In an unprecedented Decision, the DSI (Data State Inspectorate) examines the data protection impact assessment that the Service Provider carried out for its processing of personal data, concludes that the risk prevention measures adopted were not sufficient, and assesses the severity of the breach. The fine imposed by the DSI is currently the largest fine imposed so far for infringements of the General Data Protection Regulation (hereinafter - the Data Regulation), not only in Latvia but in the Baltics as a whole. Moreover, the amount of the fine is several times higher than the largest previously publicly known fine imposed by the DSI for breaches of the Data Regulation.
In the Decision, the Director of the DSI, Jekaterina Macuka (hereinafter - the DSI Director), states that a number of infringements by the Service Provider have been established:
- When a customer subscribes to an electronic communications service, the service is provided and connected without the customer having confirmed the contract. The Service Provider therefore processes the data of persons whose identity has not been verified, in breach of Article 5(1)(a) and (d) of the Data Regulation;
- The Service Provider invoices the person who has not accepted the contract for the services provided, recording and storing that person's personal data in the process;
- The personal data of a customer who had neither confirmed the contract nor paid the invoices issued were transferred by the Service Provider to an out-of-court debt collection company;
- By uploading the aforementioned contracts to the user's account in the customer self-service system, the Service Provider disclosed the personal data of the holder of the personal identification code (name, surname, date of birth and home address) to the third parties who had used that personal data to apply for the service;
- The Service Provider compares the personal data of new clients against the data of existing and former clients held in its database.
Determination of the amount of the fine:
The Decision analyses the criteria that influence the level of the fine. One of the criteria for determining the amount of the fine is whether the infringement was committed intentionally or negligently. The Decision explains that the infringement was committed intentionally because, although the Service Provider had identified the risks, it had not assessed them properly and had not put appropriate risk control measures in place. The Director of the DSI points out that an intentional or deliberate infringement is one that involves both knowledge and awareness of the nature of the infringement, whereas an unintentional or negligent infringement means that there was no intent to cause the infringement, even though the controller has breached its legal duty of care.
In light of the above, in the opinion of the Director of the DSI, the Service Provider's actions are characteristic of an intentional infringement. This is indicated in particular by the data protection impact assessment that the Service Provider itself carried out: it found that the risk of a person applying for the service by submitting another person's personal data was credible, and it listed as mitigating measures, for example, the implementation of The Office of Citizenship and Migration Affairs tool and e-mail verification, neither of which can be considered an effective measure against that risk. Relying on consumers generally acting in good faith and not misusing the personal data of others does not relieve the Service Provider of the obligation to take all possible risk-mitigating steps to ensure that such unlawful actions are not possible at the time the service is requested. The Director of the DSI therefore concludes that the Service Provider was aware that the risk existed and had initially assessed it as credible, but that the mitigating measures were not chosen in proportion to that risk, since even after those measures had been implemented it was still possible to apply for the service using another person's personal data.
Another criterion for determining the amount of the fine is the duration of the infringement. The longer the infringement lasted, the more weight the DSI may attach to this circumstance. In the view of the Director of the DSI, it is important to take into account the period during which it was possible to apply for the service without online banking authentication. In the present case, for almost a year it was possible to apply for the service without online banking authentication or any other verification of the person's identity, and without checking that the name given matched the personal identification number provided.
According to the DSI, one of the most important aspects to be taken into account when assessing the gravity of the infringement is whether the processing of personal data is related to the core business of the controller (the entity that determines the purposes and means of the processing of personal data). If the processing of personal data is related to the controller's core business, the controller is expected to pay correspondingly greater attention to it and cannot plead insufficient knowledge of the legal framework or repeated mistakes by employees. In the present case, the processing of personal data is only part of the Service Provider's core business, carried out in order to provide services to its customers. The DSI took this into account in setting a lower fine.
In accordance with the 4% threshold set out in Article 83(5)(a) of the Data Regulation, and given that the Service Provider's annual turnover exceeds EUR 200 million, the maximum applicable fine is EUR 8 024 733,84. Taking into account the medium gravity of the infringement found, the DSI set the initial range of the fine at 10-20% of the applicable maximum, i.e. between EUR 802 473,38 and EUR 1 604 946,77. Given that the Service Provider is seen to have acted to prevent inappropriate processing of personal data, the starting point for the fine was set at 15% of the upper end of that range (EUR 1 604 946,77), i.e. EUR 240 742,02. At the same time, taking into account the assessment of the fine-setting criteria analysed in the DSI Decision, a coefficient of 5 was applied to that starting point, resulting in a fine of EUR 1 203 710,10.
The Decision concludes that the level of the fine chosen is dissuasive, i.e. that it has a genuine deterrent effect. A fine is dissuasive if it prevents a person from infringing the objectives and rules laid down by European Union law. In the light of the circumstances of the case and the conduct of the Service Provider, a fine of EUR 1 203 710,10 is considered sufficient to deter the Service Provider from further infringements in its data processing.
The Service Provider explains that the company has implemented and complies with strict requirements for the protection of personal data, which it continues to improve in line with innovations, best practices, recommendations of experts and supervisory authorities, as well as business development requirements.
The Service Provider has challenged the Data State Inspectorate's decision on the large fine in court. Available: https://jauns.lv/raksts/bizness/523025-tet-court-apstrid-data-state-inspection-decision-on-giant-punishment