On 4 June 2018, the Data Protection Officer (DPO) of a telecom company reported a data breach to the Belgian Data Protection Authority. However, the DPA ruled on 8 May 2020 not to impose a penalty on the company. The investigation showed that the data breach was correctly reported and that the company had taken appropriate organisational and technical measures. A data breach therefore does not necessarily give rise to a fine. A brief explanation.
That the controller was a telecom operator can be deduced from the notification having been made on the basis of Article 114/1 of the Act of 13 June 2005 on electronic communications. The DPA itself did not disclose which company was involved, but around the same period Orange disclosed a customer data breach. There are therefore suspicions that it is the same operator.
The telecom company had concluded a Master IT Service Agreement with a company incorporated under Indian law (hereinafter: the processor). The purpose of the agreement was to renew the telecom company's webshop.
However, the processor had used a copy of a production database containing the order history on Amazon Web Services (AWS) cloud infrastructure to test the new webshop. This was done in an insecure way, leaving the customer data of 32,153 customers of the telecom company accessible on the internet for two months. Forensic analysis of the log files showed that these customer data were consulted and/or downloaded by third parties.
The inspection report showed that the Inspection Service found that the telecom operator, as data controller, had not provided sufficient justification to demonstrate compliance with Articles 5, 24, 32, 33, and 34 GDPR.
However, the Litigation Chamber ruled that the telecom company had taken the necessary appropriate technical and organisational measures and was able to demonstrate this. To this end, the DPA referred to the contractual arrangements between the telecom operator and the processor, in particular the contractual ban on the use of personal data for testing:
In addition, the telecom company:
The DPA thus found that there was no infringement of Articles 5, 24, 32, 33, 34 and 35 GDPR.
The Inspection Service stated in the inspection report that the data processing agreement was not 'finalised' by the telecom company until 6 June 2018. The GDPR became applicable on 25 May 2018, which is why the inspection report states that the telecom operator infringed Article 28 GDPR.
Article 28.3 GDPR requires that the processing is governed by a contract or other legal act under Union law or Member State law binding the processor vis-à-vis the controller. The GDPR does not necessarily require a signed contract, but an instrument that is binding under Belgian law.
Although the telecom operator had signed the data processing agreement only on 6 June 2018, the processor had already signed it before the GDPR became applicable, i.e. on 21 May 2018. Consequently, the Litigation Chamber ruled that there was no breach of Article 28 GDPR, because the parties had reached agreement on the data processing agreement (even though it was not yet fully signed) and the processor had signed it in due time.
The following should be borne in mind: