiated by a data breach notification reported by the Tuscany Region authorities to the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) on 30 July 2020. The breach involved the accidental disclosure of personal data belonging to approximately 3500 candidates participating in a public recruitment competition for administrative assistant job positions.
The Tuscany Region, which ran the competition and was the data controller, had a processing agreement with the IT company Scanshare S.r.l. for services related to the organisation and management of the pre-selection phase. The processor was tasked with processing the data needed to complete the recruitment tests and with uploading that data to a server hosting a web page on which each candidate could consult their individual score.
In reply to a candidate who had asked about the publication of the results, the processor sent an email that, by mistake, contained a link to the web application used to upload the candidates' personal data and scores, rather than the link to the website on which each candidate could log in to view only their own result.
The link to the upload application, which exposed the entire data set, was then circulated among other candidates. Through it, anyone with the link could view and download, inter alia, the name, surname, date of birth, tax code, detailed questionnaire results and overall score of every participant. The data remained exposed for approximately one hour before the breach was discovered and remedied. The processor then engaged, without consulting the controller, the hosting company Hostinger to provide the logs of the IP addresses that had accessed the data without authorisation.
During the Garante's investigation, the processor argued that the breach was not malicious but the result of an employee's mistake, since the link to the candidates' results website and the link to the web application for uploading the full data set had the same name. It further stated that Hostinger, the third party engaged to investigate the breach, had ultimately been unable to provide the requested logs, had never had any access to the personal data and test scores held on the processor's servers, and therefore should not be regarded as a sub-processor.
Holding
The Garante held that the personal data breach was attributable mainly to the processor rather than the controller. In particular, the technical and organisational measures adopted by the processor were not adequate to the risks of the processing, and this inadequacy led to the breach. The processor had therefore failed to comply with its obligations regarding the security of processing under Article 32 GDPR.
Additionally, the Garante held that Hostinger, the third party engaged by the processor to investigate the breach, had to be considered a sub-processor. Although Hostinger did not directly access the personal data contained on the processor's website, it collects, records and stores personal data of its own, such as the IP address of the user's device and of the server hosting the visited website, together with the date and time of each connection. Since the controller had not authorised this engagement, the Garante found a violation of Article 28(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.