GDPR

Adatvédelem mindenkinek / Data protection for everyone

Takeaways from the (so far) highest GDPR fine in Hungary

2020. július 01. 09:00 - poklaszlo

At the beginning of June, the Hungarian DPA published a decision imposing an administrative fine of HUF 100 million (approx. EUR 290,000) under the GDPR. The fine was much higher than the data protection fines imposed in Hungary so far (the highest amount of fines previously imposed was HUF 30 million). The amount of the fine is remarkable; however, the decision also contains several important findings, some of which are discussed below. (The decision is still subject to judicial review.)

1. Background of the case

The case was initiated following a data breach, in which a hacker discovered a vulnerability through the controller’s website, who reported the error to the data controller and recorded a line of the accessed database containing personal data to prove that through the vulnerability, access to personal data was possible.

One of the databases affected by the data breach was a test database that was previously created for bug fixes and that was not erased after the bug fixing was completed. The database contained personal data of customers. In addition, access to databases of newsletter subscribers and website administrators’ data were possible. No encryption was applied to the databases.

The Authority found that the vulnerability was known for a long time and an update was available on the market that could have been used to fix the vulnerability, but the controller failed to use this update to fix the vulnerability. (The update was not part of an official software update package but still it was easily accessible.)

2. Some important findings of the Authority in this case

The Hungarian DPA made some important points in its decision:

  • In relation to websites that are publicly available on the Internet and can also be visited by (in some cases, a large number of) customers, it can be expected from website operators to be prepared for potential vulnerabilities. This should not be of particular problem to the Client in the present case in terms of the state of science and technology and the cost of implementation, also in view of its position in the market." (Decision, p. 13)
  • However, in the absence of the use of encryption, in the present case, the vast majority of personal data stored in the databases affected by the data breach became readable or accessible without authorization. This fact has significantly increased the risks to data subjects in connection with the data breach." (Decision, p. 14)
  • “[….] the Authority, by this decision, obliged the Client, in order to reduce the risks, to review all databases containing personal data to determine whether the use of encryption is justified and to inform the Authority about the results of such review, also in accordance with the principle of accountability. " (Decision, p. 14)
  • "The data controller still has the possibility to store the data in anonymized form, but it must be done in such a manner that it is not possible to draw any conclusion from the data to the data subjects and to identify them in the future." (Decision, p. 15)

3. The administrative fine

The Authority imposed a fine of HUF 100 million (approx. EUR 290,000) in connection with the infringement of certain provisions of the GDPR (principles of purpose limitation, data minimization; failure to take appropriate data security measures).

The Authority assessed the followings as aggravating circumstances in relation to the fine:

  • the data breach was due to a data security vulnerability for which free repair patch has long been available on the market and the vulnerability could be easily detected even by a third party,
  • the large number of data involved, the risks posed by their sensitivity, as well as the market position of the Client (data controller), on the basis of which the Clinet can be expected to apply the appropriate data security measures,
  • the risks arising from the use of the (open source) content management system and their assessment must be borne by the Client, in the absence of measures, the Client has not complied with the requirements of its own internal regulations,
  • the lack of applied encryption and related risk assessment also increased the risks of exposure to the data breach,
  • the involvement of users with administrator rights in relation to the website,
  • the data security vulnerabilities can be considered as systemic problems,
  • the long-term storage of a test database set up for bug fixing purposes without a proper purpose and in a manner where the database contained data relating to identifiable data subjects,
  • data security deficiencies and, in principle, unlawful data processing affected the personal data of a large number of data subjects, a significant number also in relation to the proportion of the country's population,
  • infringements of GDPR principles are considered to be in the higher maximum fine category according to the GDPR.

Circumstances in favor of the controller:

  • the Authority has not previously established a breach of obligations in connection with the processing of personal data against the Client,
  • the Client acknowledged during the procedure that it should have erased the test database involved in the data breach earlier.

Other circumstances considered (but not classified as mitigating factors):

  • the Client has taken almost all the required measures related to the management of the data breach immediately, so no problem in the Client’s specific data breach management practice was revealed,
  • the Client cooperated with the Authority in the investigation of the case.

4. Key takeaways from the case

Based on the above, this case provides a number of important lessons for data controllers. It is worth highlighting that the application of adequate data security measures, especially encryption and pseudonymization are crucial. The possibility of applying encryption should be considered by data controllers in all cases and, where possible, strongly recommended. And in cases where encryption is not applicable, data controllers should be able to justify why such security measures have not been applied.

Another important message of the decision is that data controllers should pay increased attention to prevention, including vulnerability tests. It is also a tool for prevention where databases that are no longer needed are erased or anonymized immediately.

An important message of the decision is that data controllers have the possibility to store the data in anonymized form, but it must be done in such a manner that it is not possible to draw any conclusion from the data to the data subjects and to identify them in the future.

Szólj hozzá!
Címkék: fine encryption Hungary EN GDPR Hungarian DPA anonymisation data security purpose limitation

Ajánlott bejegyzések:

A bejegyzés trackback címe:

https://gdpr.blog.hu/api/trackback/id/tr5215970798

Kommentek:

A hozzászólások a vonatkozó jogszabályok  értelmében felhasználói tartalomnak minősülnek, értük a szolgáltatás technikai  üzemeltetője semmilyen felelősséget nem vállal, azokat nem ellenőrzi. Kifogás esetén forduljon a blog szerkesztőjéhez. Részletek a  Felhasználási feltételekben és az adatvédelmi tájékoztatóban.

Nincsenek hozzászólások.
süti beállítások módosítása