7 Matching Annotations
  1. Apr 2021
    1. Therefore, there should have been measures in place that would have prevented the security breach in question. However, from the evidence of the case it will be assumed that they were not present.
    1. The GDPR does not prevent an organisation from implementing third party scripts. Rather, the GDPR requires that each organisation assess the risks arising in the circumstances of their own implementation and put controls in place to protect the personal data that it processes. Ticketmaster has shown very limited knowledge at the date of the Incident of the risk of implementing third party scripts into a payment page, despite it being widely known and documented at that time. A fortiori, Ticketmaster has not evidenced that it deployed appropriate and proportionate controls to manage this risk.

      Risk assessment required for data controller - here absent.

      Ticketmaster neglected the profound risk.

    1. The university hospital has thus not taken appropriate organisational measures, in accordance with Article 32 of the General Data Protection Regulation, to limit users' access to personal data of patients in the medical record system.
    2. At the time of the inspection, Karolinska University Hospital was unable to present any needs and risk analysis.
    3. The template for needs and risk analyses available in Karolinska University Hospital's guidelines are not filled in regularly.

      Can this be classified under operational readiness? Because needs & risk analyses are not filed regularly (as probably required?).

    1. The rapporteur criticises the company for not having put in place the necessary measures to protect the personal data it processes after becoming aware of the existence of a vulnerability on its website.