The Irish Data Protection Commissioner has imposed a fine of EUR 125,000 because a controller (the City of Dublin) disclosed personal data of approximately 13,000 people without authorisation after a server was attacked with malware. In addition to the master data of the data subjects, account data and special categories of data were also affected, in particular information on ethnic origin and health data.

It was particularly significant that the city did not report the data breach to the supervisory authority without delay and that the data subjects were not informed.

Recommended actions
  • When making changes to ICT systems, carry out appropriate risk assessments to determine whether personal data could be affected and to ensure that appropriate organisational and technical measures are taken.
  • Report data breaches to the data protection supervisory authority without delay and carefully, and inform the data subjects if necessary. Do not wait for the results of investigations by third parties (e.g. processors).
  • The Controller must comply with the reporting obligation in a timely manner.
  • If a supervisory authority expressly instructs that a breach must be reported to the data subjects (Art. 34(4) GDPR), as in the present case, you should take action without delay as the Controller.

Source: https://dataprotection.ie/en/dpc-guidance/law/decisions-made-under-data-protection-act-2018/inquiry-CDETB

Do you require assistance in implementing data protection rights or have specific questions? Then please feel free to contact us: consulting@AdOrgaSolutions.de
