121 Matching Annotations
  1. Jul 2021
    1. the diligence with which the controller acts after a cyber-attack of these characteristics matters

      operational readiness or remedial action?

    2. not to impose a penalty in the form of an administrative fine and to replace it with the penalty of a warning under Article 76. 3 of the LOPDGDD in relation to Article 58.2 b) of the RGPD.

      warning, NOT administrative fine, due to remedial action/diligence post-factum

    3. in view of the diligence carried out by VOX with regard to the prompt communication of the security violation to this Spanish Data Protection Agency, as well as the initiation of actions aimed at minimizing the negative consequences of the aforementioned security violation, and as indicated in proven facts six and seven of this resolution, which show that following the security incident and the reports commissioned by the security experts, the entity has remedied the vulnerabilities identified and the level of security has been improved

      remedial action

    4. Contrary to what VOX indicates in its allegations to the agreement of initiation, this Agency is not considering the personal data subject to the security breach as ideological data that deserve to be subsumed under the umbrella of Art. 9 of the RGPD which, under the heading "Special categories of data", includes as such personal data that reveal (...), political opinions (...), but the type of data that has been exposed and the specific type of exposure, i.e., on the Internet, reveals a certain risk that must be taken into account, as indicated below. The data in question is related to the subscription to a newsletter on the activity of the political party, and that, although it does not necessarily imply data of an ideological nature, the public exposure of this information through the Internet may give rise to certain combinations with other information - also published on the Internet or by other sources, such as comments on social networks, participation in forums, monitoring of certain user profiles on social networks, etc., - and place its headlines in a certain position in that sense. On the possibility of combining information on a holder of personal data, we can mention Opinion 4/2007 of the Article 29 Working Party, "On the concept of personal data" which, although it analyses the possibilities of identifying someone through combinations with other information, is very clear when we refer to the risk of attributing a certain political ideology, starting only from the data of a subscriber to the information of that party, and combining it with another. In particular, it indicates the following: (...)when we speak of "indirectly" identified or identifiable, we are generally referring to the phenomenon of "unique combinations", be they small or large. In cases where, at first sight, the available identifiers do not make it possible to single out a particular person, that person may still be 'identifiable', because that information combined with other data (whether or not the data controller is aware of them) will make it possible to distinguish that person from others. This is where the Directive refers to "one or more specific elements characteristic of their physical, physiological, mental, economic, cultural or social identity". Some of these characteristics are so unique that they make it possible to identify a person effortlessly (the "current Prime Minister of Spain"), but a combination of details belonging to different categories (age, regional origin, etc.) can also be conclusive enough in some circumstances, especially if one has access to additional information of a certain kind. This phenomenon has been extensively studied by statisticians, always ready to avoid any breach of confidentiality (...) Thus, the different pieces that make up the personality of the individual are brought together in order to attribute to him/her certain decisions (...) As indicated above, in this case, a search on the Internet, for example, of the name, surname or e-mail address of one of the affected parties may offer results that, combined with the subscription to receive news about the activity of the political party, i.e. those who have been the object of the security breach, reveal to us a certain political ideology, the revelation of which does not have to have been consented to by the owner. This possibility entails a risk that must be assessed when processing certain data with this characteristic and which increases the demand for the degree of protection in relation to the security and safeguarding of the integrity and confidentiality of these data. This risk must be taken into account by the controller and, on the basis of this risk, measures must be established which would have prevented the controller from losing control of the data and, therefore, of the holders of the data who provided them to the controller.

      risk assessment - personal data & political ideology - combination of data/sources

    5. From the actions carried out, it has been verified that the security measures that the investigated entity had in place in relation to the data it was processing, were not adequate at the time of the data breach, since, according to the report provided (...) several serious confirmed vulnerabilities were found that must be corrected and that in general have to do with the validation of the input parameters, and that must be corrected as soon as possible (...)

      finding of not adequate security measures

    6. This possibility is a risk

      risk: disclosure of a certain political ideology --> potential harm? material? moral?

