Financial company fined for lacking sufficient organizational measures

Summary

The complainant, a client of a financial company, discovered that her personal data hosted by the Belgian National Bank ('BNB') had been unlawfully accessed 20 times between 2016 and 2018. The defendant was a company operating in the financial sector that offered services such as personal loans. The complainant's ex-husband was employed at the company. According to the defendant's data protection officer, employees were only allowed to access clients' personal BNB files in order to grant or manage credit. The complainant's ex-husband nevertheless accessed the complainant's personal file in violation of these guidelines.

Although the complainant's ex-husband was accountable for the unauthorized access to the complainant's file, the company retained responsibility as data controller and employer under GDPR Articles 5(2) (accountability principle) and 24 (responsibility of the controller). The employer was therefore responsible for ensuring the security of its data processing and remained accountable for any violations.

The complainant asked the data protection officer, on more than one occasion, which data had been accessed, the identity of the individuals who accessed it, and the purpose and legal basis of the access. Despite the repeated requests, this information was not provided to the complainant.

Decision of the Belgian DPA

The company was fined 100,000 EUR for the following violations:
• Lacking sufficient organizational and technical measures to ensure the security of processing (GDPR Article 32 in conjunction with Article 24).
• Failing to provide the data subject with the requested information (GDPR Article 15).

The company was ordered to implement a compliance process for access to BNB files.

Our remarks

• The employer, who is also the data controller, is responsible for the data processing carried out by its employees in line with its predefined purposes. However, the employer may also be held liable for unauthorized data processing carried out by its employees. Where employees engage in unauthorized data processing, it is the entity, not the employee, that is accountable for adhering to data protection legislation, unless specific circumstances indicate otherwise. As per Opinion 1/2010 of the Article 29 Working Party, companies and organizations are generally considered responsible for data processing rather than the individual employees within them. It is therefore imperative for the data controller to implement suitable technical and organizational measures to prevent abusive data processing by its employees, especially for sensitive data such as financial information about individuals.

• Although the defendant is considered the data controller for the data processing carried out by its employees, this does not mean that it is the only entity responsible in this case. The employee was also considered a data controller for the specific, unauthorized processing activities he carried out, and proceedings were brought against him in a separate case.

• The Belgian DPA emphasized the value of following best practices when securing personal data. Although not explicitly mentioned in the GDPR, measures such as keeping log files allow the data controller to demonstrate compliance with Article 32 (security of processing) by documenting that technical steps have been taken to limit unauthorized access by an employee to a database of personal data.

• Data controllers must respond to access requests in accordance with GDPR Article 15, providing the data subject with a list of the data that has been accessed, the identity of the individuals who accessed it, the purpose, and the legal basis.

Published: 26-04-2021 Journal number: DOS-2019-02288 Tags: 05 Data security
Complycloud EU GDPR Report