[Introduction: On 16 May 2019, Lithuania's data protection regulator, the State Data Protection Inspectorate, fined the internet payments company MisterTango €61,500 for violating the General Data Protection Regulation (GDPR), the first GDPR fine issued in Lithuania. Beyond serving as a warning to other companies, the penalty demonstrates Lithuania's strict regulatory stance on data breaches, particularly those involving sensitive information in the financial sector.
This article is taken from the Global Data Review website; the original text follows:
Lithuania's data protection authority has fined a payments processing company for breaching three provisions of the GDPR.
The State Data Protection Inspectorate has levied a €61,500 fine against fintech company MisterTango for inappropriate data processing, disclosing personal data and failing to report a breach, it said today. The authority said that the fine should be seen as a “significant signal to other companies”.
MisterTango suffered a data breach in July 2018, when its customers’ personal information became available online. More than 9,000 screenshots of banking transactions also appeared online, according to the authority.
Observers said it is not yet clear whether the disclosure happened as a result of a technical error or a hack, though the company claims it was the former.
The company also failed to inform the regulator about the data breach within the 72-hour period dictated by the GDPR, an Inspectorate press release said.
The regulator found that the company accesses and collects more personal data than is necessary to execute payments since it collects detailed financial information alongside each payment. The authority argued that MisterTango should only be collecting data which is necessary to process the transaction, such as account numbers and payment details.
A single employee was responsible for security and information management at the company, which meant that the company could not implement proper data protection policies, the regulator said.
The enforcer also said that the case should prompt other companies to “pay more attention to the management of data security breaches and cooperation with the supervisory authority during investigations”.
Andrius Iškauskas, a partner at WINT in Vilnius, told GDR that MisterTango’s failure to inform the regulator was the company’s “biggest mistake”.
The regulator may have also increased the fine because screenshots posted online during the data breach contained confidential banking information as well as personal data, Iškauskas said. He also noted that the press release did not state that the breach caused any actual harm, and as such the fine could be seen as “too stern”.
Vytautas Mizaras, a partner at Ellex Valiunas in Vilnius, said that the fine is “higher than expected”, given that it is not clear whether the leaked data reached third parties and that MisterTango could have easily corrected some of its issues.
The authority’s decision to issue such a penalty, Mizaras said, demonstrates that it takes a “strict view” on data breaches, particularly those involving financial information.
Rimtis Puišys, a partner at Eversheds Saladžius in Vilnius, said that the incident represents “quite a major breach”, and that the authority’s reaction demonstrates its seriousness. The regulator has previously focused on consultation rather than fines, he said. The leak of sensitive financial data also likely increased the fine, he said.
Though MisterTango is entitled to appeal to the Lithuanian administrative court, given the apparently clear findings of the regulator’s investigation, the company may struggle to succeed if it chooses to do so, Puišys said.
Mindaugas Civilka, a partner at TGS Baltic in Vilnius, said that MisterTango may be successful "in at least partially challenging the decision", if it can demonstrate that it has "immediately addressed the incident and eradicated all potential consequences".
A MisterTango spokesperson told GDR that it plans to appeal the decision and that it disagrees with the Inspectorate’s findings.
“An audit by the Lithuanian bank concluded that there was no danger to extended financial data of our customers and because there was no breach, according to the GDPR, we did not have to inform our customers,” the spokesperson said. “We think that the fine is inadequate for the extent of the breach and the diligence of the investigation.”
Only 58 of the customers’ emails became publicly accessible, and they were never actually accessed, “to the best of [the company’s] knowledge”, he said.
MisterTango also suffered a €30,400 fine in 2018 for failure to comply with money laundering regulations.