Poor personal data security by a digital administration platform has led to a fine for a Belgian data controller.
A Belgian data controller has recently incurred a fine for multiple GDPR violations. The controller in this case is a company that created a platform for digital administration. On this platform, suppliers and consumers can connect, upload documents, send money to one another, etc. Although the complainant in this case was not a user of this platform, he cohabitates with someone who is.
The complainant, as well as his roommate, agreed that even though the water bill was in the complainant’s name, the roommate would upload it to the roommate’s account on the platform in the context of this co-housing. The software recognized the complainant’s identity on the water bill immediately when the water bill was uploaded. As a result, the platform immediately invited the roommate to connect with numerous other current businesses on the platform that the complainant frequented. Although the roommate declined these invitations, it should be highlighted that due to poor security procedures, the roommate may have had easy access to the complainant’s different financial and medical records.
The data controller is responsible for ensuring that personal data is handled in compliance with the EU GDPR.
Many companies use services like email or cloud storage provided by third parties to manage their data. The data controller is still responsible for ensuring that personal data is handled in compliance with the GDPR. The controller is therefore liable for any breach by a non-compliant third party unless it can demonstrate that it was “not responsible in any way for the occurrence that produced the damage.” Because of this, it’s crucial to thoroughly examine any third-party service providers you utilize to be sure they have a solid security track record.
The company had taken security measures before the hearing, including prohibiting automatic invitations and proposed connections.
The company recognized that these invitations without any confirmation of the user’s identity did violate article 32 of the GDPR. After the complainant informed the company about these security issues, they were remedied in less than 48 hours. The company established the appropriate security measures before the hearing, including the prohibition of these automatic invitations and any other proposed connections. Now, while logging onto the platform, the data subject’s identity is verified using two factor authentication. Two-factor bank account verification has been incorporated as an additional validation to confirm the data subject’s identity.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.