GDPR News – October 2021
Selected GDPR decisions from the month of October
EUR 412,000 fine for failing security measures
The Norwegian DPA has imposed a fine of EUR 412,000 on Norwegian municipality of Østre Toten. In January 2021, the municipality experienced a cyberattack entailing that the data of the municipality became encrypted and back-ups were deleted.
Subsequently, a substantial amount of data became released on the dark web and about 30,000 documents containing data about ethnic origin, political stand, religious conviction, trade union memberships, sexual orientation, health status and bank details on residents and employees of the municipality became the object of the cyberattack.
The DPA’s investigation ascertained that the municipality suffered from basic flaws with respect to personal data security and relating internal audits. Among others, the DPA ascertained that the municipality had not used two-factor authentication when logging into systems and had no sufficient back-up systems.
Dantherm draws criticism for failing security measures
On 25 September 2020, Dantherm reported a breach on personal data security to the DPA after Dantherm had been exposed to a ransomware attack during which hackers accessed Dantherm’s IT environment and leaked data about current and former employees to the dark web.
Apparently, the hackers gained access through the user “AV” who held administrator rights. The user account had previously been used by an external consultant who ought not have access at the time of the attack. The hackers deleted most of the log files, hence, Dantherm could not answer the question about to which extent the account “AV” had been active or deactivated.
The DPA stated that it is for the data controller to identify any risks for the data subjects arising out of the data controller’s processing, and to ensure that adequate security measures are implemented for protecting the data subjects against such risks. The requirement for appropriate security entails that there must usually be a limit to administrative privileges in systems where access to confidential personal data or special categories of personal data across various resources in the domain structure can be obtained. Hence, appropriate security is usually reflected by administrator rights only being granted to relevant limited resources and only for a limited span of time.
This could be implemented by not granting broad administrative privileges and access, and by such not being granted on a permanent basis, but rather on an ad hoc basis.
Granting of administrator rights should be organised in such way that access is only granted to relevant resources, and in all cases, all usage of said rights should be subject to machine registration (logging). Furthermore, log files should be saved in such way that users with administrator rights cannot delete or change them.
The DPA found that Dantherm’s processing of personal data was not in compliance with the regulations on adequate security.
When assessing the matter, the DPA took into account that Dantherm had not ensured that users with administrator rights could not delete or change log files.
In addition, the DPA found that Dantherm had not observed the requirements about the data controller being obliged to prove adequate security when processing personal data. In that connection, the DPA emphasised that Dantherm could not document in which periods the AV account had been active.
The DPA therefore found grounds for criticising Dantherm for not processing personal data in compliance with the regulations under the GDPR. The matter concerned socalled cross-border processing of personal data, as employees in Germany, Poland and England, among others, were affected by the breach. Therefore, the DPA has in its capacity as lead supervisory authority decided according to the “one-stop-shop-mechanism.
Hardware dealer’s processing of personal data on website users draws serious criticism
When the DPA initiated the matter, Danish hardware dealer Alstrøm – Din Isenkræmmer ApS (“Alstrøm”) changed its consent solution, and accordingly the DPA decided about two consent solutions.
The first consent solution which Alstrøm used informed website users that data was collected and processed during their access to the website www.alstrom.dk. Accordingly, website users were given the option of choosing “Read more about cookies” or “Close”.
Data was collected for several purposes, and it was not possible for the website user to reject granting consent.
The DPA found that by using the first consent solution, Alstrøm had not collected a valid consent for processing data about their website users. The reason for such was that website users could not select between the various processing purposes, and that website users did not have the option of rejecting a consent.
On those grounds the DPA expressed severe criticism of the fact that processing of personal data had not been made in accordance with Article 6 of the GDPR.
The other consent solution used on www.alstrom.dk provided more information to website users about the processing made by Alstrøm, just as website users were given the option of opting for or opting out of various purposes of the processing and could select either “Accept” or “ACCEPT ALL”.
Even in this case the DPA found grounds for criticising the consent solution: The DPA found that the visual layout of the consent solution pushed website users in the direction of the “ACCEPT ALL” button, and for that reason it was not as uncomplicated to refrain from consenting as it was to grant consent.
The DPA therefore also severely criticised the second consent solution because collection of data about website users actually already began when access was made to www.alstrom.dk, such data being collected for the purpose of statistics and marketing, despite the fact that website users had not consented to such.