On May 16, 2019, the Lithuanian data protection authority (DPA) issued its first GDPR fine, penalizing MisterTango, an electronic payment service provider (the Company), over €61,500 for failing to implement data minimization, for disclosing personal data and for failing to report a breach. The decision may still be appealed to the Lithuanian administrative court within 30 days.
The Company suffered a data breach in July 2018, when its customers’ personal information became available online. According to the DPA, more than 9,000 screenshots of banking transactions appeared online. The Company failed to inform the DPA about the data breach within the 72-hour period established by the GDPR. The DPA also found that the Company processed more personal data for the purpose of executing payments than it itself claimed was necessary, retained personal data longer than the retention period it had determined, and had a single employee responsible for security and information management.
What we can learn from the first GDPR-related fine in Lithuania
On-site professional expertise and cooperation with the DPA: a press release shows that the DPA carried out a formal inspection and that the Company did not make enough effort to explain the situation and the specifics of its data processing activities to the DPA.
The DPA stated that the fine was issued on the basis of a possible breach of personal data security, i.e. it is not clear whether the leaked data reached third parties or whether the breach caused any actual harm to data subjects. In addition, the DPA's findings regarding the processing of more personal data than necessary and the failure to meet retention terms are based on information provided by the Company, without an assessment of the specifics of market practice. For example, the DPA indicated that the names of the senders and the amounts are excessive data in relation to processing for the purpose of executing payments. However, the DPA did not assess whether personal data such as senders' names and amounts may be processed to meet anti-money laundering requirements established by law.
Hence, the Lithuanian case demonstrates that a team of data protection professionals within the Company, able to explain its data processing activities in an understandable legal manner, together with full cooperation with the DPA, may provide legal certainty and reduce the amount of the fine.
Procedures and basic best practices are critical: a press release shows that the Company was apparently unable to demonstrate its compliance with data processing requirements, including the data breach notification requirements.
The DPA will no longer have sympathy for failure to put the right processes in place. Breach management and other security controls are now considered basic requirements. A properly managed data breach management procedure is a straightforward and effective way to ensure that any data breach is appropriately handled and monitored.
Hence, had the Company had proper procedures in place, documenting the facts relating to the personal data breach, its effects, the remedial action taken and the likelihood of risk to the rights and freedoms of data subjects, the fine would not have been imposed.
Law firm PwC Legal
Legal Services, PwC Lithuania
Tel: +370 523 92300