
Lack of evidence of fraudulent use does not affect the classification of a breach

Summary

In 2015, a payment service provider called SLIMPAY reused personal data from its databases for testing purposes as part of a research project on an anti-fraud mechanism, and the data was left stored on a server without proper security measures. This led to personal data being freely accessible by anyone from the internet.

The database contained information such as civil status and bank information (e.g., IBAN) related to around 12 million persons. In 2020, a SLIMPAY client reported the data breach, and SLIMPAY took measures to stop it and notified the French Data Protection Authority (DPA). However, SLIMPAY did not notify the affected data subjects, even though it was in possession of the contact information for about 6 million of them.

In this case, no data subjects suffered any harm, which SLIMPAY argued should indicate that no fine should be imposed on it.

The decision of the French DPA

The French DPA imposed a fine of 180,000 EUR on SLIMPAY for not ensuring an adequate level of security (GDPR, Article 32), and for failing to inform the affected data subjects of a data security breach (GDPR, Article 34).

Our remarks

• One important technical measure that can help ensure compliance with Article 32 is logging server activity. Server logs are records of all activity that occurs on a server, such as who accessed the server, what data was accessed, and when the access occurred. By logging server activity, data controllers and processors can monitor and track potential security breaches, unauthorized access attempts, and other suspicious activity. The data controller will also be able to determine which data potential intruders had access to during a personal data breach.

• It is not a mitigating factor that a breach occurs due to human error. On the contrary, organizational and technical measures should try to compensate for human shortcomings.

• The lack of evidence of fraudulent use of data does not affect the classification of the security breach. This is because the risk of fraudulent use of personal data was real, regardless of whether any cases of fraud occurred. The fact that many people's data was made accessible to unauthorized third parties was enough to create a risk.

• The data controller is only obliged to inform the data subjects if the personal data breach is "likely to result in a high risk to the rights and freedoms of natural persons". A personal data breach concerning financial information like IBAN constitutes a high risk for the data subjects, and therefore they should have been notified about the breach in this case. This notification should be sent directly to the data subject or can in some situations be done via public communication. The DPA notes in the case that, even though public communication would probably not have been sufficient in this case, it would have been better than not doing anything at all.

Published: 28-12-2021, Journal number: N/A, Tags: 05 Data security

Complycloud EU GDPR Report