[导读:2019年5月16日,立陶宛数据保护监管机构(State Data Protection Inspectorate)对互联网支付公司MisterTango违反《通用数据保护条例》(General Data Protection Regulation, GDPR)的行为处以61500欧元的罚款,这是立陶宛的首张GDPR罚单。立陶宛监管机构此次所作出的处罚除警示其它企业外,同时彰显了立陶宛对数据泄露的严格监管态度,尤其是金融领域的敏感信息。

MisterTango此次受处罚的原因有不恰当处理数据、泄露个人信息以及未向监管机构报告数据泄露事件。2018年7月,MisterTango公司用户的个人信息以及9000张网络支付交易截图被非法披露在互联网上,该数据泄露事件发生后72小时内公司亦未向监管机构报告。此外,MisterTango提供支付服务时,违反GDPR超出必要限度读取并收集用户的个人信息。

本文源自Global Data Review网站,原文如下:

Lithuania"s data protection authority has fined a payments processing company for breaching three provisions of the GDPR.

The State Data Protection Inspectorate has levied a €61,500 fine against fintech company MisterTango for inappropriate data processing, disclosing personal data and failing to report a breach, it said today. The authority said that the fine should be seen as a “significant signal to other companies”.

MisterTango suffered a data breach in July 2018, when its customers’ personal information became available online. More than 9,000 screenshots of banking transactions also appeared online, according to the authority.

Observers said it is not yet clear whether the disclosure happened as a result of a technical error or a hack, though the company claims it was the former.

The company also failed to inform the regulator about the data breach within the 72-hour period dictated by the GDPR, an Inspectoratepress release said.

The regulator found that the company accesses and collects more personal data than is necessary to execute payments since it collects detailed financial information alongside each payment. The authority argued that MisterTango should only be collecting data which is necessary to process the transaction, such as account numbers and payment details.

A single employee was responsible for security andinformation management at the company, which meant that the company could not implement proper data protection policies, the regulator said.

The enforcer also said that the case should prompt other companies to “pay more attention to the management of data security breaches and cooperation with the supervisory authority during investigations”.

Andrius Iškauskas, a partner at WINT in Vilnius, told GDR that MisterTango’s failure to inform the regulator was the company’s “biggest mistake”.

The regulator may have also increased the fine because screenshots posted online during the data breach contained confidential banking information as well as personal data, Iškauskas said. He also noted that the press release did not state that the breach caused any actual harm, and as such the fine could be seen as “too stern”.

Vytautas Mizaras, a partner at Ellex Valiunas in Vilnius, said that the fine is “higher than expected”, given that it is not clear whether the leaked data reached third parties and that MisterTango could have easily corrected some of its issues.

The authority’s decision to issuesuch a penalty, Mizaras said, demonstrates that it takes a “strict view” on data breaches, particularly those involving financial information.

Rimtis Puišys, a partner at Eversheds Saladžius inVilnius, said that the incident represents “quite a major breach”, and that the authority’s reaction demonstrates its seriousness. The regulator has previously focused on consultation rather than fines, he said. The leak of sensitive financial data also likely increased the fine, he said.

Though MisterTango is entitled to appeal to the Lithuanian administrative court, given the apparently clear findings of the regulators’ investigation, the company may struggle to succeed if it chooses to do so, Puišys said.

Mindaugas Civilka, a partner at TGS Baltic in Vilnius, said that MisterTango may be successful "in at least partially challenging the decision", if it can demonstrate that it has "immediately addressed the incident and eradicated all potential consequences".

A MisterTango spokesperson told GDR that it plans to appeal the decision and that it disagrees with the Inspectorate’s findings.

“An audit by the Lithuanian bank concluded that there was no danger to extended financial data of our customers and because there was no breach, according to the GDPR, we did not have to inform our customers,” the spokesperson said. “We think that the fine is inadequate for the extent of the breach and the diligence of the investigation.”

Only 58 of the customer’s emails became publicly accessible and were never actually accessed, “to the best of [the company’s] knowledge”, he said.

MisterTango also suffered a €30,400 fine in 2018 for failure to comply with money laundering regulations.

声明:本文来自个人信息与数据保护实务评论,版权归作者所有。文章内容仅代表作者独立观点,不代表安全内参立场,转载目的在于传递更多信息。如有侵权,请联系 anquanneican@163.com。