The EDPB has highlighted the first significant fine imposed under the GDPR by the State Data Protection Inspectorate in Lithuania. An administrative fine of EUR 61,500 was imposed on a financial services organisation for breaches of Articles 5, 32 and 33 of the GDPR, arising out of a personal data breach in its payment initiation service system that had not been reported to the supervisory authority.
MisterTango UAB operates internationally, providing payment services to residents and companies of Lithuania as well as to foreign residents and companies. It has established a branch in Latvia and has provided services in other countries, so the Latvian personal data protection supervisory authority also had input into the case. The case illustrates that organisations should pay closer attention to how they manage data breaches and to their cooperation with the supervisory authority during an investigation.
Having carried out its investigation, the Inspectorate determined that the company had breached the GDPR on three counts: it improperly processed personal data contained in screenshots, it made personal data publicly available, and it failed to report the personal data breach to the supervisory authority.
Improper processing of personal data
MisterTango UAB was found to be processing more personal data than was necessary to effect the payment initiated by the payer. The Inspectorate considered that, under the GDPR’s data minimisation principle, only the data needed to effect the payment should be collected: the payer’s name and surname, the bank account number, currency and balance, the purpose of the payment or payment code and, if the payer wishes, his or her identification code. In addition to that data, however, the company collected superfluous data such as the names of senders and the amounts, purposes and types of loans. The company was also retaining data for far longer than necessary, e.g. for 216 days where 10 minutes would have sufficed.
Under the accountability principle in Article 5 of the GDPR, a controller must be able to demonstrate its compliance with the data processing principles; in this case the company failed to provide sufficient evidence of that compliance to the supervisory authority during the investigation.
Publicity of personal data
A web page listing the payments processed by MisterTango UAB was publicly visible for more than two days, exposing the payments made through its payment initiation service by customers of different banks, together with those customers’ personal data. In addition, more than 9,000 screenshots showing details of the payment sessions of customers of 12 different banks in several countries were made publicly available. The management, installation and maintenance of the company’s entire IT infrastructure (hardware and software) were carried out by a single employee, leaving no segregation of duties or independent check on that person’s work. The Inspectorate concluded that MisterTango UAB had therefore failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unlawful processing and disclosure, in breach of Articles 5 and 32 of the GDPR.
Failure to notify the personal data breach
Under the GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed is a personal data breach. Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. As MisterTango UAB had not notified the Inspectorate of the breach at all, it had breached Article 33 of the GDPR.
When deciding on the amount of the administrative fine, the Inspectorate took into account all the circumstances of the case, as well as the company’s total annual worldwide turnover.