Belgian Data Protection Authority: no fine for a correctly notified data breach

On 4 June 2018, the Data Protection Officer (DPO) of a telecom company reported a data breach to the Belgian Data Protection Authority. However, the DPA ruled on 8 May 2020 not to impose a penalty on the company. The investigation showed that the data breach was correctly reported and that the company had taken appropriate organisational and technical measures. A data breach therefore does not necessarily give rise to a fine. A brief explanation. 

1. Notification on the basis of the Electronic Communication Act

The fact that it was a telecom operator can be deduced from the fact that the notification was made on the basis of Article 114/1 of the Act of 13 June 2005 on electronic communications. The DPA itself did not disclose which company was involved, but around the same period Orange disclosed a customer data breach. There are therefore suspicions that it is the same operator.

2. What happened?

The telecom company had concluded a Master IT Service Agreement with a company incorporated under Indian law (hereinafter: the processor). The intention was to renew the telecom company's webshop. 

However, the processor had used a copy of a production database with the history of orders on an Amazon Web Server (AWS) Cloud to test the new web shop. This was done in an insecure way, making the customer data of 32,153 customers of the telecom company accessible on the internet for two months. Forensic analysis of the log files showed that these customer data were consulted and/or downloaded by third parties. 

3. No penalty

3.1. No infringement of Articles 5, 24, 32, 33, 34 and 35 GDPR

The inspection report showed that the Inspection Service found that the telecom operator, as data controller, had not provided sufficient justification to demonstrate compliance with Articles 5, 24, 32, 33, and 34 GDPR. 

However, the Litigation Chamber ruled that the telecom company had taken the necessary appropriate technical and organisational measures and was able to demonstrate this. To this end, the DPA referred to the contractual arrangements between the telecom operator and the processor, in particular the contractual ban on the use of personal data for testing:

• An annex called 'Data Privacy Requirements' to the Master IT Service Agreement concluded between the parties in 2014 contained a clause stating that 'confidential data may not be copied from a production environment to a non-production environment unless the confidential data is masked' (translated). 
• Article 7 of the subsequent Processing Contract between the Parties contained a clause stating that 'the Provider shall be obliged, when processing Personal Data ... to make anonymous personal data in non-production environments using industry-standard technology that still permits development, testing and acceptance by Providers or [the telecom operator]' (translated).

In addition, the telecom company:

• developed and documented the necessary internal risk assessment methodologies both for data breaches (the Data Breach Severity Assessment Method) and for the assessment of risks inherent to all processing activities (Security Risk Management Policy), 
• the procedures and measures were evaluated by means of annual external audits,
• acted in a transparent manner with regard to the DPA and stakeholders,
• the data leak was correctly reported to the DPA after the notification of the leak by the CERT.
• formally notified the processor of its errors (notice of default).

The DPA thus found that there was no infringement of Articles 5, 24, 32, 33, 34 and 35 GDPR.

3.2. No infringement of Article 28 GDPR

The Inspection Service stated in the inspection report that the data processing agreement was not 'finalised' by the telecom company until 6 June 2018. The GDPR became applicable on 25 May 2018, which is why the inspection report states that the telecom operator infringed Article 28 GDPR.

Article 28.3 GDPR requires that the processing is governed by a contract or other legal act under Union law or Member State law binding the processor vis-à-vis the controller. The GDPR does not necessarily require a signed contract, but an instrument that is binding under Belgian law. 

Although the telecom operator had signed the data processing agreement only on 6 June 2018, the processor had already signed it before the GDPR became applicable, i.e. on 21 May 2018. Consequently, the Litigation Chamber ruled that there was no breach of Article 28 GDPR because there was an agreement (although not fully signed yet) between the parties about the data processing agreement and that it was signed by the processor in due time.

4. What to remember?

The following should be borne in mind:

• Always use dummy data for testing. Testing should always be done with dummy data. It is important to contractually prohibit the processor from using personal data from a production database for testing.
• Reporting a data breach does not necessarily imply a fine. Companies that have taken appropriate organisational and/or technical measures may also fall victim to a data breach. However, reporting this data breach does not necessarily imply a fine by the DPA. Moreover, it is not inconceivable that a fine for not reporting a data breach that should be reported will be higher than reporting a data breach, even if you are not fully compliant with the GDPR.  
• Formally notify your processor of errors (notice of default). Although, strictly speaking, the supervisory authority could impose a fine on the controller (the telecom company) for a processor error, the DPA has not done so in this case. The DPA refers to the formal notice of default of the processor by the telecom company.
• Always have the data processing agreement signed. Although it could be deduced from the DPA's decision that an agreement that is not fully signed yet is sufficient to constitute a binding agreement, it would seem safer to have the data processing agreement signed by the processor.