| NAIH - NAIH / 2020/66/21 | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 25(1) GDPR, Article 25(2) GDPR, Article 32(1)(b) GDPR, Article 34(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 09.12.2020 |
| Published: | 16.12.2020 |
| Fine: | 20,500,000 HUF |
| Parties: | „ROBINSON-TOURS” Tourism and Service Ltd.; Next Time Media Agency Ltd. |
| National Case Number/Name: | NAIH / 2020/66/21 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (Hungary) (in HU) |
| Initial Contributor: | n/a |
The Hungarian DPA (NAIH) fined a travel agency and its data processor a combined €55,000 for not implementing appropriate technical and organisational measures, which left the personal data of the agency's customers accessible to anyone on a website that was also indexed by a search engine.
English Summary
Facts
A complainant typed his father's name into Google and, through one of the search results, opened a database without any authentication or authorisation check. The DPA verified the links and launched an investigation. It found that the database contained personal data of customers of the travel agency Robinson-Tours: names, booking dates, reservation status, addresses, identity card numbers and passport numbers with dates of issue and expiry, e-mail addresses, telephone numbers and the dates of conclusion of travel contracts. The records could be filtered by destination and date. Anyone could upload a "passport photo" (in practice a file of almost any format) or add a comment to a booking, and the individual customers' travel contracts could be downloaded as PDF files. Google had crawled the content, so the data were reachable by searching for a passenger's name.
The investigation showed that Robinson-Tours had engaged Next Time Media Agency as its data processor for hosting, programming, administration and IT services, with the contractual task of implementing appropriate security measures (firewall, anti-virus, multi-level authentication and access control, strong passwords with forced rotation, daily backups, logging). The exposed data came from a test database created during development and never removed: a data connection to the live system remained, so the test database was continuously updated with real customer data and was not protected by any authentication. The data of 781 persons (including 46 children), around 2,506 items of personal data, were accessible from 13 November 2019 to 4 February 2020.
The controller did not communicate the breach to the data subjects. The website had not been subjected to regular security checks or vulnerability tests, and the processor's access logs were overwritten every 30 days.
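The failure described above is the classic one: a test copy reachable by a direct URL, no login in front of it, nothing telling search engines to stay out, and nobody probing the site from the outside to notice. The following Python script is an added example, not code from the GDPRhub page or from the decision; it is the kind of periodic check the decision faults the processor for not running. It requests a list of URLs with no cookies or credentials, refuses to follow redirects (a 302 to the login page is exactly the evidence wanted), and flags any URL that answers 200 with something other than a login form, noting whether the page is indexable and whether the body shows hints of passenger data. The demo server, hostnames, paths, response bodies, the "two letters plus seven digits" passport pattern and the other heuristics are constructed for the example.

```python
"""
Unauthenticated-exposure check for URLs that must require a login and must
not be indexable by search engines. Added example, not code from the
GDPRhub page or from the decision; the hostnames, paths, sample response
bodies and the PII heuristics below are constructed for the demo.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Heuristics applied to an unauthenticated 200 body (constructed, illustrative).
PII_HINTS = [
    re.compile(r"\bpassport\b", re.I),
    re.compile(r"\b[A-Z]{2}\d{7}\b"),          # two letters + 7 digits: assumed passport format
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),   # e-mail address
]
LOGIN_FORM = re.compile(r'<input[^>]+type=["\']password["\']', re.I)
META_NOINDEX = re.compile(r'<meta[^>]+name=["\']robots["\'][^>]+noindex', re.I)


def assess_exposure(status, headers, body):
    """Classify a single response obtained WITHOUT cookies or credentials.
    headers: dict of response headers (any case); body: decoded text."""
    h = {k.lower(): v for k, v in headers.items()}
    noindex = ("noindex" in h.get("x-robots-tag", "").lower()
               or META_NOINDEX.search(body) is not None)
    # A 200 that is merely the login form is not an exposure.
    exposed = status == 200 and LOGIN_FORM.search(body) is None
    return {
        "exposed": exposed,
        "indexable": exposed and not noindex,
        "pii_hints": sum(1 for p in PII_HINTS if p.search(body)) if exposed else 0,
        "redirects_to_login": status in (301, 302, 303, 307, 308)
                              and "login" in h.get("location", "").lower(),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to /login is itself the evidence we want."""
    def redirect_request(self, *args, **kwargs):
        return None


def fetch_unauthenticated(url, timeout=5):
    """Plain GET with no cookies or credentials; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:   # unfollowed 3xx, 4xx and 5xx all land here
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def check_urls(urls, fetch=fetch_unauthenticated):
    """Return (url, status, verdict) for every URL readable without credentials."""
    findings = []
    for url in urls:
        status, headers, body = fetch(url)
        verdict = assess_exposure(status, headers, body)
        if verdict["exposed"]:
            findings.append((url, status, verdict))
    return findings


# --- Local demo server standing in for a partner portal (constructed) -------
class _DemoHandler(BaseHTTPRequestHandler):
    ROUTES = {
        # Forgotten test copy: reachable, indexable, full of passenger data.
        "/partnerkapu_test": (200, {}, "<table><tr><td>Kiss Anna</td>"
                              "<td>passport HU1234567</td><td>anna@example.com</td></tr></table>"),
        # Live portal: sends anonymous visitors to the login page.
        "/partnerkapu": (302, {"Location": "/login"}, ""),
        "/login": (200, {"X-Robots-Tag": "noindex"},
                   '<form><input type="password" name="pw"></form>'),
    }

    def do_GET(self):
        status, headers, body = self.ROUTES.get(self.path, (404, {}, "not found"))
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))

    def log_message(self, *args):   # keep the demo output quiet
        pass


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    urls = [base + p for p in ("/partnerkapu_test", "/partnerkapu", "/login")]
    for url, status, verdict in check_urls(urls):
        print("EXPOSED %s (HTTP %d) indexable=%s pii_hints=%d"
              % (url, status, verdict["indexable"], verdict["pii_hints"]))
    server.shutdown()
```

Run as a script it starts the constructed demo server and reports only the forgotten test path; the live portal (302 to the login page) and the login form itself are not reported. In practice the URL list is the inventory of every hostname and path that is supposed to sit behind a login, including old staging and "test" names, and the check runs from outside the network on a schedule, because a 30-day log window cannot reconstruct what the check would have caught on day one.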
Dispute
What constitutes appropriate technical and organizational measures to ensure data protection by design and by default (Article 25 GDPR)?
Holding
The DPA held that Robinson-Tours, as controller, breached Articles 25(1) and (2) GDPR (data protection by design and by default), Article 32(1)(b) GDPR (security of processing) and Article 34(1) GDPR (communication of the breach to data subjects), and that Next Time Media Agency, as processor, breached Article 32(1)(b) GDPR because it neither severed the link between the test and live databases nor subjected the website to proper security checks and vulnerability tests. Robinson-Tours and Next Time Media Agency were fined 20,000,000 HUF and 500,000 HUF respectively, and Robinson-Tours was ordered to inform the data subjects of the breach within 15 days.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH / 2020/66/21 Subject: Ex officio decision data protection authority Clerk: pending H A T Á R O Z A T The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) a „ROBINSON-TOURS” Tourism and Service Ltd. „f.a.” (registered office: 8230 Balatonfüred, Gombás köz 5., company registration number: 19-09-501812) (hereinafter: Customer 1 or data controller) (represented by: ECONO-GROUP Pénzügyi és Gazdasági Szakértő Kft., […] liquidator, address: 8200 Veszprém, Házgyári út 22 / B.) And Next Time Media Agency Ltd. (registered office: 1202 Budapest, Fiume u. 17., company registration number: 01-09-294227) (hereinafter: Customer 2. or data processing incident) on 30 January 2020. due to the circumstances revealed during the official inspection initiated on 2 April 2020 ex officio data protection authority proceedings I. Customer 1. as a data controller (1) finds that: a) Customer 1. did not comply with the natural persons processing of personal data the free movement of such data and Directive 95/46 / EC Regulation (EU) 2016/679 repealing Directive general data protection regulation) in Article 25 (1) to (2) and default privacy principle, as the design of your website is not appropriate entrusted a selected data controller, which is serious, in principle infringing and not led to deficiencies in secure data management planning. The design, design shortcomings directly allowed the confidentiality of the data to be kept high-risk privacy incident. (b) Customer 1. has not complied with Article 32 (1) (b) of the General Data Protection Regulation when it comes to the travel services it offers used and stored its personal data storage system and website operated to allow anyone to access the Internet through a vulnerability due to its existence. Due to this shortcoming, the confidentiality of the data is severely compromised damaged, which directly allowed the high-risk privacy incident occurrence. (c) Customer 1. 
has not complied with Article 34 (1) of the General Data Protection Regulation with the existing data protection incident when you did not report the high-risk privacy incident to stakeholders. 2) instructs Client 1 to comply with this decision within 15 days of becoming final inform the data subject of the fact and circumstances of the incident, the data subject on the scope of personal data and the measures taken for the elimination, 3) due to the above violation, the Client received 1 day 30 days from the becoming final of this decision within HUF 20,000,000, ie HUF twenty million order to pay a data protection fine; II. Customer 2. as a data processor 1) finds that Customer 2. has not complied with Article 32 (1) of the General Data Protection Regulation; paragraph (b) when anyone accesses the database affected by the incident could access the Internet due to the existence of a vulnerability, so the data the confidentiality of its processing has been seriously compromised. This is because Customer 2 is the website has not broken the link between the test and live databases concerned during its operation, in addition, the website has not been subjected to proper security checks for vulnerabilities tests. The omission directly allowed access to personal data and thus the occurrence of a data protection incident. 2) due to the above violation, Customer 2 shall be granted 30 days from the date on which this decision became final within HUF 500,000, five hundred thousand forints order to pay a data protection fine; III. order the final decision by publishing Customer ID 1 and Customer ID 2 disclosure. The fine is the Authority's forint collection account for the collection of centralized revenues (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid by bank transfer. When transferring the amount, NAIH / 2020/66 JUDGE. should be referred to. 
Client 1 took the taking of the measures provided for in point I./2) from the taking of the measure You must provide proof in writing within 15 days, together with supporting evidence to the Authority. If Customer 1 and Customer 2 fail to meet their penalty payment deadline shall be required to pay a late payment allowance. The rate of default interest is the statutory interest, which is a the central bank base rate valid on the first day of the calendar half-year affected by the delay. THE the Authority's centralized revenue collection forint account (10032000-01040425-00000000 Centralized direct debit account). Failure to comply with the obligation under point I./2) and failure to pay the fine and the late payment allowance in the event of payment, the Authority shall order enforcement of the decision, the fine and the penalty payment. There is no administrative appeal against this decision, but it has been available since its notification Within 30 days of the application addressed to the Metropolitan Court in an administrative lawsuit 2subjectable. The emergency does not affect the time limit for bringing an action. The application to the Authority shall be submitted electronically, which shall forward it to the court together with the case file. The trial The application for maintenance must be indicated in the application. During the emergency, the court is hearing acting outside. For those who do not receive full personal tax exemption, the administrative lawsuit its fee is HUF 30,000, the lawsuit is subject to the right to record material fees. In the proceedings before the Metropolitan Court, legal representation is mandatory. EXPLANATORY STATEMENT I. Background and clarification of the facts 1) The Authority received a public interest notification on 29 December 2019 calling on the attention to the website https://www.lastminute.robinsontours.hu/partnerkapu_ Reservation the personal data of the Client's 1. 
natural person's clients are available to anyone through such as passengers' names, contact details, address details, identity cards and passport numbers, booking and travel, destination, accommodation and contracting related data. The data is https://www.robinsontours.hu/partnerkapu_ Occupied were also available through. According to the announcement, the applicant realized this on the Internet while browsing, type your father's name into Google search and then through one of the results, managed to open a database without any authorization check. The Authority has verified the above links and NAIH / 2020/66/2., NAIH / 2020/66/3. and NAIH / 2020/66/5. in its file number notes, it found that the links were held by it in a web browser entered, any authentication, or other IT security measures without the intervention of the notifier, on the website, as claimed by the notifier, a database containing personal data of various natural person customers. The based on the data in the database, it is likely that most of them are as travel agents Operating Customer 1. Customers using the travel services. The Authority is also satisfied that that the data stored in the database is searched in Google search engine (eg a passenger 's name search) can also be reached. So the content was also crawled by and in Google’s search engine made them available with a keyword search. The personal data available is as follows: - name of "guide", - number and names of passengers, - date of departure and arrival, date of booking, - reservation status (final / canceled / pending), - reservation number, - address details (country, postcode, town, street, house number, floor, door with precision), - identity card number with date of issue and expiry, - passport number with date of issue and expiry, - e-mail address, telephone number, - date of conclusion of the travel contract. On the website, it was also possible to filter people by destination and date. 
In the database of this in addition, for each customer, anyone has the option to upload a passport photo or write a comment next to each booking. By choosing the passport photo upload option, you can not only take pictures, but virtually any file format could be selected for upload. 3The table, which can be viewed via links, contained a total of 375 records. These were among them also likely to be fictitious persons (eg “TEST TEST”, “TEST IVÁN”, etc.), but most of them covered existing natural person customers. Based on the number and names of fellow travelers however, the data of many more than a thousand people were also available through the website. From the database available through the links, it was also possible to connect with individual customers travel contracts are free for anyone to download in pdf format. From each contract five copies downloaded as evidence by the acting administrator of the Authority and an e-mail booking certificate. The downloadable contracts were detailed for all contracted passengers personal data, the destination, the date of travel, the details of the accommodation booked and the gross price broken down by person. In view of the above, the Authority launched an official control on 30 January 2020, as a the available data were not sufficient to assess that Client 1. has fully complied with its obligations under the General Data Protection Regulation, thus in particular 32-34. provided for in Article 2) NAIH / 2020/66/7 in the following days (3 February 2020). with note no according to documented re-verification, the publicly available database is constantly updated records, including personal data and related contracts, for uploading. The update of the customer database could thus be followed live on the website in this way across. However, on 4 February 2020, the database was no longer available in this way. The Authority's NAIH / 2020/66/4. 
By order no., he called for a statement and the provision of documents Customer 1, which, as evidenced by the returned return receipt, was received on February 4, 2020. The Client 1. sent it together with the statement sent for the above order in due time a data protection incident report completed on the basis of a sample downloaded from the Authority's website. Based on the incident report and the responses to the order, Customer 1. stated that the the details of your customers who actually use your travel agency services via those links were available. In addition to real natural persons, they were included in the database for testing also created, fictitious persons. Customer 1. The purpose of recording data for each trip seizure as well as the identification of the persons actually traveling, for which he is needs to be able to trace the agreements between the data subject and the Customer 1. and a you can contact stakeholders about performance. For the database only Representatives of partners contracted with Customer 1 could enter, with whom Customer 1 is valid had a contract. The data in the database is 1. Client on a dedicated server, structured, in SQL format stored. Client 1. Client 2 has been assigned as a data processor by the hosting provider, programmer, with administrator and IT service provider tasks. The data was stored on the Client's 2nd servers, the exact location of which is 1143 Budapest, Ilka u. Located in the 31 Invitech server room. The data security in the interests of Customer 2. as a data processor the following measures implemented: firewall, anti-virus, multi-level authentication and access control, strong use and forced exchange of passwords, daily backup of the database, logging of data operations. Client 1. stated that it did not have the Authority's NAIH / 2020/66/4. 
order no prior to receiving it, be aware of the privacy incident as he was not notified of any business 4partners, nor its data processor or any other stakeholders, nor in the course of its own operations he noticed it. However, upon becoming aware of the incident, it shall be immediately investigated and Article 33 (1) of the General Data Protection Regulation has been notified to the Authority as Customer 1. after investigating the incident considered it to be at risk rights and freedoms of data subjects. Customer 1. the privacy incident is the general also registered under Article 33 (5) of the Data Protection Regulation. The cause of the incident was indicated by Customer 1 in the website made by Customer 2 a test environment was created during development that was not removed from the final version. As a result, real, sharp data was also included in the data set used for testing. This test environment, which is constantly updated with real data, has not been protected. Customer 1 he was unaware of this test environment, he did not even use it. As Customer's 1st website there was no direct reference to the test environment, so it was only used by could be reached by invoking a specific URL. Based on this, Customer 1 is likely to only few had unauthorized access to the data. Based on Customer's 1st incident report, the vulnerability is from November 13, 2019 to February 4, 2020 stood up through the website. The vulnerability affected a total of 781 people, for a total of approx. 2506 pieces personal data, which are: name, address, date of birth, passport number and expiry date, ID card number and expiration date, email address, phone number, departure and arrival date of each travel contract in pdf format and the data contained therein (eg contract value). The database affected by the incident also included data on minors. 
The the personnel of the stakeholders at Customer 1 in the period from 13 November 2019 to 4 February 2020 It included Hungarian passengers and tour guides who booked trips. Upon receipt of the Authority's order, Client 1. immediately notified Client 2 by telephone a vulnerability, who immediately took action to prevent the use of URLs to further achieve a test environment that is updated with live data. Customer's 1st assessment is data protection incident vulnerability overall Customer 2. not prudent, careful resulted from its procedure. Client 1. further informed the Authority that the incident was due to regulatory review its material. Customer 1. also stated that it plans to inform stakeholders a the outcome of the official procedure after its conclusion. 3) The Authority's NAIH / 2020/66/10. to make further declarations and documents called Customer 1, which he met within the deadline. According to his replies, the contractual partners had access to the database affected by the incident were travel agents signing a travel agency contract. A sample of the contract with them Customer 1. attached to your answer. The database was accessed by a total of 307 travel agents who however, they could not enter or modify data there. Each travel agent is just their own he had access to his reservations. Only Customer 1. was entitled to enter data into the database. Client 1. informed the Authority that he was not in the database affected by the incident an authorization control system has been set up, which has led to the occurrence of a data protection incident. However, Customer 1. has since ordered the use of a username and password in the system, a henceforth, the database is only accessible to authorized personnel. Its password management policy was described by the Customer in his / her reply. 5Customer 1. 
explained that during the period of the vulnerability (13 November 2019 - 1 February 4, 2020) external, unauthorized access from a total of two IP addresses 28 reservations for a total of 30 documents, four times (30 and 31 January 2020 and 1 February and days 3). A detectable privacy incident is thus actually associated with these occasions materialized. Customer 1. explained that the test environment created during the development and the associated test database - given that the testing was not done with sharp data - was not protected. At the end of testing however, the data file was not deleted and remained associated with the separate, now sharp system and database. Personal data entered by the Customer into the live system 1. a they were also transferred to a test database as a data connection remained between the two systems. THE through the vulnerability, a constantly updated test database was also available with live data (see figure below). In the database available through the vulnerability for a total of 309 travel contracts could be accessed. As previously described, these involved a total of 781 stakeholders, for a total of approx. They contained 2506 pieces of personal data. A total of 46 of those affected were children (18 under one year). 1On the IP address […] identified by Client 1, the Authority's acting administrator found that it was the Authority's Internet the IP address of your subscription. Database accesses that can be associated with this IP address are therefore subject to official control are likely to be linked to inquiries documented in official records between NAIH / 2020/66/13. s. recording). 6Customer 1. also stated that through the available interface the "passport copy upload" it was not possible to upload data from the outside via the option as it was only into the live system were able to upload Customer 1. staff in pdf or jpeg format. The sharp system had virus protection. Client 1. 
Attached to the response to the Authority's call, Customer 2's data processors (‘data processing agreement’, […]). He signed the contract on April 10, 2019 with each other Customer 1 and Customer 2. According to clause 4 of the contract for the security of data processing guarantee and take measures proportionate to the risks, as well as the data controller support is the task and duty of the data processor (Customer 2). The task of the data processor is a accidental or unlawful destruction or modification of personal data without permission unauthorized access to or unauthorized access. To this end, it is obliged to take organizational and technical measures proportionate to the risks to do. The data controller is obliged to have access to the data by unauthorized persons intentional or negligent breach of this obligation responsibility. The data processor is obliged to constantly monitor the data measures taken to ensure compliance with data protection law. 4) The Authority's NAIH / 2020/66/12. to make further declarations and documents called Customer 1, which he met within the deadline. Attached to the response Customer 1. sent an unauthorized access detail statement a table showing that 26 out of all document accesses In this case, documents were downloaded from the Authority's IP address as part of an official control (30 and 31 January 2020 and 1 and 3 February). The remaining four documents access may not be linked to the IP address of the Authority. In addition to the above, Customer 1. sent the “Complex IT system” concluded with Customer 2 a copy of the agreement dated 10 April 2019 on the development of also the "data processing agreement" already referred to with this date. The contract based on this developed by Customer 2. for the registration of travel bookings and the system and database involved in the incident. 
The developed system and its under the purpose of the database was to be included in it by partners contracted with Customer 1 personal data of persons using mediated travel services (identification data, contact details, destination and travel details, contracts, documents, etc.) be stored and handled. 5) In addition to further clarification of the facts, the case is covered by the General Data Protection Regulation due to the necessary further investigation of the alleged breach of obligations by the Customer Act CXII of 2011 on the right to information self-determination and freedom of information. Act (a hereinafter: Infotv.) with regard to Section 60 (1), the Authority is included in the operative part decided to initiate a data protection authority procedure. The Authority dated 2 April 2020 NAIH / 2020/66/14. notified Client 1 by file dated 6 April 2020. took over. 6) The Authority's NAIH / 2020/66/16. notified Customer 2 by order No. dated 11 May 2020 to involve the general data protection authority in the data protection authority proceedings as a customer due to an investigation into an alleged breach of the obligations under this Regulation declaration and service of documents. Customer 2. responded to the order on time. 7According to the customer's statement 2, the test database affected by the incident - through which a personal data has become available over the internet - in the meantime it has been deleted. The affected In addition, Customer 2. has relocated the system to a more closed, secure system. This is the operation it was still in progress at the time of the response. "Authentication checks" previously related to system security based on Customer's statement 2 they occurred only around the point of entry. The Authority's question is whether the system concerned the frequency with which it is reviewed for security purposes, Customer 2. 
has only provided that the protection of the website affected by the incident is fixed, otherwise “news from the web world and whether the protection measures need to be updated. To the Authority's question as to why the test version of the booking database behind the website is not previously deleted, Customer 2. replied that in his opinion the deletion did not makes sense because at some point you may need to ‘something needs to be improved’, ‘something needs to be solved’ so "Testing never ends". The connection point between the test and the live database In connection with the termination of Customer 2. stated that in his opinion it is not an important issue as the lack of authorization (source) was the source of the error. 7) The Authority's NAIH / 2020/66/19. By order No 1, he again called for a statement and Customer 2, who responded to the order within the time limit. Based on Customer Statement 2, it does not currently have an IT Security Policy and Privacy Policy. Customer 2. the system involved in the incident (the website), referred to by him as “authentication does not have a record, they have not documented them. Customer 2. further stated that access to the database affected by the incident was unauthorized access log data is overwritten at 30-day intervals. By Customer 2. received the request (from Customer 1) that they are needed, only on January 24, 2020 - You were able to save the access log between February 10, 2020. This was sent by Customer 1, which it forwarded to the Authority in accordance with NAIH / 2020/66/12. to the previous order no attached to your reply. As a result, Client 1. informed the Authority that external accesses took place only on 30 and 31 January 2020 and on 1 and 3 February database. 8) The Authority's NAIH / 2020/66/18. invited Customer 1 to make a statement by order no. in which he requested, inter alia, a statement of the amount for the 2019 business year amount was the net sales revenue. 
From the Customer's 1st registered office, the above order may be re-mailed twice Returned to the Authority with the word "not sought". The Authority, meanwhile, is on the register of companies has been informed from the data contained in that the Customer is in liquidation as of June 1, 2020. Customer 1. Data on its management in 2019 and 2020 will be published in the meantime were posted on the Electronic Reporting Portal. 8II. Applicable legal provisions CL of 2016 on General Administrative Procedure. Section 99 of the Act (hereinafter: the Act) the authority, within the limits of its competence, monitors the provisions of the law compliance with the provisions of this Regulation and with the provisions of the enforceable decision. Pursuant to Article 2 (1) of the General Data Protection Regulation, he or she is involved in a data protection incident the general data protection regulation applies to data processing. Article 4 (12) of the General Data Protection Regulation defines what constitutes data protection "data protection incident" means a breach of security which accidental or unlawful destruction of personal data stored or otherwise processed, loss, alteration, unauthorized disclosure or unauthorized disclosure results in access. According to Article 5 (1) (f) of the General Data Protection Regulation, personal data shall be managed in such a way that appropriate technical or organizational measures are taken ensure the adequate security of personal data unauthorized or unlawful handling, accidental loss, destruction or including protection against damage (‘integrity and confidentiality’). 
According to Article 25 (1) of the General Data Protection Regulation, the controller is a science and the state of the art and the costs of implementation, as well as the nature and scope of data circumstances and objectives of the Union and the rights and freedoms of natural persons, taking into account both the probability and severity of the risk and the way in which the data are handled as well as the appropriate technical and organizational arrangements for data management implement measures, such as pseudonymisation, aimed at complying with data protection principles, such as the effective implementation of data saving, on the one hand, and the provisions of this Regulation, on the other guarantees necessary to meet the requirements and to protect the rights of data subjects integration into the data management process. According to Article 25 (2) of the General Data Protection Regulation, the controller is the appropriate technical and implements organizational measures to ensure that by default only personal data that is specific to that data processing should be processed necessary for the purpose. This obligation applies to personal information collected the extent of their handling, the duration of their storage and their availability. These are measures in particular need to ensure that personal data is defaulted cannot be accessed without the intervention of the natural person for an indefinite number of persons. 
Pursuant to Article 32(1) GDPR, the controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia (under point (b)), the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data. Under Article 32(2) GDPR, in assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. According to Article 33(1) and (2) GDPR, the controller shall notify a personal data breach (in the Hungarian text, a "data protection incident") to the supervisory authority competent under Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. Pursuant to Article 34(1) GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay.

Pursuant to Article 34(4) GDPR, if the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met. Under Section 2(2) of Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter: Infotv.), the GDPR applies with the additions laid down in the Infotv. Pursuant to Section 101(1)(a) Infotv., if the Authority finds an infringement in the course of an official inspection, it initiates official proceedings. Under Sections 38(3) and 60(1) Infotv., the Authority may, within the scope of its duties under Section 38(2) and (2a), conduct proceedings ex officio in order to enforce the right to the protection of personal data. Pursuant to Section 103(1) of the Act on General Public Administration Procedure (hereinafter: Ákr.), the provisions of the Ákr. apply to the Authority's proceedings with the exceptions set out in Sections 103 and 104 Ákr. Pursuant to Section 61(1)(a) Infotv., in proceedings under Section 2(2) and (4), the Authority may apply the legal consequences laid down in the GDPR in relation to specific processing operations.

Pursuant to Article 58(2)(b) and (i) GDPR, the supervisory authority, acting under its corrective powers, may issue a reprimand to a controller or processor where processing operations have infringed provisions of the Regulation, and may impose an administrative fine pursuant to Article 83, in addition to or instead of the other measures referred to in Article 58(2), depending on the circumstances of each individual case. Under point (d) of the same paragraph, the supervisory authority may order the controller or processor to bring processing operations into compliance with the Regulation, where appropriate in a specified manner and within a specified period. The conditions for imposing an administrative fine are set out in Article 83 GDPR. For an infringement of Article 5 GDPR, Article 83(5)(a) allows a fine of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Pursuant to Section 61(2) Infotv., the Authority may order the publication of its decision, including the identity of the controller or processor, if the decision affects a wide range of persons, was made in relation to the activities of a body performing a public function, or the gravity of the infringement justifies publication. In other respects, the decision is based on Sections 80 and 81 Ákr.

III. Decision

1. Handling, high-risk classification and notification of the personal data breach

Regarding the vulnerability that led to the personal data breach, Client 1 first stated that it learned of it from the Authority's fact-finding order NAIH/2020/66/4, received on 4 February 2020. It was previously unaware of the vulnerability and of the breach.
Client 1 could not itself detect access to a database containing the data of data subjects using its travel services; it learned of the incident, and was able to act on it, only on the basis of the Authority's indication. Under Article 4(12) GDPR, a personal data breach is a breach of security leading, among other things, to unauthorised access to personal data processed. The link between the security event and the access is thus the key element of the definition. On the basis of information provided by the public-interest whistleblower, the Authority established several accesses to the database made through the vulnerability, and Client 1 later also acknowledged the vulnerability in its breach notification. It was therefore possible to access the data concerned by exploiting a vulnerability on Client 1's website. Unauthorised access to personal data was thus the result of an exploitable IT security vulnerability, which in several cases led to a personal data breach. The Authority documented several of these unauthorised accesses in the notes referred to above. Pursuant to Article 33(1) GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Notification may be omitted only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Assessing the risk associated with the breach is the controller's task. Recital 75 GDPR treats processing that may result in identity theft or fraud, and in particular the processing of children's data, as inherently risky with regard to the rights and freedoms of data subjects.

The Authority also points out that from the travel data contained in the contracts, such as the dates of travel and the contract value, further conclusions can be drawn about the financial circumstances of the passenger concerned; combined with the address data that was also accessible, the data subject's place of residence can likewise be inferred. Given the joint processing of these data and the circumstances of the incident, the Authority considers that the breach resulted in a high risk. A further important circumstance for the high risk to the privacy of the natural persons concerned is that, according to the statement of Client 2 (the processor), logs of external unlawful access to the database could only be saved for the period from 24 January 2020 to 10 February 2020. The exact number of unauthorised accesses over the full lifetime of the vulnerability (13 November 2019 to 4 February 2020) is therefore unknown; on the basis of the public-interest report sent to the Authority on 29 December, at least the whistleblower had already accessed it by then. The length of time the vulnerability existed also increased the risks. In view of the above, the Authority also considers it a factor justifying the high-risk classification that the database was demonstrably accessed both by the whistleblower and by the Authority, but that the total number of unauthorised accesses and the identity of those accessing it over the lifetime of the vulnerability cannot be accurately determined in the absence of a complete log file. Because Client 1 can no longer subsequently establish who accessed the data and how many times, there is a high degree of uncertainty and concern about the further fate of the personal data involved in the breach.

Faced with a data leak whose degree and extent cannot be measured but which has been proven to have occurred, the controller can only attempt to reduce the high risk to data subjects by informing them. The Authority considers it a further circumstance justifying the high risk that the personal data held in this database had also been indexed by Google and were therefore available through that search engine, making them much easier to come across, even by chance, while browsing or searching for a name on the internet. Based on the above, the Authority considers the personal data breach to be high-risk; therefore, on becoming aware of it, the controller had to notify it to the supervisory authority pursuant to Article 33(1) GDPR. The controller made the notification to the Authority by e-mail on 6 February 2020, having become aware of the breach on receipt of the Authority's fact-finding order of 4 February 2020. The controller thus notified the breach within 72 hours of becoming aware of it. The Authority therefore found no infringement of the notification obligation.

2. Communication of the personal data breach to data subjects

In its breach notification, Client 1 stated that it planned to inform the data subjects depending on the outcome of the official procedure, after its conclusion. Neither from this statement nor from the further statements sent to the Authority during the procedure does it appear that Client 1 had informed the data subjects of the breach under Article 34 GDPR before this decision. Under Article 34(1) GDPR, it is the controller's responsibility to communicate the breach to the data subjects without undue delay if it is considered a high-risk breach.

The Authority considers that the breach is of a high risk warranting communication under Article 34(1) GDPR, since there may be spill-over effects on the privacy of the data subjects which the controller can no longer influence through its own incident handling (see Section III/1 of this decision on risk classification). The risks of a breach, referred to in recitals 85 and 86 GDPR, can only be effectively mitigated if the data subjects are aware of it and can take any further action they deem necessary. As controller, Client 1 is responsible for assessing the risks of a personal data breach that has occurred, because it is primarily the controller that knows what personal data it processes, for what purposes and by what processing methods. The possible high-risk classification of the breach, and hence the assessment of whether data subjects need to be informed, is thus Client 1's own task; this question cannot be transferred to the supervisory authority by making it "depend on the outcome of the official procedure". Under Article 34 GDPR, the controller must inform the data subjects of the breach without undue delay after it has become known to it; it cannot wait for the Authority to conclude its procedure. The Authority draws attention to Article 34(3)(c) GDPR: if individual communication would involve disproportionate effort, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. Based on the above, the Authority finds that Client 1,
by failing to inform the data subjects and postponing that communication, did not comply with Article 34(1) GDPR; therefore, with regard to Article 34(4), the Authority ordered Client 1 to inform the data subjects of the high-risk personal data breach.

3. Findings on the security of processing

The Authority also examined the extent to which Client 1 as controller and Client 2 as processor complied with the data security requirements for the system directly involved in the breach. Pursuant to Article 32(1) GDPR, the controller and the processor shall implement technical and organisational measures in line with the state of the art that guarantee a level of data security appropriate to the risk, including, under Article 32(1)(b), the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data. This is reinforced by Article 32(2) GDPR, under which, in assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. The vulnerability in the system affected by the breach arose because inadequate security settings were applied to that system, as follows. During the operation of the website, Client 2 did not terminate the link between the test database and the live database, and did not subject the website to adequate security or vulnerability testing. The test database and the live database, into which Client 1 had already uploaded and was using real data, thus maintained a connection through which live data were continuously transmitted in real time to the test database. This real-time connection is confirmed not only by the statements of Client 1 and Client 2 but also by the trial downloads and accesses documented by the Authority. The vulnerability, a test database holding live data, therefore remained exposed because Client 2 no longer addressed its security after development was completed. The incident would not have occurred if Client 2 had deleted the test database, moved it to a secure environment, or disconnected it from the live database. These omissions thus made direct access to personal data possible. The test database, as described above, practically functioned as a vulnerable copy of the live database, the size of which steadily increased over time; customer data were duplicated in this way for over three months. Personal data could be accessed from outside extremely easily, without Client 1 or Client 2 noticing. Because of the above, Client 1 used and operated the storage system and website holding the personal data processed in connection with the travel services it offers in such a way that, owing to the vulnerability, anyone could access the data over the internet. This security deficiency severely compromised the confidentiality of the data, which directly made the high-risk breach possible. Client 1 also argued that Client 2, as processor, did not act with sufficient care and diligence in building the system, and that the system as built contained no authorisation check. In view of the above, the Authority concludes that Client 1, by loading the data into the system and processing them there, that is, by actually using the system, and Client 2, by the careless operation of the system and inadequate security controls and testing, infringed Article 32(1)(b) GDPR, since neither the controller nor the processor could guarantee the confidentiality of the service while it was running.

4. Findings on the principle of data protection by design and by default

Article 25(1) and (2) GDPR lays down the principle of data protection by design and by default, under which the controller, taking into account the risks of the processing, must implement appropriate technical and organisational measures when determining the means of processing, designed to implement the data protection principles effectively. In addition, the controller must implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. In particular, such measures shall ensure that by default personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons. The database involved in the incident, originally created for testing purposes (and later continuously updated with live data), was accessible to anyone via Google search and simple web links from 13 November 2019 to 4 February 2020. As explained in the previous sections, the processing of the data stored in the database in itself amounted to high-risk processing, in particular as regards children's data and contractual data. The processing of such data therefore calls for technical and organisational measures proportionate to the high risk already in the planning phase of the processing, in order to guarantee the principles of processing. The confidentiality of processing is also enshrined in Article 5(1)(f) GDPR.
Under that provision, personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unlawful processing, using appropriate technical or organisational measures. Pursuant to Article 25(1) and (2), controllers must therefore plan and carry out processing in such a way that the principles of processing, e.g. integrity and confidentiality, are ensured from the start of the future processing. Regarding the confidentiality of the processing affected by the incident, Client 2 explained that the entire system it developed (which is practically Client 1's website) was not tested during development, was not tested for security, and only checks "around the point of entry" were performed, so the error leading to the incident could not be detected earlier. Client 2 also has no records with which it could prove the checks it did carry out. Within the framework of Client 1's order, Client 2 therefore failed to carry out, during the design and development of the website and system, the security tests or other measures that would have eliminated the causes of the vulnerability (e.g. a website vulnerability scan, disconnecting the test environment from the live database). The absence of these planning measures allowed anyone who knew the link to the site, or found it through Google's search engine, to access the personal data and documents stored on the online interface without any prior authorisation check. The European Data Protection Board's Guidelines 4/2019 on data protection by design and by default state that controllers should take the implementation of this principle into account already when introducing new processing, and should verify its implementation later.

The guidelines emphasise that the controller is responsible for compliance with the principle of data protection by design and by default also in respect of the processing operations performed by its processor(s). The controller must take this into account when concluding a contract with a processor.[2] When determining the means of processing, that is, in this case, when designing and developing the website and the related IT infrastructure, the measures taken were therefore not sufficient to ensure the confidentiality of the data in accordance with Article 25 GDPR. As a result, personal data later became available to an indefinite number of persons through the website. As controller, Client 1 is responsible for the processor it entrusted (Client 2), and must exercise due diligence in selecting a suitable processor and concluding the processing contract. Within the framework of the processing contract, Client 2 negligently designed and developed the system, whose data protection deficiencies were noticed by neither Client 1 nor Client 2 until the incident. At a basic level, the unlawful, insecure processing that led to a serious incident was thus practically predetermined at the design and development stage of the system, before the specific processing had even started. The subsequent infringements are a direct consequence of careless design and an inadequate processing mandate. Owing to the serious design deficiencies that led to a high-risk personal data breach and to the inadequate commissioning of the processor, Client 1 therefore infringed Article 25(1) and (2) GDPR.
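Sections 3 and 4 above name the controls that were missing: the test database kept receiving live data, and the web interface served customer records to anyone, including Google's crawler, with no authorisation check. The following is an added example written for this page, not code from the decision, from Robinson-Tours or from Next Time Media; it shows, in a small WSGI application invoked in-process, the weak pattern beside a hardened one, plus an environment check that fails when a non-production system is pointed at a production database host. The hostnames, path, bearer token and customer records are constructed assumptions.

```python
"""Added illustration of two controls the NAIH decision says were missing:
(1) a test environment must not read from the live database, and
(2) a web interface must enforce an authorization check before serving
customer records, and should tell search engines not to index it.
Example code for this page only; hosts, token and records are invented."""
import hmac
import json
from urllib.parse import urlparse
from wsgiref.util import setup_testing_defaults

# Constructed sample records (invented, not data from the incident).
CUSTOMERS = [
    {"name": "A. Example", "passport": "XX0000001", "destination": "Hurghada",
     "booked": "2019-11-20"},
    {"name": "B. Example", "passport": "XX0000002", "destination": "Antalya",
     "booked": "2019-12-02"},
]

# Assumption: the operator keeps an inventory of production DB hosts.
PRODUCTION_DB_HOSTS = {"db-live.example.internal"}

# Assumption: a shared bearer token stands in for the real auth scheme.
API_TOKEN = "hypothetical-test-token"


def env_is_isolated(env_name, db_url, prod_hosts=PRODUCTION_DB_HOSTS):
    """True unless a non-production environment points at a production
    database host. The test DB in the decision, fed in real time from the
    live database, would fail this check."""
    if env_name == "production":
        return True
    return urlparse(db_url).hostname not in prod_hosts


def exposed_app(environ, start_response):
    """The weak pattern: any GET returns every record, with no
    authorization check and nothing to discourage indexing."""
    body = json.dumps(CUSTOMERS).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def hardened_app(environ, start_response):
    """Same endpoint, but the authorization check runs before any data is
    produced, and X-Robots-Tag asks crawlers not to index a leaked link."""
    common = [("X-Robots-Tag", "noindex, nofollow"),
              ("Cache-Control", "no-store")]
    presented = environ.get("HTTP_AUTHORIZATION", "").encode()
    expected = ("Bearer " + API_TOKEN).encode()
    # compare_digest avoids a timing side channel on the token comparison
    if not hmac.compare_digest(presented, expected):
        start_response("401 Unauthorized",
                       common + [("WWW-Authenticate", "Bearer")])
        return [b""]
    body = json.dumps(CUSTOMERS).encode()
    start_response("200 OK", common + [("Content-Type", "application/json")])
    return [body]


def call(app, path="/customers", headers=None):
    """Invoke a WSGI app in-process (no network) and capture its reply."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = "GET"
    environ["PATH_INFO"] = path
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = {k.lower(): v for k, v in response_headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def probe(app, path="/customers"):
    """Anonymous request, as an outsider or a search-engine crawler would
    make it; reports whether records leak and whether indexing is refused."""
    status, headers, body = call(app, path)
    return {
        "status": status,
        "data_exposed": status == 200 and b"passport" in body,
        "noindex": "noindex" in headers.get("x-robots-tag", "").lower(),
    }


if __name__ == "__main__":
    print("exposed :", probe(exposed_app))
    print("hardened:", probe(hardened_app))
    print("authorised call:", call(
        hardened_app, headers={"Authorization": "Bearer " + API_TOKEN})[0])
    print("test env isolated:", env_is_isolated(
        "test", "postgresql://app@db-live.example.internal/robinson"))
```

The probe is the check a practitioner would run against a staging host before go-live: an anonymous request that returns records, or a response without a noindex directive, is a finding. The environment check belongs in deployment tooling so that a test database cannot be wired to the live one in the first place; it does not replace deleting the test copy once development is finished, which the decision identifies as the simplest fix.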
5. Sanction applied and its justification

1) In clarifying the facts, the Authority established with regard to Client 1 that its processing
- infringed Article 25(1) and (2) GDPR,
- infringed Article 32(1)(b) GDPR,
- infringed Article 34(1) GDPR.
In view of this, the Authority ordered Client 1, as set out in the operative part, to take the measures necessary to inform the data subjects of the personal data breach under Article 34 GDPR. The Authority examined whether it was justified to impose a data protection fine on Client 1, considering all the circumstances of the case in the light of Article 83(2) GDPR and Section 75/A Infotv. In view of this, the Authority, pursuant to Section 61(1)(a) Infotv., ordered Client 1 to pay the data protection fine set out in the operative part of this decision. In imposing the fine, the Authority took into account the following factors.

[2] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf

The Authority considered the following as aggravating circumstances:
- The processing of the personal data affected by the breach is high-risk owing to the nature of the data; controllers must therefore take particular care to guarantee a level of security appropriate to the risk. Nevertheless, Client 1 did not take appropriate measures to ensure the ongoing confidentiality of its processing system, which held a large volume of personal data (781 data subjects and roughly 2,506 items of personal data in total, including children's data and contractual amounts).
- In processing that is inherently high-risk, Client 1 applied data security measures that were unsuited to preventing and detecting unauthorised access and disproportionate to the risk, such that personal data could be accessed from outside extremely easily without Client 1 noticing. A high level of security preparedness is expected of for-profit businesses handling such data.
- The Authority became aware of the breach on the basis of a public-interest report; Client 1 itself detected no breach.
- The Authority regards the identified data security deficiencies as a systemic problem, given that the infringing situation affecting the test database in question had demonstrably existed for months before the unauthorised accesses occurred.
- The breach of data confidentiality was practically predetermined by the sloppy design of the system, before the specific processing had even begun. The later infringing processing is a direct consequence of negligent design and an inadequate processing mandate.
- As controller, Client 1 is responsible for assessing the risks of any personal data breach that has occurred, because it is the controller that knows what personal data it processes, for what purposes and by what methods. The possible high-risk classification of a breach, and hence the assessment of whether data subjects need to be informed, is Client 1's own task; this question cannot be transferred to the supervisory authority by making it "depend on the outcome of the official procedure". Under Article 34 GDPR, the controller must communicate the breach to the data subjects without undue delay after becoming aware of it and may not wait until the official procedure has been completed.

The Authority considered the following as mitigating circumstances:
- In the course of the procedure, the Authority did not become aware of any information that data subjects had suffered damage as a result of the infringement.
- From the facts established, it can be concluded that the infringement was not intentional but was caused by Client 1's negligence. This is also indicated by the fact that, immediately upon becoming aware of the vulnerability, Client 1 took action to eliminate it.
- The Authority took into account that no personal data breach had previously been established against Client 1.
Other circumstances considered:
- After becoming aware of the breach, Client 1 immediately took the action required by Article 33 GDPR: it investigated the incident and notified it to the Authority within 72 hours of becoming aware of it, and Client 2 closed the vulnerability and deleted the unlawfully held database. The Authority thus identified no problem in Client 1's handling of the specific breach. As this did not go beyond its legal obligations, the Authority did not assess it as an express mitigating circumstance.
- The Authority also took into account that Client 1 cooperated fully with the Authority in the investigation of the case, although this conduct, which likewise did not exceed its legal obligations, was not assessed as an express mitigating circumstance either.
In view of the above, the Authority considered it necessary to impose a fine and did not consider it appropriate to apply only the warning under Section 75/A Infotv. The amount of the data protection fine was determined in the exercise of the Authority's statutory discretion. Client 1's infringements fall under Article 83(4)(a) GDPR, the lower fine category.
In imposing the fine, the Authority finally took into account Client 1's economic weight. In this regard, it considered that
- according to its 2019 annual report, its net sales were HUF 5,344,545,000 (five billion three hundred and forty-four million five hundred and forty-five thousand forints);
- according to the 2020 annual report closing its activity before liquidation, its net sales for the period from 1 January 2020 were HUF 551,404,000 (five hundred and fifty-one million four hundred and four thousand forints);
- it has been in liquidation since 16 June 2020.
For the period of the infringement (13 November 2019 to 4 February 2020), the Authority took into account the economic data for 2019 and 2020. In view of the gravity of the infringement and Client 1's financial data above, the Authority considers the fine imposed proportionate to the gravity of the infringement.

2) In clarifying the facts, the Authority established with regard to Client 2 that it infringed Article 32(1)(b) GDPR. The Authority examined whether it was justified to impose a data protection fine on Client 2, considering all the circumstances of the case in the light of Article 83(2) GDPR and Section 75/A Infotv. In view of this, the Authority, pursuant to Section 61(1)(a) Infotv., also ordered Client 2 to pay the data protection fine set out in the operative part of this decision. In imposing the fine, the Authority took into account the following factors.

The Authority considered the following as aggravating circumstances:
- The processing of the personal data affected by the breach is high-risk owing to the nature of the data; processors must therefore take particular care to guarantee a level of security appropriate to the risk. Nevertheless, Client 2 did not take appropriate measures to ensure the ongoing confidentiality of the system it developed and operated for Client 1, which held a large volume of personal data (781 data subjects and roughly 2,506 items of personal data in total, including children's data and contractual amounts).
- In processing that is inherently high-risk, Client 2 applied data security measures that were unsuited to preventing and detecting unauthorised access and disproportionate to the risk, such that personal data could be accessed from outside extremely easily without Client 2 noticing. A high level of security preparedness is expected of for-profit businesses handling such data.
- The Authority became aware of the breach on the basis of a public-interest report; Client 2 itself detected no breach.
- The Authority regards the identified data security deficiencies as a systemic problem, given that the infringing situation affecting the test database in question had demonstrably existed for months before the unauthorised accesses occurred.
- During the development of the website and system, Client 2 failed to carry out the security tests or other security measures that could have detected or eliminated the vulnerability (e.g. a website vulnerability scan, terminating the remaining link between the test and live databases). These omissions weigh heavily against Client 2, since it operates as a business whose main activity is the provision of IT services.
The Authority considered the following as mitigating circumstances:
- In the course of the procedure, the Authority did not become aware of any information that data subjects had suffered damage as a result of the infringement.
- The Authority took into account that no personal data breach had previously been established against Client 2.
Other circumstances considered:
- The Authority also took into account that Client 2 cooperated fully with the Authority in the investigation of the case, although this conduct, which did not exceed its legal obligations, was not assessed as an express mitigating circumstance.
In view of the above, the Authority considered it necessary to impose a fine and did not consider it appropriate to apply only the warning under Section 75/A Infotv. The amount of the data protection fine was determined in the exercise of the Authority's statutory discretion. Client 2's infringement falls under Article 83(4)(a) GDPR, the lower fine category. In imposing the fine, the Authority finally took into account Client 2's economic weight. In this regard, it considered that
- according to its 2019 annual report, its net sales were HUF 47,155,000 (forty-seven million one hundred and fifty-five thousand forints);
- according to its 2020 annual report, drawn up owing to a change of tax regime, its net sales for the period from 1 January 2020 to 31 March 2020 were HUF 1,772,000 (one million seven hundred and seventy-two thousand forints).
For the period of the infringement (13 November 2019 to 4 February 2020), the Authority took into account the economic data for 2019 and 2020. In view of the gravity of the infringement and Client 2's financial data above, the Authority considers the fine imposed proportionate to the gravity of the infringement.

3) Pursuant to Section 61(2)(a) and (c) Infotv., the Authority ordered the publication of this decision with the identification data of Client 2 also disclosed, as the infringement is serious and affects a wide range of persons.

IV. Other issues

The Authority's competence is defined by Section 38(2) and (2a) Infotv., and its jurisdiction covers the whole country.
Pursuant to Sections 112, 116(1) and 114(1) Ákr., the decision may be challenged in an administrative lawsuit. The rules of administrative litigation are laid down in Act I of 2017 on the Code of Administrative Court Procedure (hereinafter: Kp.). Pursuant to Section 12(1) Kp., an administrative lawsuit against a decision of the Authority falls within the jurisdiction of the court, and under Section 13(3)(a)(aa) Kp. the court designated there has exclusive jurisdiction. Under Section 27(1)(b) Kp., legal representation is mandatory in litigation within that court's jurisdiction. Under Section 39(6) Kp., the filing of the application has no suspensive effect on the entry into force of the administrative act. Under Section 29(1) Kp. and, in this respect, Section 604 of the Code of Civil Procedure (Pp.), and pursuant to Section 9(1)(b) of Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services (hereinafter: E-Administration Act), the Client's legal representative is obliged to communicate electronically. The time and place of submission of the application are governed by Section 39(1) Kp. Information on the possibility of requesting a hearing is set out in Section 77(1) and (2) Kp. The amount of the fee for an administrative lawsuit is set out in Section 45/A(1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Under Sections 59(1) and 62(1)(h) Itv., the party initiating the proceedings is exempt from advance payment of the fee. According to Section 35 of Government Decree 74/2020 (III. 31.) on certain procedural measures in force during the state of emergency (hereinafter: Government Decree), unless the Decree provides otherwise, the state of emergency does not affect the running of time limits. Pursuant to Section 41(1) of the Government Decree, during the state of emergency the court proceeds without holding a hearing.

If a hearing would otherwise have to be held during the state of emergency, the plaintiff may ask the court, instead of deciding without a hearing, to postpone the hearing until after the end of the state of emergency, provided that (a) the court has not ordered, even in part, a suspensive effect on the administrative act, (b) where the action has suspensive effect, the court has not ordered its exclusion, and (c) no interim measure has been ordered. Under Section 132 Ákr., if the obligor does not comply with the obligation contained in the final decision of the authority, the decision is enforceable. Under Section 82(1) Ákr., the Authority's decision becomes final upon its communication. Under Section 133 Ákr., enforcement is ordered by the decision-making authority unless otherwise provided by law or government decree. Under Section 134 Ákr., enforcement is carried out by the state tax authority unless otherwise provided by law, government decree or, in local government matters, municipal decree. Pursuant to Section 60(7) Infotv., the enforcement of an obligation laid down in the Authority's decision to perform a specific act, to behave in a specific way, to tolerate something or to cease an activity is carried out by the Authority.

Budapest, 9 December 2020

Dr. Attila Péterfalvi
President
c. professor