    1. may use that information to harass within the game and even in real life (even minors, who are many who play habitually)

      potential material/moral harm & vulnerable data subjects (minors, teens, kids)

    2. specific points what makes them known, where they work, etc., for this reason providing data about a player gives information to know what natural person he is.
    1. The unauthorized data collection was confirmed, the scale of the breach was determined and remedial actions were taken, i.e. the correct configuration of the server was restored (port closure) and the passwords of the moneyman.pl users were reset.

      customer notification stated clearly in other tag/point in the decision

    2. high risk of violating the rights or freedoms of natural persons to whom the data relates
    3. the personal data on the server was publicly available
    4. ID Finance Poland Sp. z o.o. in liquidation with its seat in Warsaw at ul. Hrubieszowska 6A
    5. personal data of 218,657 people were processed

      risk factor

  2. May 2021
  3. Apr 2021
    1. passengers' names, contact details, address details, identity cards and passport numbers, booking and travel, destination, accommodation and contracting related data
    1. Articles 5, 24, 25 and 32 Regulation (EU) 2016/679

      cross-reference with Art. 5, 24, 25

    2. it can be mentioned, as a mitigating factor, that FB employees have been educated about information security and that a written information security policy has been prepared with procedures for the handling of personal information.
    3. As described above, this was information about the well-being, learning outcomes and social conditions of 18 undergraduate students. To a large extent, the information related to something that was lacking in them and in one case that the child welfare authorities had interfered with the person concerned. This included health information, but according to point 3 (b). Article 3 Act no. 90/2018, such information, both in terms of physical and mental health, is considered to be sensitive.

      sensitive personal data

    4. It is clear that FB reported the security breach immediately after it emerged. The school has also responded well to the Privacy Policy's requests for clarification and information within the time limits that have been granted.

      satisfactory/good cooperation with DPA

    5. Therefore, there should have been measures in place that would have prevented the security breach in question. However, from the evidence of the case it will be assumed that they were not present.
    6. both by e-mail and by telephone

      diligence of remedial action

    7. it is important that almost immediately after the security breach was sent the teacher in question send a message to all recipients, that they should delete the data they had received incorrectly

      quick remedial action

    8. it is clear that this was not processing for unlawful purposes but human error

      does this characterize the gravity of the harm?

    9. this is not a long-term violation but a unique case

      scope of processing and severity of violation: not grave, but unique event vs. long-term violation

    10. It is clear that the security breach in question involved a significant reduction in the privacy rights of the students concerned in the light of the nature of the personal information in question.

      how the data breach affected privacy right of data subjects

    11. This case concerns the processing of personal information by the educational institution.
    12. attachment containing the sensitive personal information had been sent to 20 students and 37 guardians, in addition to which the sender had also sent a copy to himself
    13. Risk assessments and safeguards will be reviewed regularly.
    14. All staff of the school involved in the processing of personal information have been instructed on security breaches and presentation of the procedures.
    15. educational lectures for most staff

      for whole paragraph: did staff training pre-exist the data breach? or these training took place after the breach and notification of the DPA? not clear from machine translation

    16. FB has formulated an internal privacy policy which provides procedures for the processing of personal data for employees

      remedial measure - internal privacy policy; does it initiate staff training?

    17. that FB contacted the guardians of the students in question on August 16, 2019, both by e-mail and by telephone

      data controller contacted to notify the breach

    18. the students' well-being, learning outcomes and social conditions were taken into account. To a large extent, the information related to something that was lacking in them and in one case to the fact that the child protection authorities had interfered with the person in question. Then, in one case, there was information about mental health and in another case physical health.

      sensitive personal data: physical health, mental health, learning outcomes, social conditions, etc.

      esp. regarding students, so vulnerable data subjects!

    19. by mistake

      no maliciousness!

    20. emailed to unauthorized parties
    21. sensitive information about interviews with students
    1. also in consideration of the invasiveness of the contested treatment with respect to the fundamental rights of the interested parties

      harms but not enough analysis

      moral harm? (inference)

    2. it is noted that, as is clear from the documentation acquired during the preliminary investigation, the University limited itself to accepting the design choices of the company that provided the whistleblowing application which did not provide for the encryption of personal data

      is this lack of operational readiness? or just preliminary organizational mistake/business decision?

