Personal data breaches

Directive 2002/58/EC concerns the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive). The directive introduces an obligation for data processors in the electronic communications sector to notify personal data breaches. Some European countries already have a much broader data breach notification obligation, or one covering more categories of data processors. At the EU level, such an obligation could be mandated directly through the new Data Protection Regulation.

This section looks at how this obligation was implemented in national law, what sanctions the Data Protection Authorities may apply, and how the media cover such breaches.

For each country, the overview below records: whether the breach notification obligation is imposed on all data processors or only on some categories; whether data breach notification is included in the national ePrivacy law; the competent authority that receives data breach notifications; the sanctions for data breaches; and major data breaches published by the DPA or the media.

Austria

Imposed for all data processors? Any provider of public services.
Included in the national ePrivacy law: Yes (Telekommunikationsgesetz - TKG).
Competent authority: RTR – Rundfunk und Telekom Regulierungs GmbH.
Sanctions for data breaches: None.
Major data breaches: 1.8 GB database with school data.

Bulgaria

Imposed for all data processors? Providers of electronic communications networks or services only.
Included in the national ePrivacy law: Yes. Electronic Communications Act (Article 243b) and Commission Regulation (EU) 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.
Competent authority: Communications Regulation Commission (Electronic Communications Act); Commission for Personal Data Protection (Commission Regulation (EU) 611/2013).
Notification of affected individuals: Where the provider having a direct contractual relationship with the end user, despite having made reasonable efforts, is unable to identify within a reasonable timeframe all individuals who are likely to be adversely affected by the personal data breach, the provider may notify those individuals through advertisements in major national or regional media, in the relevant Member States, within that timeframe (Article 3, para 7 of Commission Regulation (EU) 611/2013).
Sanctions for data breaches: Publication only if the DPA wants it; fines only for failing to implement security standards. Fines of 1000 – 10 000 Euro (Article 327, para 3 of the Electronic Communications Act).

Czech Republic

Imposed for all data processors? No.
Included in the national ePrivacy law: Yes. Laws No. 101/2000 and 127/2005.
Competent authority: The Office for Personal Data Protection (OPDP).
Notification of affected individuals: Immediate direct notice to aggrieved parties. The OPDP can steer and set conditions for publishing such notice. Voluntary publication in national media where the data operator cannot determine who is endangered by the data breach. No provision regarding publication of reported breaches in the media. Government CERT can issue a
Sanctions for data breaches: Fines of 100 000 – 10 000 000 CZK. Fines only for failing to implement security standards or conditions defined by the law: fine of 100 000 CZK.
Major data breaches: Over 1.2 million customer records at T-Mobile Czech Republic were stolen by one of its employees in 2016; the Czech DPA imposed a fine of 3.6 million CZK (130 000 EUR). Security bug in the Internet banking of the pension savings section, giving access to the personal data of all clients.

France

Imposed for all data processors? Only public ISPs as defined in Article L 33-1 of the Code on Postal and Electronic Communication.
Included in the national ePrivacy law: Yes. Article 34bis of Law 78-17 of 6 January 1978.
Competent authority: CNIL (French Data Protection Authority).
Notification of affected individuals: CNIL investigates data breach notifications and decides on the gravity of the violation, whether the concerned persons were adequately informed, and whether appropriate technical measures were in place prior to the violation. CNIL may order the party responsible for the violation to inform the concerned persons if this has not been done properly.
Sanctions for data breaches: Penal sanctions, Articles 226-16 to 226-34 of the Penal Code.

Germany

Imposed for all data processors? Yes.
Included in the national ePrivacy law: § 42a BDSG; § 15a TMG; § 93 II TKG; § 109a TKG.
Competent authority: Federal Commissioner for Data Protection; the 16 Commissioners for Data Protection of the federal states; Federal Network Agency (for telecommunication services, together with the federal DPC).
Sanctions for data breaches: Notification to the DPA and to customers; if the notification is missing, fines of up to 300.000 € can be imposed.
Major data breaches:
- 18 million e-mail accounts hacked in April 2014.
- 145 million eBay customers affected by a hack.
- The IT systems of the German Bundestag were targeted by hackers. However, there is no information about whether any computers containing sensitive information were penetrated.
- A tester was able to access health data held by Barmer GEK (Germany's second biggest health insurer) on a third person by faking his identity, using the person's name, date of birth and insurance identification number in a phone call with the Barmer GEK hotline. As a consequence, data protection authorities stated that they want to review the authentication procedure for phone calls with insurance companies.
- Aerticket AG, a Berlin-based company selling approximately 3.5 million flight tickets per year, stated that there had been a data breach: information regarding tickets, names and addresses of customers, as well as payment information, was accessible on the internet without much effort. According to Aerticket, about 1.5 million bookings per year had been affected by the security breach. However, it seems that the security breach has not been exploited by criminals so far.

