Strict position of the Court on the level of detail of information provision to the data subject and application of security measures

The Supreme Administrative Court of Lithuania adopted a decision in the case of Secure Nordic Payments (former name MisterTango, UAB) regarding a personal data breach, by which it upheld the decision of the State Data Protection Inspectorate (hereinafter SDPI) to impose a fine of EUR 61,500.

The following key data processing issues were stated in the court judgement:

  • The company did not ensure proper provision of information to the clients about the processing of their personal data, i.e. the company did not disclose in detail to the clients all data it collects about the client, including data received from other sources, such as payer’s name, surname, bank account numbers (including payment cards), their currency, balances, reserved amounts; information on recent transactions (date, name of payer or recipient, purpose of payment, amount), dates of submission of unopened electronic invoices, names of senders and amounts, dates of submission of unread messages, topics and part of message text, purpose, nature, amounts of loans, names of pension funds, accrued units, their value, accrued amounts, dates of last log in, nature of deposits held (term, savings, etc.), currencies, amounts, interest, terms, types of credit (e.g. home), balances payable, amounts and dates of other payments, numbers and amounts of payment cards issued, etc. In the view of the court, the general naming of categories of personal data is not appropriate as it does not comply with the principles of transparency and fairness towards the data subject.
  • Temporary recording of personal data is considered to be the processing of personal data and such activities are subject, to the full extent, to the GDPR, so it does not matter how long such data is kept by the company and whether it is stored and permanently accessible;
  • Breaches of security of financial data, such as credit card data, can not only cause direct harm but can also lead to identity theft when used together;
  • In the event of a breach, the company did not document the personal data security breach and did not assess the consequences; therefore there is no reason to state that the breach should not have been reported to the SDPI;
  • The company has not implemented appropriate technical or organizational measures to ensure a level of security adequate to the risks.

This Court judgement is a sign for companies to review their processes and make the following assessments:

  • privacy policies, i.e. whether data subjects are informed in detail about the processing of their personal data by listing all personal data processed, accessible and recorded by companies;
  • whether the companies have a properly prepared “map” of personal data, which must include all processes of receiving, collecting and recording personal data;
  • whether both data processing and security breach management procedures are properly documented in companies;
  • whether companies carry out appropriateness tests on selected technical or organizational security measures.

All of these issues only prove once again that the area of personal data is a living process that requires constant periodic review and professional assessment.

If you have any questions, please contact the team of ECOVIS ProvetusLaw.

Prepared by Brigida Bacienė, Certified Data Protection Expert