    3. Therefore, considering the permanent nature of the offense, which is, moreover, of an omissive nature, the applicable discipline must be identified with reference to that in force at the date of completion of the case, to be recognized precisely at the time of the cessation of the conduct, which occurred after the aforementioned date of 12 December. 2018, when both the aforementioned Regulation and the internal adjustment regulations (Legislative Decree 101 of 2018) already applied.

      ommissive nature of offence and applicability of GDPR

    4. dispute relating to the "failure to comply with current and more specific rules to ensure the protection of rights and freedoms with regard to the processing of employees' personal data in the context of employment relationships

      kind of data subject: employees ?

    5. the University has notified the "dispersion of common personal data (name, e-mail address) relating to 2 whistleblowers via the whistleblowing platform (provided by Agic Technology srl) on search engines"
    6. art. 5, par. 1, lett. a) of the Regulations

      cross-reference with Art. 5

    7. have involved the InfoSapienza Center for the suspension of the whistleblowing application and the cancellation from some search engines of the cached copies of the web pages containing these data
    8. have communicated the violation of personal data to the two interested parties
    9. the personal data […] affected by the data breach were the following: name; surname; structure / seat; phone; e-mail; reporting date
    1. The GDPR does not prevent an organisation from implementing third party scripts. Rather, the GDPR requires that each organisation assess the risks arising in the circumstances of their own implementation and put controls in place to protect the personal data that it processes. Ticketmaster has shown very limited knowledge at the date of the Incident of the risk of implementing third party scripts into a payment page, despite it being widely known and documented at that time. A fortiori, Ticketmaster has not evidenced that it deployed appropriate and proportionate controls to manage this risk.

      risk assessment required for data controller - here absent

      ticketmaster neglected the profound risk

    2. Despite the notifications by, amongst others, Monzo and Commonwealth Bank of Australia of possible fraud involving the Ticketmaster website, the integrity of the chat bot was not initially checked, assessed or otherwise tested to ensure that it has not been compromised. Indeed, it took Ticketmaster approximately nine weeks from the date of Monzo's notification of possible fraud involving the Ticketmaster website for Ticketmaster to run a payment through its payment page and monitor the network traffic thereon.

      initial lack of post-factum remedial action

    3. the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons

      appropriate organisational measures

    4. unauthorised or unlawful processing and against accidental loss, destruction or damage
    5. failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR

      cross-reference with Art. 5

    6. By 28 June 2018, all potentially impacted data subjects were emailed to inform them of the Personal Data Breach.
    7. Ticketmaster have been unable to provide the Commissioner with a breakdown of the individuals affected during the period from 25 May 2018 to 23 June 2018.

      not enough mitigation efforts

    8. customer's personal data that was the subject of the breach included "name, address, email address, full credit card number, C VV, and Ticketmaster username and password"
    9. Further, Ticketmaster stated: "As part of Ticketmaster's GDPR readiness programme, Ticketmaster invested £2.5 million on an internal privacy portal to deal with data subject rights issues, including complaints.e"

      operational readiness

    10. It was because of Ticketmaster's business decision to include the chat bot on its payment page that the chat bot was able to unlawfully process the personal data of customers. An attacker directed its attack at the Inbenta servers and inserted malicious code into the JavaScript for the chat bot.

      data controller's business decision lead ultimately to the unlawful processing (infringement)

      lack of diligence: business decision + notifications from card companies and users, no thorough investigation of all notified incidents/suspicions (as above)

      organizational measures in place + 3rd party forensics team, but diligence is lacking

      so, type of breach: third-party from Inbenta OR business decision and lack of diligence of controller?

