Tietosuojavaltuutetun toimisto (Finland) - 60/171/2020

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 12(1) GDPR
Article 34 GDPR
Type: Complaint
Outcome: Violation Found
Started:
Decided:
Published: 15.01.2020
Fine: None
Parties: Anonymous
POP Pankki
National Case Number/Name: 60/171/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex.fi (in FI)
Initial Contributor: n/a

The Tietosuojavaltuutetun toimisto issued a reprimand to a controller that, because it lacked contact data, could not communicate a personal data breach to all affected data subjects, yet publicly stated that the affected persons had been contacted personally.

English Summary

Facts

Following the disclosure of the data breach, the controller stated that it had modified the forms on its website so that personal data submitted through them was no longer stored in a database. Upon instruction by the DPA, the controller signed a data processing agreement pursuant to Article 28 GDPR and provided a report on the measures taken to ensure that a data breach would not happen again in similar situations.

The data controller has further communicated the personal data breach to data subjects pursuant to Article 34 GDPR, also by giving public notice. According to the information provided by the data controller, 9,000 to 10,000 data subjects have thus been directly contacted by letter.

However, about 7,000 data subjects could not be reached due to a lack of contact data. As communicating with these data subjects would have involved disproportionate effort within the meaning of Article 34(3)(c) GDPR, the controller gave public notice on its website informing its customers of the data breach. In addition, a bulletin was published on the controller's Facebook page.

Holding

As the controller could not communicate the personal data breach to all affected data subjects due to a lack of contact data, it should not have publicly stated that additional breach information had been sent to the affected persons personally, since this created the impression that data subjects who had not been contacted were not affected. Thus, the controller did not fulfil the transparency obligations under Articles 5(1)(a) and 12(1) GDPR with respect to its public notice.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Finnish original for more details.

FACTS
The security breach arose because some of the staff working for the controller had access to the publishing system, which allowed unnecessarily broad access to the information submitted through the website forms. Following the disclosure of the security breach, the controller stated that it had modified the forms on the website so that the personal data contained in them was no longer stored in the database. According to the controller, it has retrieved the form data previously stored in the database and verified that it is complete. The controller has asked the processor to permanently destroy the previously stored forms.

The controller has clarified that it has concluded an agreement on the processing of personal data, within the meaning of Article 28 of the General Data Protection Regulation, with the processor in question. The controller and the processor have agreed that the personal data will not be stored in the database and thus the processor will not have access to the data. If, however, the data were nonetheless stored in the database due to an error or malfunction, the processor will only be entitled to process the personal data in accordance with the controller's specific instructions in order to remedy the error.

The Data Protection Ombudsman instructed the controller to notify the data subjects of the data breach and to bring its processing operations into line with the provisions of the General Data Protection Regulation. In addition, the decision required the controller to enter into an agreement, within the meaning of Article 28 of the General Data Protection Regulation, with the company processing the personal data on its behalf. The controller has provided, by the deadline, a report on the measures taken to ensure that a security breach does not occur again in similar situations.

The controller has communicated the breach under Article 34 directly to data subjects and has also used a public notice. According to the information provided by the controller, 9,000 to 10,000 data subjects, for whom sufficient contact information was available, have been contacted directly by letter.

Approximately 7,000 data subjects could not be reached personally due to a lack of contact information. According to the controller, finding their contact information would have required an unreasonable amount of effort. The controller therefore made a public announcement in order to reach the data subjects it could not contact personally. According to the information provided by the controller, it published a bulletin on its website informing its customers of the security breach. In addition, a bulletin was published on the controller's Facebook page.

DECISION OF THE DATA PROTECTION SUPERVISOR
The Deputy Data Protection Ombudsman issues a reprimand to the controller in accordance with Article 58(2)(b) of the General Data Protection Regulation. The controller's Article 34 communication did not fulfil the requirement of transparency under Articles 5(1)(a) and 12(1) of the General Data Protection Regulation for a public communication.

Article 5 of the General Data Protection Regulation lays down the general principles governing the processing of personal data. According to Article 5(1)(a), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. In addition, Article 12 of the General Data Protection Regulation lays down the controller's obligations regarding transparent information to the data subject. The controller shall take appropriate measures to provide the data subject with any communication under Article 34 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

The controller resorted to a public notice because it was unable to reach all data subjects personally. The content of the communication was largely in line with the requirements of Articles 33 and 34 of the General Data Protection Regulation. However, the notice included a paragraph stating that "additional information on the situation was sent to the persons concerned personally". That personal notification was not provided to the approximately 7,000 data subjects affected by the security breach who could not be reached. Thus, a data subject who was not personally notified may have mistakenly assumed that he or she was not affected by the security breach. The Deputy Ombudsman therefore considers that the controller did not provide information in accordance with Articles 5(1) and 12(1) of the General Data Protection Regulation.

APPLICABLE LAWS
Articles 5, 12, 34 and 58 of the EU General Data Protection Regulation (2016/679)
Section 16 of the Finnish Data Protection Act (1050/2018)