2019年8月28日,保加利亞個人數據保護委員會根據保加利亞《個人數據保護法》第87段第3條規定,個人數據保護委員會主席Ventsislav Karadjov先生在對DSK Bank EAD的數據處理進行調查後,對違反保加利亞第2016/679號條例即GDPR第32條第1款(b)項的行爲發出了刑事命令,因其23,270份信貸記錄中,共有33,492名銀行客戶未經授權訪問個人數據,其中包含個人數據和無限數量的客戶相關第三方(包括其配偶、供應商、後代和擔保人)。最終確定罰款金額爲100萬BGN(列佛)約51.1 萬歐元395.36萬人民幣。
案件事實概述
在保加利亞個人數據保護委員會(CPDP)對銀行處理數據進行的爲期一個月的檢查中已經確定,DSK Bank EAD在日常活動和處理過程中,作爲數據控制者,未能設法實施適當的技術和組織措施,也沒有提供必要的技術來保證永久的機密性,安全性,用於處理個人數據的系統和服務器的完整性,可用性和可持續性。導致本行客戶及相關第三方客戶的公民身份,個人身份證號碼,永久或當前地址,身份證複印件(包含生物特徵數據);稅務文件中包含的所有個人數據,證明借款人和第三方的收入和健康保險,以及健康狀況信息,遭到泄露。
綜上可知:保加利亞個人數據保護委員會(CPDP)對DSK Bank EAD的違規事件的處罰依據是GDPR第第32條 處理安全 第1款 (b)項,處罰金額爲100萬BGN(列佛)約51.1 萬歐元。
對其進行違規分析可知:DSK銀行數據泄露事件主要是因其缺乏保障信息安全的技術和組織措施。GDPR第32條 處理安全 第1款 明文規定:
考量現有技術實施成本和處理的性質、範圍、背景、目的以及給自然人的權利和自由帶來不同可能性和嚴重程度的風險,數據控制者和數據處理者應當採取適當技術性和組織性措施以保證應對風險的適當安全水平,酌情考慮但不限於以下因素:
(a)個人數據的匿名化和加密;
(b)保證處理系統和服務持續、保密、完整、可用和自我修復的能力;
(c)在發生物理性和技術性故障的情況下及時恢復個人數據的可用性和訪問能力;
(d)定期測試、評價和評估處理過程技術性和組織性措施的有效性。
合規啓示
衆所周知GDPR是目前來說最嚴個人數據保護法。此次DSK 銀行數據泄露事件讓我們更加清醒的認識到,GDPR在歐盟衆成員國數據保護機關中的重要地位——根據保加利亞個人數據保護法,處罰決定只能由保級利亞數據保護委員會主席下達,但處罰依據仍是GDPR。
此次DSK 銀行被罰,對於中國出海企業來說,鑑於GDPR的長臂法案效應,企業應該重視數據安全並做定期的數據安全檢查,在系統安全和組織方面採取更多、更有效的保護措施。當然這需要企業參加相關的技術和組織培訓。本文由SCA結合相關法律文件整理,轉載請註明出處。
附:保加利亞官網對DSK銀行的處罰原文:
The Chairman of the Commission for Personal Data Protection has issued a Penal Order to DSK Bank EAD
Today, 28.08.2019, pursuant Art. 87, para. 3 of the Personal Data Protection Act, Mr Ventsislav Karadjov - Chairman of the Commission for Personal Data Protection, after an investigation regarding processing of data of DSK Bank EAD, issued a Penal Order for violation of Art. 32, § 1 (b) of Regulation (EU) 2016/679, with a view to the unauthorised access to the personal data by third parties of a total of 33 492 (thirty-three thousand four hundred ninety-two) customers of the bank in 23 270 (twenty-three thousand two hundred and seventy) credit records, containing personal data and an unlimited number of related third parties to the customers (including their spouses, vendors, descendants and guarantors). The amount of the penalty imposed is BGN 1,000,000.
During the one-month inspection undertaken by the Commission for Personal Data Protection (CPDP) over the processing of data by the bank it was established that, in the course of its everyday activity and processing, DSK Bank EAD, as a data controller, has not managed to implement the appropriate technical and organizational measures and has not provided the necessary ability to guarantee a permanent confidentiality, security, integrity, availability and sustainability of the systems and servers for processing personal data of individuals. The following personal data of customers of the Bank and related third parties has been compromised: three names, citizenship, personal identification number, permanent or current address, available copies of identity cards, containing biometric data; all personal data contained in tax documents, certifying the income and health insurance of the borrowers and third parties, as well as health status information (including some credit files containing declarations by the Work Capability Assessment Commission /WCAC/ for reduced working capacity), payment numbers bills, as well as registration numbers and dates of notarized acts with signatures.