Following the incident at the State Enterprise Centre of Registers on 20 July 2020, which disrupted the operation of state registers and state information systems managed by the State Enterprise Centre of Registers, the Lithuanian State Data Protection Inspectorate (DPA), after conducting an investigation under the General Data Protection Regulation (GDPR), in February 2021 imposed a fine for improper implementation of technical and organisational data security measures.
A fine of EUR 15,000 was imposed on the State Enterprise Centre of Registers for infringements of Article 32(1)(b) and (c) of the GDPR, namely failure to ensure the ongoing integrity, availability and resilience of processing systems and services, and failure to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
The fine was imposed on the Centre of Registers as the data controller and/or data processor of 22 registers and information systems. The decision on the fine was issued having regard to the state of the art and the costs of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals. It found a failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, an infringement of Article 32(1)(b) and (c) of the GDPR, and also took into account the factors listed in Article 83(2)(a), (d) and (g) (related to the nature, gravity, duration and scope of the data), which are to be recognised as aggravating the infringement by the SE Centre of Registers.
Pursuant to the Law on Legal Protection of Personal Data, a supervisory authority may impose an administrative fine of up to 0.5% of the current year's budget or other general annual revenues received in the previous year of the public authority or body, but not more than thirty thousand euros, on an authority or body that has violated the provisions referred to in Article 83(4)(a), (b) and (c) of the GDPR.
In determining the amount of the administrative fine, the DPA took into account the factors mitigating the violation committed by the SE Centre of Registers listed in Article 83(2)(b), (c), (e), (f) and (h) of the GDPR, namely the absence of intent, the efforts made to restore the damaged data, the absence of evidence of material damage suffered by the data subjects, the close cooperation with the DPA and the absence of previous violations of a similar nature. The DPA also took into account that the State Enterprise Centre of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and on other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to ensure compliance with the provisions of the GDPR in the future.
The DPA points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor under Article 32 of the GDPR. The processor is likewise directly liable for non-performance or improper performance of this obligation.
For further information, please contact the Lithuanian supervisory authority: ada@ada.lt