Tietosuojavaltuutetun toimisto (Finland) - 2206/171/20
|Authority:|Tietosuojavaltuutetun toimisto (Finland)|
|Relevant Law:|Article 5(1)(c) GDPR; Article 5(1)(e) GDPR; Article 25(2) GDPR; Article 32(1)(d) GDPR; Article 32(2) GDPR|
|National Case Number/Name:|2206/171/20|
|European Case Law Identifier:|n/a|
|Original Source:|Finnish DPA (in FI)|
Hackers accessed the personal data of around 165.000 individuals stored by the controller. The Finnish DPA found that the controller violated both the data minimization and the storage limitation principles and failed to adopt adequate security measures to prevent the attack.
English Summary
Facts
Hackers broke into the information systems of the accommodation service provider Forenom, the controller. They gained access to a database containing the personal details of approximately 165.000 of the controller's customers. After receiving complaints from affected data subjects, the Finnish DPA opened an investigation to establish the circumstances of the data leak. When asked to comment on the facts, the controller explained that the type of data collected depended on the group to which the person belonged: tenant, owner or company contact. As for the retention period, landlord and tenant information was kept for 10 years from the end of the tenancy or contract, while customer relationship management data was kept for 5 years from the last activity. According to the controller, long-term apartment rentals play a significant role in its business. It therefore considered it necessary to keep the data in order to respond to possible compensation claims, which under the national Accounting Act can be brought within a 10-year time limit. After this period, the data was either deleted or anonymized.
Holding
The DPA held that the controller complied with neither the data minimization principle nor the storage limitation principle. It emphasized that not all accommodation and tenancy information falls under the scope of the Accounting Act and that the controller did not give a clear explanation of which data was being retained for 10 years and why. According to the DPA, the controller must also implement appropriate technical and organizational measures to ensure, by default, that only the personal data necessary for the purpose of responding to possible damage claims is processed. It recalled that this obligation applies not only to the amount of personal data collected, but also to the storage period and the accessibility of the data. Finally, the DPA found that the controller had failed to assess the risks involved in retaining such data and to take appropriate technical and organizational security measures against those risks. Consequently, the DPA found a violation of Article 5(1)(c) and (e), Article 25(2), Article 32(1)(d) and Article 32(2) GDPR.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.