Icelandic DPA fines InfoMentor


The Icelandic DPA has fined InfoMentor for a 2019 data breach affecting hundreds of children.

The Icelandic Data Protection Authority has fined the company InfoMentor EUR 23,100 for failing to ensure the proper security of the personal data of several data subjects, most of them children. According to this report from the EDPB, in an incident reported in February 2019, the company's system Mentor, an information system for schools and other parties that work primarily with children, was subject to a data breach. A vulnerability on InfoMentor's part led to the six-digit system number of each user being visible in the URL of a particular page within the Mentor system. This allowed unauthorised parties to gain access to the personal information of these students, including the national identification numbers and avatars of over 400 children.


At its core, this data breach was caused primarily by human error, including a delay in fixing a vulnerability that the company had been aware of. 

InfoMentor acknowledged that the company had been aware of the vulnerability which led to this data breach, and that a fix had already been developed. However, due to human error, the fix was not fully deployed to the Mentor system until after the data breach had already occurred. The breach could have been avoided had the vulnerability been addressed as soon as the relevant persons were made aware of it. In addition, InfoMentor mistakenly sent the national identification numbers of students affected by the data breach to the wrong schools and data protection officers.

The Icelandic DPA fined InfoMentor based on the number of data subjects affected, and the fact that those affected were children.

The rights and freedoms of children were directly affected by this data breach. The most significant factors considered by the Icelandic DPA in determining the administrative fine were the number of data subjects directly and potentially affected, and the fact that the data subjects are children. The Icelandic DPA also considered that InfoMentor's main activity is the development and operation of an information system intended for schools and other entities working with children. On the plus side, there was no indication of harm suffered by the data subjects as a result of this breach. In addition, InfoMentor has taken numerous steps to improve its security and to address the vulnerabilities affecting the personal data within its system which caused this breach.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

CNPD ordered Statistics Portugal to suspend all data transfers within 12 hours

CNPD ordered Statistics Portugal to suspend all data transfers to a US based processor within 12 hours earlier this week.

The Portuguese DPA, Comissão Nacional de Proteção de Dados or CNPD, ordered Statistics Portugal (INE) to suspend within 12 hours all data transfers relating to its census, due to an inadequate level of protection for international data transfers, IAPP reported. After receiving complaints about the conditions for the collection of data via the internet, the Authority carried out a quick investigation. This probe revealed that INE used Cloudflare Inc, a California-based web infrastructure and website security company, to handle census survey operations. Due to the nature of the services provided by Cloudflare, the company is directly subject to US surveillance legislation for the purposes of national security.

While the international transfers were based on SCCs, it was concluded that the data was still not adequately protected.

Even in cases where the data transfers are based on Standard Contractual Clauses, data protection authorities are obliged to suspend or prohibit data transfers where there are no guarantees that these clauses can or will be complied with in the recipient country. US surveillance legislation imposes on certain companies a legal obligation to give US authorities unrestricted access to the personal data in their possession, without being able to inform their clients of it. With Cloudflare Inc being subject to this legislation and being in possession of large amounts of personal data from Portuguese citizens, this posed a serious risk.

CNPD ordered INE to cease data transfers within 12 hours due to the sensitive nature of the information collected.

The data collection process for the census exercise being executed by INE began on April 19th and was due to be completed by May 3rd. However, due to the complaints received by CNPD about a week into the process, INE was ordered to cease data transfers within 12 hours. The main reason for the immediate order, in addition to the sheer amount of data being collected and processed, was the sensitive nature of the data itself, which included religious and health data from the individuals in this large data pool.

Of late, similar issues have been dealt with by various data protection authorities across the EU.

In recent times we have seen similar action being taken by other EU DPAs, for example in Spain and Germany, concerning data transfers on the basis of Standard Contractual Clauses. Transfers made to the U.S., or to any other third country that has not been recognised as providing an adequate level of data protection, present an issue when no additional measures are applied. The risk is particularly acute when dealing with sensitive data, as was the case in this instance. When making international data transfers on the basis of Standard Contractual Clauses, it is extremely important that the data is subject to a level of protection equivalent to that provided under EU law.



Standard Contractual Clauses may not be enough, as suggested by recent decision by BayLDA

BayLDA, the Bavarian DPA, has recently ordered a German company to cease using Mailchimp, despite the use of Standard Contractual Clauses.

