


The Data Protection Authority sanctioned the Association Rousseau


Register of Measures no. 83 of 4 April 2019 (web doc. no. 9101974)

Are the minimum security measures dead? Without going into the merits of the inevitable, but useless, political and party polemics, attention must be drawn to the most significant aspect of the Italian Data Protection Authority's decision on the Rousseau platform: a few weeks before Easter, the Authority confirmed that the formally repealed minimum security measures are still alive.

The main types of security measures that, according to the Data Protection Authority's assessment, the Rousseau Association should have implemented are:

Data Center Security Measures

  • Perimeter security and vulnerability assessment
  • Robustness of the password storage systems
  • Obsolescence of systems, which made it impossible to apply security patches


Risk management

Minimization of risks for users: partially removing identifying details does not completely eliminate the risk that a user may still be identified from the remaining details.

Privileged User Management Measures

  • Tracking of activity in system logs
  • Users with shared administration privileges, making it impossible to trace precisely who did what
  • Lack of audit capability over privileged users
  • Failure to separate administration activities by defined areas

The Data Protection Authority sanctioned the Rousseau Association, holding it responsible for failing to implement measures adequate for the security and protection of users (ex Articles 32 and 83 GDPR).

Today the minimum security measures, elevated to the minimum standard of adequacy required by the GDPR and not only by it (think of the NIS rules), were at the basis of the sanction imposed on the 5 Star Movement (or, more precisely, on the Rousseau Association): the Rousseau platform did not present security measures adequate to the processing, starting from the very failure to respect the prohibition on sharing authentication credentials among persons authorized to carry out the processing. This is exactly the former minimum measure whose "failure to adopt [...] represents a violation of the obligation to provide adequate technical and organizational measures".

The difference from before?

Today, the minimum measures are no longer sufficient to avoid the risk of sanctions. They are the basis of a protection of personal data that must be completed through additional measures that vary with our own situation, the processing operations carried out and the context in which a company operates. We can still remember and list the minimum measures, while the other measures require us to examine our situation not only from a legal point of view, but also from a technical one.


The provisions of the guidelines should not be interpreted to preclude or limit the provisions of the European Convention on Human Rights and Convention 108.

Contact

Nadia Martini

Lawyer (Avvocato)

Partner


Rödl & Partner Italy