Italy

Imposed for all data processors? Notifications to the Data Protection Authority are imposed for all data breaches involving electronic communication services (and not, for example, content providers). The Data Protection Authority issued Guidelines for the implementation of the ePrivacy directive and a model for data breach notifications.
Included in the national ePrivacy law: On April 26th 2013 the Authority established that all telecommunication companies and internet providers are obliged to inform their users, without any delay, in case of a breach of their personal data. The ePrivacy directive was transposed in Italy by Law 69 of May 28 2012. The transposition made some changes to the Italian Data Protection Code to adapt it to the internet environment. One of the most important changes is the introduction of the definition of "personal data breach" as a "security breach leading, accidentally or not, to the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in the context of the provision of a publicly available communications service" (art. 3-g bis). The regulation adopted on April 4 2013 contains duties for electronic communication services to provide adequate technical and organisational measures to guarantee data security. In June 2013 Italy adopted the indications contained in Commission Regulation (EU) 611/2013.
Competent authority: Autorità Garante per la protezione dei dati personali (National Data Protection Authority). For the enforcement of the Code, the Authority cooperates with a special Unit of the Police and of the Guardia di Finanza.
Sanctions for data breaches: Failure or delay to notify a personal data breach to the Italian DPA is sanctioned with a fine ranging between Euro 25,000 and Euro 150,000. Failure or delay to notify a personal data breach to the contractor or other individuals is sanctioned with a fine ranging between Euro 150 and Euro 1,000 for each contractor or individual. Providers' failure to keep an inventory of personal data breaches can be sanctioned with a fine ranging between Euro 20,000 and Euro 120,000. Provision of untrue information, or submission of untrue records or documents, in connection with the notification to the Italian DPA in the case of data breaches, is punished with imprisonment from six months to three years.
Major data breaches: During 2013, the Authority received around 20 data breach communications from the main electronic communication providers. One of these breaches involved around 250.000 users of a social network in a hacker attack.

Malta

Imposed for all data processors? No.
Included in the national ePrivacy law: Yes. S.L. 440.01 Processing of Personal Data (Electronic Communications Sector) Regulations.
Competent authority: Information and Data Protection Commissioner.
Sanctions for data breaches: Failure to comply with any regulations in the S.L. carries a maximum penalty of EUR 23,293.73 for each violation.
Major data breaches: Yes.

Netherlands

Imposed for all data processors? Yes. Effective 1 January 2017, Dutch data protection law requires organizations to notify the Dutch Data Protection Authority within 72 hours of "a breach of security [...] which results in a significant chance of severe detrimental effects or has severe detrimental effects for the protection of the private life". The data subject must also be informed if "the breach probably will result in adverse effects on their private life". These obligations only apply if the Dutch Data Protection Act applies, for instance in situations where a Dutch entity is the data controller.
Included in the national ePrivacy law: Yes. Article 34a, introduced by the Data Breach Act, sets out the notification obligation in the Wet Bescherming Persoonsgegevens. The Dutch Data Protection Authority has also published the consultation version of guidelines on breach notification; the document is non-binding in nature.
Competent authority: The Dutch Data Protection Authority.
Sanctions for data breaches: For relatively minor infringements, fines go up to 20.250 euro. For deliberate and repeated violations, fines go up to 810.000 euro. In certain circumstances fines on legal entities of up to 10% of annual turnover for several privacy violations, including in relation to data breaches; for telecommunication companies, the maximum fine for violating the data breach notification requirement is 450.000 euro.
Major data breaches:
- Dutch SIM-maker Gemalto: NSA "probably" hacked our network.
- ASML recently discovered an IT systems security incident; no evidence that anything of value has been compromised.
- Regional newspaper sites hit by DDoS attacks.
- Cheaptickets.nl encountered a data breach in 2011 in which personal data of over 715,000 clients were leaked.
- 200,000 email addresses stolen from Philips' database.
- Disclosure of 537 customers' data from access to Baby-Dump.nl.
- List of data breaches before 2010.

Romania

Imposed for all data processors? Only for some data processors.
Included in the national ePrivacy law: Yes. Law no. 506/2004 on ePrivacy.
Competent authority: Romanian Data Protection Authority ANSPDCP.
Major data breaches: 10 k data lost on 31.03.2014.

Spain

Imposed for all data processors? No (research in progress).
Competent authority: Spanish data protection agency AGPD.
Sanctions for data breaches: Fines 60.000 € – 600.000 €. None specific to data breaches.

Switzerland

Not applicable (all fields).

 

Last updated 24 October 2016.

Suggestions? Corrections? Additions? Please send us an email at observatory (at) mappingtheinternet (dot) eu. Or suggest via this webform.

Posted on Friday 19 September 2014
