Hungarian authority fines data controller EUR 7,500 for data breach and rules free online services not suitable for high-risk processing

In the most recent decision of the National Authority for Data Protection and Freedom of Information (NAIH), a data controller for a political party, responsible for a data breach in which six Excel files were made publicly available via a file-sharing website, must pay a fine of HUF 3 million (EUR 7,500) for infringing the data-security provisions of the EU’s General Data Protection Regulation (GDPR) and for failing to cooperate with the Authority. The breached Files contained a list of personal data (e.g. names, phone numbers, email addresses, postal addresses, ID card numbers) of political party members as well as the party’s operational data. In total, the breach affected approximately 2,000 data subjects.

In the present case, the Authority found that the processing of personal data of members, supporters and activists related to the political party constituted high-risk processing, in line with recital 75 of the GDPR, which states that processing data linked to political opinions should be considered inherently risky. In this context, the GDPR also considers it a risk if the processing could lead to discrimination or if the processing involves a large number of data subjects. Processing that could give rise to identity theft or misuse is likewise considered a risk under the GDPR.

The range of data in the Files made it possible to identify persons who are sympathetic to a political party and who perform various tasks in its operation. The way the Files were processed resulted in a high risk to the privacy of the data subjects, since membership of a political organisation, even past membership, reveals the political opinions of the individual. Data concerning political opinions fall into a special category of personal data under Article 9(1) of the GDPR and are subject to stricter rules. The data controller in this case gave senior party officials and activists access to the Files via a link. As a result, thousands of data subjects were able to access the Files online at the same time without restrictions. The Authority found in this context that free online services that allow users to create and edit files online while interacting with other users in real time do not provide a level of data security proportionate to the risks posed by high-risk processing, since files from these online services can easily be exported and saved to users’ personal computers without any access control.

Despite repeated requests for information, the data controller failed to demonstrate to the Authority exactly what measures had been taken to ensure that the controller’s data processing complied with the relevant provisions of the GDPR on handling a data breach.

Aggravating and mitigating circumstances

In imposing the fine, the Authority assessed the following as aggravating circumstances:

  • the data breaches involved the personal data of a large number of data subjects;
  • the data security weaknesses arose in relation to data processing in which special categories of personal data on political opinions were processed together with contact details;
  • the data breaches were considered a systemic problem because the incident was not the result of a single security breach; and
  • the data controller failed to cooperate with the Authority during the investigation.

Mitigating circumstances included:

  • the Authority was not aware of any information in the course of the proceedings indicating that the data subjects had suffered any specific harm or damage as a result of the infringement; and
  • the NAIH also took into account that the controller had no history of previous infringements in the processing of personal data.

The fact that the Authority was made aware of the breach through an incident report was not explicitly taken into account as a mitigating circumstance.

What can data controllers do to avoid fines?

In terms of precautions to avoid possible fines, data controllers should consider the following measures:

  • files should be processed and stored in an internal system (e.g. a dedicated server) or in a reputable, secure cloud service with state-of-the-art encryption and traceable access controls (e.g. password protection with access control and internal logging);
  • public word-processing applications should be avoided for sensitive data;
  • always cooperate with the Authority following the notification of a data breach;
  • the negative impact of the incident should be minimised as far as possible.

The article was co-authored by Daniella Huszár.