


Interim Conclusion after one Year GDPR: Data Security Complaints and Breaches


The most common complaint reasons of individuals


A clear increase in queries and complaints to the State Data Protection Inspectorate has been observed in recent months. This increase confirms growing awareness of the General Data Protection Regulation (GDPR) among individuals. In the first year of the GDPR, the number of data protection complaints doubled compared with previous years. Individuals mostly complain about video surveillance, the processing of their personal data on the Internet, the data subject's right of access, the processing and transfer of debtors' personal data, direct marketing and the processing of the individual's personal code.

First substantial fine for data security breach in Lithuania


Last year, the State Data Protection Inspectorate focused mainly on consultations and recommendations to companies rather than on fines. Even when investigating companies, the State Data Protection Inspectorate was not very strict and mainly instructed them to correct the breaches. A few days before the anniversary of the GDPR, however, the State Data Protection Inspectorate imposed the first substantial fine of 61,500 Euro on the internationally operating electronic payment company UAB MisterTango. The company violated the requirements of the GDPR in the following respects:

· it failed to ensure the data minimisation and storage limitation principles, as it collected excessive information to process customer payments and kept that data for as long as 216 days, although the retention period for this data was set at 10 minutes;
· due to the security breach, the personal data was made publicly available online for at least two days;
· it failed to notify the supervisory authority about this breach;
· a single employee was responsible for both personal data security and IT management at the company, which meant that the company could not implement proper protection of the data against unauthorised and accidental modification.


The authority's reaction in the UAB MisterTango case demonstrates how seriously it treats the investigation of data breaches, particularly those involving financial information. This case should encourage other companies to pay more attention to data protection rather than merely implementing measures on paper. It is important to note that the same or similar breaches of the GDPR have been identified in many of the Inspectorate's investigations: processing more personal data than needed, or processing data for much longer than necessary for the stated purpose, sometimes even for an unlimited period.


Human error as the most frequent data security breach


The State Data Protection Inspectorate has also announced that the most common cause of data security breaches was human error, which accounted for more than half of all violations. The most common type of breach was unauthorised access to, or disclosure of, personal data.


Investigation of the processing of biometric data


The State Data Protection Inspectorate has investigated three companies that own sports clubs with regard to the processing of biometric data, i.e. fingerprint models (so-called binary codes), used for client entry to the sports club and for workplace control of employees. The GDPR treats biometric data as a special category of data that is subject to stricter requirements. The State Data Protection Inspectorate indicates that companies intending to process biometric data have a legal obligation to perform a data protection impact assessment: to evaluate whether there is a legal ground to process such personal data, to assess the possible risks, and to determine which security measures are sufficient to reduce those risks.

After conducting the investigations, the State Data Protection Inspectorate ordered one of the companies to stop processing persons' fingerprints until the data protection impact assessment is performed and compliance with the GDPR is ensured, and the two other companies to cease processing employees' fingerprints. All three companies were ordered to ensure appropriate technical and organisational data security measures.

With regard to the processing of fingerprint models for identification purposes, the Inspectorate is of the opinion that such processing is possible with explicit consent, provided that alternative identification options are also available to clients. However, it must also be taken into account that such consent may not be a suitable condition for processing employees' biometric data for workplace control purposes, as the employee's consent is not voluntary due to the imbalance of power vis-à-vis the employer.


Contact


Jūratė Masiulytė-Katakinė

+370 5 2123590
