IT supplier/Dutch Data Protection Authority (DPA)
A sales associate accidentally put a hard drive back in a warehouse after using it to transfer data from one computer to another. The data in question was personal data. The data breach was reported too late, and the Dutch DPA intended to impose a fine.
A sales associate accidentally returned a hard drive to a warehouse after using it to transfer data from one computer to another. The data in question was personal data. The hard drive was then accidentally sold to a customer, who came across financial data of other persons, such as social security numbers, income tax returns and benefits information. The customer immediately informed the store employee and filed a complaint with the Dutch Data Protection Authority (DPA). The DPA investigated and found that the company had not reported this data breach within 72 hours. It announced its intention to impose a fine of the highest category.
The continuity of the company would be jeopardized if the fine were indeed imposed. The company was given the opportunity to defend itself. The fine was nevertheless imposed, after which First Lawyers appealed for the company. Emphasis was placed on evidence of measures the company had taken to prevent such data breaches. These included actions to raise awareness among employees, the appointment of a Data Protection Officer, and quarterly audits to review and discuss compliance with the GDPR at each branch.
The objection was upheld, in the sense that the DPA decided to leave it at a reprimand. First Lawyers subsequently objected to disclosure of the company's reprimand, because disclosure would still amount to a severe sanction for the company. The reprimand was eventually made public anonymously.