Fine for breaching of the obligation to ensure the security of personal data

7 September 2022

Background information

  • Date of final decision: 23 August 2022
  • Cross-border case or national case: National case
  • Controller: Company
  • Legal Reference: Integrity and confidentiality (Article 5.1.d), Accountability (Article 5.2), Responsibility of the controller (Article 24.1), Security of processing (Article 32)
  • Decision: Infringement of the GDPR; administrative fine
  • Key words: Security of Processing, Two-factor-verification

Summary of the Decision

Origin of the case

The controller is a company which developed a digital administration platform. Both suppliers and customers can connect to each other on this platform and thereafter upload documents, make payments to each other, etc.
The complainant is not a user of this platform, but he shares a house with a friend, who is a third party in these proceedings and a user of the platform. In the context of this co-housing, the complainant and his roommate agreed that the roommate would upload the water bill for their shared home to the roommate's personal account on the platform, even though the bill was in the complainant's name. After the water bill was uploaded, the platform automatically identified the complainant's name on it.
Consequently, the platform automatically invited the roommate to connect with several other businesses active on the platform of which the complainant was a customer. Although the roommate did not accept these invitations, it is noted that, due to insufficient security measures, the roommate could easily have gained access to various financial and medical data of the complainant.

Key Findings

In its written submissions before the Litigation Chamber of the Belgian Supervisory Authority (SA), the defendant acknowledged that these invitations without any verification of the user’s identity did indeed constitute a violation of article 32 GDPR.
However, these security issues were resolved less than 48 hours after the defendant was notified by the complainant. Before the hearing, the defendant had already implemented the necessary security measures, which inter alia no longer allow these automatic invitations or any other kind of proposed connection.
The data subject's identity is now validated via two-factor verification when logging into the platform. An additional two-factor verification of the bank account has been implemented to confirm the identity of the data subject.

Decision

The Litigation Chamber of the Belgian SA found that the controller had failed to implement the necessary security measures, taking into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, and had thus violated article 5.1.d, article 5.2, article 24.1, article 32.1 and article 32.2 GDPR.
The Litigation Chamber acknowledged that the controller had swiftly taken the necessary measures. However, since the sharing of (financial, medical and other) data constitutes the core business of the controller, the Litigation Chamber imposed a fine of 2,500 EUR.

For further information: national decision (NL)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.