    11. Because Ticketmaster included the chat bot on its payment page, the personal data scraped by the malicious code included financial data such as names, payment card numbers, expiry dated and CVV numbers.
    12. On 22 June 2018 at 8.53pm, Ticketmaster received a notification from Barclaycard regarding around 37,000 instances of known fraud. As set out below, this is the date from which Ticketmaster has stated that it had knowledge of the Personal Data Breach in its personal data breach reports submitted to the Commissioner.

      actual incident on which the notification of the DPA is based

      what type of breach? data exposed online? fraud?

    13. Ticketmaster has received approximately 997 complaints alleging financial loss and/or emotional distress.
    14. On or around 5 May 2018, Ticketmaster engaged four third party forensics firms (together "the Incident Response Team") to investigate the Australia Event and any data breach and subsequent fraud.

      initial response to incident (Australia)

    15. On 1 May 2018, the Commonwealth Bank of Australia provided Ticketmaster with data concerning 1,756 MasterCard users who had been victims of fraud and who had all transacted on Ticketmaster's Australian website.
    16. criteria

      mostly risk factors

    17. the breach or potential breach

      UK also distinguishes between actual and potential breach!

    18. the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate

      serious infringement and penalty

    19. unauthorised or unlawful processing and against accidental loss, destruction or damage

      type and consequence of breach?

    20. Monzo Bank have advised that around 6,000 cards have had to be replaced in relation to Ticketmaster transaction fraud.
    21. Barclays Bank have advised that around 60,000 individual card details had been compromised.
    22. 9.4 million EEA data subjects were notified as having been potentially affected
    23. an incident from 25 May 2018 to 23 June 2018, affecting personal data processed by Ticketmaster during that period (the "Incident")

      infringement - actual breach

    1. The university hospital has thus not taken appropriate organisational measures, in accordance with Article 32 of the General Data Protection Regulation, to limit users' access to personal data of patients in the medical record system.
    2. it is a question of very large data collections with sensitive personal data and wide-ranging permissions.
    3. in breach of Article 5(1)(f) and 5(2) and Article 32(1) and (2)

      cross-reference: Art. 5 GDPR

    4. This in turn has meant that there has been a risk of unauthorised access and unwarranted dissemination of personal data in the context of the internal confidentiality, on the one hand, and in the context of the single file management, on the other.

      potential breach: risk of unauthorised access and unwarranted dissemination of personal data

    5. At the time of the inspection, Karolinska University Hospital was unable to present any needs and risk analysis.
    6. negative consequences for data subjects

      potential harms

    7. The data also concern people who are in a situation of dependency when they are in need of care.

      patients as vulnerable ('dependent') data subjects

    8. sensitive personal data
    9. Both the data collections size as the number of people sharing information with each other has increased significantly.


    10. This means that users at Karolinska University Hospital technically have access also to information on patients at SLSO within the internal confidentiality, and vice versa.
    11. In the policy document "Decision on the allocation of competences"

      some organizational measures, i.e. framework for permission to data, is present

    12. Following the inspection, Karolinska University Hospital has begun work to ensure that needs and risk assessments are carried out throughout the organization. Among other things, a needs and risk analysis has been carried out for the Perioperative Medicine and Intensive Care function in accordance with Karolinska University Hospital Guidelines.

      some organizational measures have been taken, after the inspection (and instruction?)

    13. The template for needs and risk analyses available in Karolinska University Hospital's guidelines are not filled in regularly.

      can this be classified under operational readiness? because needs & risk analyses are not filed regularly (as probably required?)

    14. 1 970 000 patient records are registered on, and de facto patients at, Karolinska University Hospital
    15. hospital had started work on an action plan and a needs and risk analysis.

      the hospital replied they had started working on relevant action plan for (instructed) risk analysis

    16. Previous review of Karolinska University Hospital's authorisation management The Swedish Data Protection Authority has previously conducted an inspection of Karolinska University Hospital's access control etc. By the Data Inspectorate Decision 920-2012, notified on 26 August 2013, states that Karolinska University Hospital was instructed, among other things, to carry out a needs and risk analysis as a basis for assigning authorisations in TakeCare.

      in 2013 the Hospital was instructed to carry out a risk analysis - have they acted on the DPA's instruction?

