Data processors obligations
Contrary to the previous regime, the GDPR imposes explicit obligations on processors. In particular, the processor (P) must take all measures required to ensure secure processing under art. 32 (art. 28(3)(c) GDPR).
Recently, the Italian Data Protection Authority took action against a non-compliant P.
Roma Servizi per la Mobilità (P) carried out processing that infringed the data protection regime from 2016 to April 2019 (the Italian data protection law pre-GDPR and the GDPR itself).
Personal data (PD) relating to the vehicle's owner and to the holders of the licence to enter the 'limited traffic zone' (ZTL, zona a traffico limitato) of Rome were accessible to an indeterminate number of third parties, who could read the QR code printed on the licence with a generic mobile app and unlock its content, thus gaining access to the users' PD.
It was also possible to view the ZTL-related PD of licence holders by logging into the licence-verification webpage and modifying the value of a parameter (the PID parameter).
The Authority concluded that P had failed to implement technical and organisational measures (TOM) appropriate to the risk, so as to prevent breaches of the confidentiality of the PD (unauthorised, accidental or unlawful access), thus violating art. 32 GDPR.
Fine: €60.000
Date: 11/20/21
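As an added illustration in Python (not code from the post or from the decision), the parameter-tampering weakness described above: a verification lookup that trusts a client-supplied PID, beside one that binds the lookup to the authenticated account, accepts only an opaque reference of the kind a QR code could carry instead of the data itself, and returns a verifier only what verification needs. All names, records and the helper functions are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Licence:
    pid: int            # sequential id, as a naive verification page might use
    owner_account: str  # account that applied for the licence
    plate: str
    holder_name: str
    address: str


# Constructed sample records.
LICENCES = {
    101: Licence(101, "alice", "AB123CD", "Alice Rossi", "Via Roma 1"),
    102: Licence(102, "bob", "EF456GH", "Bob Bianchi", "Via Milano 2"),
}


def verify_licence_vulnerable(session_user: str, pid: int) -> dict:
    """Weak form: any logged-in user who edits `pid` in the request reads another holder's PD."""
    lic = LICENCES[pid]
    return {"plate": lic.plate, "holder": lic.holder_name, "address": lic.address}


# Hardened form: the client never supplies a PID; it supplies an unguessable token.
TOKEN_TO_PID: dict[str, int] = {}


def issue_reference(pid: int) -> str:
    """Random reference to print in the QR code instead of the personal data itself."""
    token = secrets.token_urlsafe(16)
    TOKEN_TO_PID[token] = pid
    return token


def verify_licence_hardened(session_user: str, token: str, is_verifier: bool = False) -> dict:
    pid = TOKEN_TO_PID.get(token)
    if pid is None:
        raise PermissionError("unknown licence reference")
    lic = LICENCES[pid]
    # Object-level authorisation: only the owner, or an enforcement verifier, may look it up.
    if not is_verifier and lic.owner_account != session_user:
        raise PermissionError("not authorised for this licence")
    # Data minimisation: a verifier needs the plate and validity, not the holder's details.
    if is_verifier:
        return {"plate": lic.plate, "valid": True}
    return {"plate": lic.plate, "holder": lic.holder_name, "address": lic.address}


def access_denied(session_user: str, token: str) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        verify_licence_hardened(session_user, token)
        return False
    except PermissionError:
        return True
```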
Similarly, the CNIL (Commission Nationale de l'Informatique et des Libertés) imposed a €75.000 fine on a P for insufficient security measures (27/01/21). Interestingly, it held that P must also identify the most appropriate TOM to ensure the security of personal data and propose them to the data controller.