Here comes another piece of evidence that consistent application of #GDPR across the #EU is still only a ‘shimmering dream’.
The Belgian DPA issued a decision holding that the unintentional (human-error) sending of an e-mail containing personal data does not constitute a violation of Article 32 (security of processing), which in turn prevents the incident from being classified as a data breach.
This appears to contradict the #WP29 Guidelines on Personal data breach notification and the recent #EDPB Guidelines 01/2021 on Examples regarding Data Breach Notifications. Both documents, on the contrary, treat mistakenly sent e-mails as examples of data breaches, and neither names the sufficiency or insufficiency of security measures as a factor in whether an incident should be classified as a data breach.
Decisions like this clearly erode the idea and value of ‘consistency’ proclaimed by GDPR and promoted by EDPB.
Another non-obvious conclusion reached by the Belgian DPA is that unlawfully obtained data cannot be further processed lawfully.
2 Replies to “Data Breach or not Data Breach?”
I agree. What were they thinking!
This ruling I do not understand because clearly there is a lack of organisational measures, which are clearly prescribed as necessary in the GDPR.
I fully agree, Karen.
I also think that this case exposes a big drawback of the recent EDPB Guidelines 01/2021 on examples re data breach notifications – for unknown reasons they didn’t include any examples to illustrate borderlines between cases constituting ‘data breaches’ and cases not constituting them.