Ensure at all times that your data processor implements appropriate technical and organizational measures; otherwise, you might be fined!

On 18 July 2017, the French Data Protection Authority (CNIL) imposed a fine of €40,000 on a rental car company for negligence. The latter did not sufficiently monitor the activities of its data processor.

What happened? Personal data of tens of thousands of members of its loyalty program (e.g. email addresses and driving license numbers), gathered via a dedicated website, were involuntarily made available on the Internet for a few months. How? While its data processor was replacing a server used for payment processing, one line of code was accidentally and unknowingly deleted.

Once notified of the data leak by the CNIL (which had been informed beforehand by an Internet activist), the rental company reacted promptly and took immediate steps to secure the affected website. Fortunately, according to the log files, there has not been any large-scale data extraction from the server concerned.

Although the agreement between the rental car company and its data processor contained a data protection clause and despite the fact that the leak was caused by the latter, the rental car company was found negligent. Why? First, the rental car company did not provide its data processor with any specification for the website development. Second, such replacement was a delicate process and the rental company should have conducted vulnerability tests before going live.

As a result, the CNIL found that the data controller did not take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties, in violation of Article 34 of the French data protection act. The CNIL, however, took into account the company's prompt reaction, its improved security measures and its cooperation when deciding the amount of the fine.

In Belgium, there is a similar obligation set out in Article 16 of the Belgian data protection act of 8 December 1992, but the Privacy Commission is not empowered to impose fines... yet! As from May 2018 and the entry into force of the EU General Data Protection Regulation (GDPR), the supervisory authority will have various corrective powers, including the right to impose an administrative fine up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

One of the controller’s obligations under the GDPR is, pursuant to Article 24, to “(…) implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation [notably the security of processing, as set out in Article 32]. Those measures shall be reviewed and updated where necessary”. Also, pursuant to Article 28, the controller will use “(…) only processors providing sufficient guarantees to implement appropriate technical and organizational measures”, while the data processor must “(…) allow for and contribute to audits” (own underlining).

The CNIL’s decision and the GDPR can be found on:

https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000035276047&fastReqId=623604798&fastPos=1

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=FR