In the aftermath of the Schrems II ruling, we have seen some examples of the practical implications of this judgment. In the most recent case, the Bavarian DPA has ordered a German publishing company to cease using Mailchimp, the popular US email marketing platform. Although the transfer of data to Mailchimp, and by extension to the US, a third country, was based on Standard Contractual Clauses, it was still unlawful. It was found that the company had not done its due diligence in ensuring that this data was adequately protected from access requests by US surveillance authorities.

Although the data transfers by the German company were based on Standard Contractual Clauses, BayLDA found that additional due diligence was needed.

A complaint was filed with the Bavarian DPA, BayLDA, against the German publishing company regarding its occasional use of Mailchimp for its newsletter. The data transfers to Mailchimp by the German publishing company were based on Standard Contractual Clauses. However, under the US surveillance law FISA 702, Mailchimp qualifies as an "electronic communication service provider", leaving the transferred email addresses at risk of being accessed by US intelligence services. BayLDA found that the publishing company needed to take additional due diligence steps to determine whether any supplementary measures had to be put in place to ensure that data transferred to Mailchimp was protected from US surveillance.

Following the decision by BayLDA, the company has ceased using Mailchimp with immediate effect, avoiding a possible fine.

The respondent in this case had argued that its use of Mailchimp was lawful under GDPR Article 44. Recital 102 states, in part, that "Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects." In this case, it was ultimately found that the German company was not able to adequately protect the fundamental rights of the data subjects affected, as it had not ensured that their data was sufficiently protected from access by US surveillance. The German publishing company immediately ceased using Mailchimp for its newsletters, avoiding a possible fine from BayLDA.


This decision by BayLDA provides further clarity on the practical application of Schrems II.

This decision by the Bavarian DPA makes clear to companies transferring data on the basis of Standard Contractual Clauses that these clauses alone may not be enough. Due diligence is still required on transfers of data outside the EU or UK. Because third country surveillance laws may not be compatible with EU or UK law, supplementary measures may be needed to adequately protect the data being transferred to service providers in those third countries.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.


Dutch DPA imposes fine for delayed report of a data breach

The Dutch DPA has imposed a fine on the international travel agency Booking.com for its delay in reporting a significant data breach.

Netherlands-based international travel agency Booking.com was recently hit with a fine for its delayed action in reporting a data breach. The breach was discovered on January 13, 2019, after having occurred in December 2018. However, the incident was not reported to the DPA until February 7th 2019. Data breaches must be reported to the relevant authorities within 72 hours of their discovery, making this report about 22 days late. As a result, the Dutch DPA imposed a fine of €475,000 on the company.

Because Booking.com is an international company with customers from a range of different countries, the investigation into the breach was international in scope. The investigation, however, was conducted by the Dutch DPA, since the company is based in the Netherlands.


Cyber criminals posed as booking.com staff in emails and on the phone in order to steal personal information. 

These cyber criminals were able to collect information by posing as Booking.com staff in emails and on the telephone. The scam targeted 40 hotels in the UAE in December 2018. By using customers' booking details to appear more credible when posing as Booking.com staff, the phishers attempted to gather as much personal and financial information on as many customers as they could, in order to steal money from them. This data included login credentials as well as financial information. The scope of the breach was so wide that the criminals were able to access the data of over 4,000 people, including the credit card details of over 280 people. In 97 of those cases, even the credit card security code was obtained.


Booking.com does not object to the fine imposed and has compensated their customers for the financial losses suffered as a result of the breach. 

Although Booking.com was made aware of the breach on 13 January 2019, it was not until February 4, 2019 that it informed the affected customers. Furthermore, the company waited until February 8 to inform the DPA of the breach. The company has offered several remedies, including financial compensation for any losses suffered by its customers. Booking.com will not lodge any objections or apply for a review of the fine imposed.

There has been a significant increase in cyber crime over the past year, making enhanced security measures even more valuable.

In recent times, particularly since 2020, there has been a significant increase in personal data theft and attempted theft. 2020 saw 30% more data theft than the previous year. Many individuals have fallen victim to phishing and other forms of data theft aimed at accessing financial information, and have suffered financial losses as a result. DPAs have remarked on the explosive increase in these cases over the last year. Enhanced security, as well as timely reporting in the event of a breach, can greatly reduce the impact that this sort of theft has on individuals.