    17. The University Hospital has not taken measures to ensure and be able to demonstrate adequate security for personal data.

      GDPR 32 infringment

    18. does not have limited user permissions for accessing the medical record system TakeCare to what is needed only for the user to be able to carry out their duties

      lack of limited user permission; lack of restricted access to what is only needed for the carer's duty

      ADD TAG

    1. These measures are regarding authentication not appropriate because they cannot provide an adequate level of protection for gaining access to the application.
    2. In determining the risk to the data subject include the nature of the personal data and the nature of processing matters: these factors determine the potential harm to the individual data subject in the event of, for example, loss, modification or unlawful processing of the data.
    3. the UWV in the employer portal processes personal data, including special personal data. This includes NAWdata, citizen service number, financial data and data on disability, dismissal and childbirth.
    4. The UWV has in determining the confidence level the fact that the employer portal only contains health data processes related to reporting sick or the fact that someone is pregnant. The nature of the sick report is not processed.

      description of health data collected

    5. In the employer portal, the UWV processes, among other things, personal data relating to the employee health.

      sensitive data?

    6. Implementation Institute Employers' insurance (hereinafter: the UWV)
    1. company CARREFOUR FRANCE
    2. The rapporteur criticises the company for not having put in place the necessary measures to protect the personal data it processes after becoming aware of the existence of a vulnerability on its website.
    3. no sensitive data were concerned by the processing operations.
    4. With regard to the degree of cooperation with the supervisory authority, the restricted session noted the company's perfect cooperation, both in facilitating the CNIL's investigations and in taking into account the rapporteur's observations, even before the restricted session's decision. It also notes that the company complied with the rapporteur's legal analysis of all the shortcomings noted, even in cases where a difference of opinion remained.
    5. With regard to the nature, seriousness and duration of the breach, it considers that this criterion is particularly characterized for several breaches, in particular those relating to the duration of the storage of personal data, the modalities of exercising rights and the deposit of cookies.

      indirect consequences of breach

    6. Accordingly, the restricted session considers that the failure to implement mandatory pre-authentication following the discovery of the vulnerability - when this measure had been identified and is the only measure to completely prevent the risk - constitutes a breach of section 32 of the Regulation.

      failure to implement appropriate security measures, i.e. mandatory pre-authentication

    7. To address this vulnerability, the company decided to develop two measures
    8. the change in these practices since the notification of the sanction report
    9. company for having kept for a period of one to six years the identity documents communicated to it by the persons concerned in the context of the exercise of a right. He considers that this period is excessive, as the data is kept beyond the time necessary to achieve the purpose for which it is processed.

      analysis of finding under 37 et seq.

    10. the company acknowledges a delay in the implementation of its data erasure program but emphasizes the significant efforts made since the initiation of the procedure to bring itself into compliance
    11. On the failure to comply with the obligation to keep personal data for no longer than is necessary for the purposes for which it is processed

      risk factor

    1. name and surname, level of education, e - mail address, employment data, e-mail address of the person whose loan the client wants to recommend, personal data regarding earnings, data on marital status, telephone number (landline, mobile, previously used telephone number), PESEL number, nationality, NIP number, password (mistakenly, as indicated by the Company, stored in open text), place of birth, correspondence address, registered address , telephone number to the place of work and bank account number
    2. wide scope
    3. to remedy the breach and minimize the negative impact on data subjects

      remedies follow

    4. unauthorized access by third parties
    1. serious lack of diligence
    2. absence of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of it
    3. scope in a local environment
    4. treatment


    5. Article 32 of the RGPD has been violated, when a security incident occurs in your system allowing access to personal data of third parties, when accessing your account the claimant in perfumespremium.es, where the data of another customer with breach of security measures
    6. shows personal data, addresses and billing of other users
    7. materialize in the access to the personal data of a third person user client
    8. Security of treatment

      Security of processing

    9. allowing access to the claimant to the personal data of a third person when accessing their account
    10. showing the data of another client
    11. when trying to access your user account in perfumespremium.es appears the personal data of another different user
  4. Mar 2021