Okay, there were only 7 employees, and this personal data breach, which was investigated by the Finnish DPA, concerned a single employee who was on sick leave.
What is super interesting about this case is that the employer (a family business) put the fact that the employee was on sick leave on the company website. It seems that because the employee's automated email reply said that he/she was on sick leave, the employer took this to mean that the data was now public.
The decision then digs into the employment act and the secrecy of employee data, and concludes that sanctions would be placed on this business, i.e. it was a personal data breach with an impact on ‘rights and freedoms’.
Clearly I’ve cut out a load of details here… but what is important is that even small family businesses are not immune to GDPR sanctions.
So the question is when do you press the red BREACH button?
- Is it when you first become aware that a personal data breach could have occurred?
- Is it when you are sure that a personal data breach has occurred, which triggers an investigation?
- Or is it on conclusion of this investigation?
Booking.com decided on option 3.
Booking.com has been fined €475k because of this. They did report the breach, but what is significant about this fine is the timeline: a minor incident reported by a customer of a hotel was dismissed on 9 Jan, then a second, identical report from another customer of the same hotel triggered an investigation on 13 Jan. However, the breach was not reported until 7 Feb, 3 days after the internal security investigation was concluded. The fine was imposed because, according to the Dutch DPA, Booking.com should have counted 13 Jan as the date it became aware of the breach and reported from then (GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware), not once its own investigation had finished.
In fact it is common practice not to report a breach until one is sure there has been a breach, and sometimes not until the circumstances of the breach are known. This case shows that this is not an advisable route.