Garante per la protezione dei dati personali (Italy) - 9817058

Authority: Garante per la protezione dei dati personali (Italy)
Relevant Law: Article 5(1)(f) GDPR; Article 25(1) GDPR; Article 32 GDPR; Article 58(2)(i) GDPR; Article 83(3) GDPR
Parties: Servizio Idrico Integrato S.c.p.a.
National Case Number/Name: 9817058
European Case Law Identifier: n/a
Original Source: GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT)
The Italian DPA imposed a €15,000 fine on a company providing water services for the use of an insecure network protocol and the lack of encryption on its website.
English Summary
Facts
A company providing water services (the controller) operated a website without a secure network protocol, using plain "http" (hypertext transfer protocol). A customer of the company (the data subject), who visited the website, complained about this to the Italian DPA. In particular, the data subject was concerned that contacts and invoices were managed without encryption. According to the data subject, encryption was necessary because the website authenticated users and transmitted their personal data. Following the complaint, the DPA started an investigation into the controller.
During the investigation, the controller argued that no user had ever alleged a data breach resulting from the situation under dispute. In addition, the controller stated that it had adjusted the security profile of the website, which was now in line with recognised standards, and that the transition to a more secure protocol had been set in motion long before the DPA's investigation. Moreover, the controller argued that the data potentially exposed to an infringement did not contain any special categories of personal data.
Holding
First, the DPA recalled that Article 5(1)(f) GDPR provides for processing of personal data to be carried out in accordance with the principle of integrity and confidentiality. Based on this principle, Article 32 GDPR states that the controller must implement suitable technical and organisational measures to ensure a level of security appropriate to the risk, including encryption. Furthermore, the controller must ensure appropriate means to effectively implement data protection principles and integrate the necessary safeguards pursuant to Article 25(1) GDPR (data protection by design).
The DPA noted that in the case at hand the controller had dedicated a website to providing online services, but had failed to implement a network protocol guaranteeing the confidentiality and integrity of the data exchanged between the user's browser and the server hosting the controller's website. The DPA found that the lack of safeguards also prevented users from verifying the authenticity of the website displayed. The DPA held that the controller should have put appropriate technical measures (such as the 'https' protocol) in place from the beginning, that is, from the moment the website was designed.
The DPA concluded that the lack of encryption on its website when transferring personal data constituted a breach of Articles 5(1)(f) and 32 GDPR. Additionally, the controller violated Article 25(1) GDPR because it failed to implement a secure network protocol from the moment of designing the website. Pursuant to Articles 58(2)(i) and 83(3) GDPR, the DPA fined the controller €15,000 for these violations. The DPA took into account, as a mitigating circumstance, that the controller swiftly adjusted its security protocol once the investigation began.
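The holding turns on three properties that plain http cannot give a login page: confidentiality and integrity of the data in transit, and the user's ability to verify that the page really comes from the controller. The following added example (not part of the GDPRhub page or of the decision) shows how a defender can check a captured response for exactly those defects: a page fetched over http without a redirect to https, a password form that submits over http, a login form that is itself delivered over http (so its content is unauthenticated even if it posts to https), and an https page that omits HSTS. The host `utility.example`, the path `/area-riservata` and the sample responses are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass
class CapturedResponse:
    """One HTTP response as recorded by a browser or proxy (constructed here)."""
    url: str                 # URL the response was fetched from
    status: int
    headers: dict[str, str]
    body: str = ""


class _FormScanner(HTMLParser):
    """Collects every <form> in the body and whether it holds a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # attributes without a value become ""
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_transport(resp: CapturedResponse) -> list[str]:
    """Return the transport-security findings for one captured response."""
    findings: list[str] = []
    page = urlsplit(resp.url)
    headers = {k.lower(): v for k, v in resp.headers.items()}

    if page.scheme == "http":
        # An http entry point is acceptable only if it immediately redirects to https.
        location = urlsplit(headers.get("location", ""))
        redirected = 300 <= resp.status < 400 and location.scheme == "https"
        if not redirected:
            findings.append("plain-http page not redirected to https")
    elif "strict-transport-security" not in headers:
        # Without HSTS a returning browser may still try http first.
        findings.append("https page without Strict-Transport-Security header")

    scanner = _FormScanner()
    scanner.feed(resp.body)
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(resp.url, form["action"]))
        if target.scheme != "https":
            findings.append(f"password form submits over plain http to {target.geturl()}")
        if page.scheme == "http":
            # Even a form posting to https is unsafe if the page carrying it was not
            # authenticated: an on-path attacker can rewrite the action attribute.
            findings.append("login form delivered over plain http: page content is unauthenticated")
    return findings


# Constructed captures, modelled on the before/after situation the decision describes.
LOGIN_FORM = (
    '<html><body><form action="/area-riservata/login" method="post">'
    '<input name="username"><input type="password" name="password">'
    '</form></body></html>'
)
BEFORE = CapturedResponse("http://utility.example/area-riservata", 200,
                          {"Content-Type": "text/html"}, LOGIN_FORM)
AFTER_REDIRECT = CapturedResponse("http://utility.example/area-riservata", 301,
                                  {"Location": "https://utility.example/area-riservata"})
AFTER = CapturedResponse("https://utility.example/area-riservata", 200,
                         {"Content-Type": "text/html",
                          "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                         LOGIN_FORM)
MIXED = CapturedResponse("https://utility.example/area-riservata", 200,
                         {"Strict-Transport-Security": "max-age=31536000"},
                         LOGIN_FORM.replace('action="/area-riservata/login"',
                                            'action="http://utility.example/login"'))

if __name__ == "__main__":
    for name, capture in [("before", BEFORE), ("after (redirect)", AFTER_REDIRECT),
                          ("after", AFTER), ("mixed", MIXED)]:
        print(name, "->", audit_transport(capture) or ["no findings"])
```

The `BEFORE` capture reproduces the state the DPA sanctioned and yields three findings; the `AFTER_REDIRECT` and `AFTER` captures, taken together, describe the remediated site (http redirecting to https, the https page carrying HSTS) and yield none. The `MIXED` capture shows why the check looks at the form target and not only at the page scheme.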
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
Injunction order against Servizio Idrico Integrato S.c.p.a. - 6 October 2022

SEE ALSO NEWSLETTER OF 24 OCTOBER 2022

[doc. web n. 9817058]

Injunction order against Servizio Idrico Integrato S.c.p.a. - 6 October 2022

Record of measures n. 328 of 6 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation");

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, containing the "Code regarding the protection of personal data, laying down provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD to Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and at www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of Regulation of the Guarantor no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, doc. web n. 1098801;

RAPPORTEUR Avv. Guido Scorza;

WHEREAS

1. Introduction.

With a complaint of XX, submitted pursuant to art. 77 of the Regulation, a user of the company Servizio Idrico Integrato S.c.p.a. (hereinafter, the "Company") complained that the Company's website contained "a user area [...] where contacts and invoices are managed [in the absence of an] encryption system (SSL certificate) [, which], as is known, is necessary as there is authentication and transit of personal data". The complainant, who had also reported this circumstance to the Company "twice by certified e-mail on XX and previously on XX", without receiving a reply, believes that "Article 32 of the [Regulation] (Security of processing), in particular paragraph 2" has been violated. The use of an insecure network protocol (such as the "http" protocol) on the website in question was ascertained by the Guarantor's Office with a service report of XX.

2. The preliminary investigation.

With a note of XX (prot. no. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged as a result of the investigation, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. f), 25, par. 1, and 32 of the Regulation, inviting the aforementioned controller to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

With a note of XX, the Company, through its lawyer, presented a defence brief, declaring, in particular, that:

- "Within the site there is [...] a reserved area dedicated only to users who have a service supply contract with the company and who have previously registered with the company itself. Once the user has provided the necessary personal data and the data of the user concerned, login credentials consisting of a username and password are provided. With these codes, the user can directly, confidentially and exclusively check and monitor the information concerning the supply connected to the user contract and can view and print the bills issued, the service provided, the rates applied, the type of user assigned, as well as communicate the self-reading";
- "No objection was raised about any violations of personal data that occurred as a result of the disputed situation such as to result in actual damage to the integrity, confidentiality and availability of the personal data processed through the site";
- "The security profile of the site itself is perfectly adequate to the currently recognised standard, the migration to the "https" protocol (hypertext transfer protocol over secure socket layer) having taken place [on XX (see Annex A to the brief)]";
- "SII immediately adjusted the security level of the site. Among other things, it is noted that the certificates used for the transition to the "https" protocol were purchased long before the communication from the Guarantor, as an indication of the alignment action that the company intended to achieve";
- "There are around 13,000 registrations in the restricted area, including over 2,000 companies, compared to a catchment area represented by the inhabitants of the 32 municipalities where the service is provided, which can be quantified at over 220,000";
- "The dispute relates to negligent conduct, since the factual circumstances exclude any awareness and intentionality of the violation";
- "An analysis was made of the accesses which returned, with reference to the period covered by the verification, a trend without anomalies, such as to suggest that there have been no attempted or completed personal data breach events [...; moreover] the registration passwords are encrypted";
- "Following analyses carried out on the personal data processing activities carried out in the company, SII has adopted a system of technical and organisational measures suitable for managing the risks to the rights and freedoms of natural persons relating to the processing activities carried out in the company";
- "The personal data potentially exposed to violation are not included among those belonging to special categories, as they consist exclusively of name, surname or company name, tax code or VAT number, e-mail and telephone number, billing statements, as well as the SII user identifier";
- "No financial or other benefits derived to SII from the conduct subject to dispute. No damage has arisen from it to the complainant or to other data subjects and, with the described adjustment intervention, the risk to natural persons in relation to the data circulating and transported by the site www.siiato2.it has been reduced in line with the probability and severity of the same, with reference to the state of the art and costs".

At the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on XX (prot. no. XX of XX), the Company stated, in particular, that:

- "In the reserved area there is no data relating to economic transactions, as it is not possible, for example, to pay bills online or to activate bank direct debits";
- "The company also acts as a monopoly and, therefore, the website has no commercial or advertising purpose, being aimed only at providing useful information to users";
- "The company therefore promptly acknowledged the findings of the Guarantor's Office during the investigation, providing, in particular, for the encryption of all user connections to the institutional website and to the reserved area. Even following the adoption of these measures, no security incidents have been detected in relation to the personal data in question".

3. Outcome of the preliminary investigation.

Pursuant to art. 5, par. 1, lett. f), of the Regulation, the processing of personal data must be carried out in accordance with the principle of "integrity and confidentiality", according to which personal data must be processed in a manner that ensures appropriate security, including protection, by means of appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage. Based on this principle, art. 32 of the Regulation provides that the controller, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must implement technical and organisational measures appropriate to ensure a level of security appropriate to the risk, which include, among others, where applicable, "the encryption of personal data".

Furthermore, based on the principle of "data protection by design", formalised by art. 25, par. 1, of the Regulation, the controller, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, must put in place, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures aimed at effectively implementing the data protection principles and integrating the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects. Recital 78 of the Regulation highlights a specific responsibility of the controller, namely to constantly evaluate whether it is using the appropriate means of processing at any given time and whether the measures chosen effectively address existing vulnerabilities. Furthermore, the controller should carry out periodic reviews of the security measures put in place to protect personal data. The obligation to maintain, verify and update, where necessary, the processing also applies to existing systems. This implies that systems designed before the entry into force of the Regulation must be subjected to checks and maintenance to ensure the application of measures and safeguards that effectively implement the principles and rights of data subjects (cf. "Guidelines 4/2019 on Article 25 - Data Protection by Design and by Default", adopted by the European Data Protection Board on 20 October 2020, spec. points 38 and 84). With particular reference to the principle of "integrity and confidentiality", the controller must (see the cited Guidelines 4/2019 on Article 25, spec. point 85): assess the risks to the security of personal data, considering the impact on the rights and freedoms of data subjects, and effectively counter those identified; protect personal data against unauthorised and accidental changes and access during their transfer.

That said, on the basis of the elements acquired and the facts that emerged as a result of the investigation, it was ascertained that access to the Company's website dedicated to "online services" (reachable at the address http://...) took place via the "http" network protocol (hypertext transfer protocol). It was also ascertained that the main page of the aforementioned website contained the forms for entering the users' authentication credentials (username and password). Furthermore, as emerges from the documentation on file, within the "Registry" section of the personal area of the website in question, the user's personal data can be consulted, such as the customer code, name and surname, telephone number, tax code, VAT number, if any, e-mail address, residential address and the type of service provided. Within the "Invoices" section it is also possible to view and download the invoices issued by the Company for the services provided to the user.

In this regard, the Authority, even under the previous regulatory framework on the protection of personal data, stated that the interaction of a user with a website for the purpose of transmitting personal data must be protected with SSL (Secure Socket Layer) cryptographic protocols, ensuring better security against the ever-present risks of identity theft in web interactions with ordinary unencrypted http protocols (see, among others, provisions of 10 June 2021, no. 235, doc. web n. 9685922; 2 December 2021, no. 422, doc. web n. 9734884; 2 December 2021, no. 423, doc. web n. 9734934; 27 January 2022, no. 34, doc. web n. 9746448; 24 March 2022, no. 107, doc. web n. 9767635; 26 May 2022, no. 201, doc. web n. 9790365).

The use of cryptographic techniques is, in fact, at the state of the art, one of the measures commonly adopted to protect, in particular, the authentication credentials of the users of an online service during their transmission over the Internet; this taking into account the high risks presented by the processing of such data, which may derive from unauthorised access to them or from their disclosure, also due to the habit of many users of reusing the same password, or in any case a very similar password, for accessing various online services. Instead, access to the website in question took place in an insecure way, using the

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Company adopted the "https" protocol on XX, the prerequisites for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and ancillary sanctions (articles 58, par. 2, lett. i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lett. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code" (art. 16, paragraph 1, of Regulation of the Guarantor no. 1/2019).

In this regard, taking into account art. 83, par. 3, of the Regulation, in this case the violation of the aforementioned provisions is subject to the application of the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation.

The amount of the aforementioned administrative pecuniary sanction, imposed according to the circumstances of each individual case, must be determined taking into account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, the high number of data subjects registered in the reserved area of the Company's website, whose personal data are being processed ("in all about 13,000, including over 2,000 companies"), was taken into account. It was also considered that, although the complainant had pointed out to the Company on two occasions that the security measures adopted on the aforementioned site were insufficient, the Company did not promptly take action, before the investigation was initiated by the Guarantor, to put an end to the violation. On the other hand, it was taken into consideration that the Company, once it learned of the procedure started by the Authority, promptly adopted the necessary measures to resolve the security issue on its website, providing full cooperation during the investigation. Finally, there are no previous relevant violations committed by the controller or previous measures referred to in art. 58 of the Regulation.

Based on the aforementioned elements, evaluated as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction at € 15,000 (fifteen thousand) for the violation of articles 5, par. 1, lett. f), 25, par. 1, and 32 of the Regulation, as an administrative pecuniary sanction considered, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account the high number of data subjects registered in the reserved area of the Company's website, whose data are processed, it is also believed that the ancillary sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7, of the Code and art. 16 of Regulation of the Guarantor no. 1/2019, should be applied. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f), of the Regulation, the unlawfulness of the processing carried out by Servizio Idrico Integrato S.c.p.a. for violation of articles 5, par. 1, lett. f), 25, par. 1, and 32 of the Regulation, within the terms set out in the reasoning;

ORDERS Servizio Idrico Integrato S.c.p.a., in the person of its pro-tempore legal representative, with registered office in Via I Maggio, 65 - 05100 Terni (TR), C.F. 01250250550, to pay the sum of € 15,000 (fifteen thousand) as an administrative pecuniary sanction for the violations indicated in the reasoning. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by payment, within 30 days, of an amount equal to half of the sanction imposed;

ENJOINS the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 15,000 (fifteen thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of Law no. 689/1981.

ORDERS, pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of Regulation of the Guarantor no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 6 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei