25-10-2024

A Fine Was Imposed Against Vilnius Region Municipality’s Administration for Improper Processing of Personal Data

The State Data Protection Inspectorate (the SDPI), having investigated the Vilnius Region Municipality's Administration (hereinafter - the Municipality) notification of a Personal Data Security Breach (the PDSB) - a break-in to the Administration's server -, imposed an administrative fine of 9,000.00 EUR on the Municipality for infringements of the personal data processing requirements laid down in the General Data Protection Regulation (the GDPR).

The SDPI determined that the Municipality, as the data controller, did not sufficiently ensure the security of personal data. As a result of the PDSB, its operations were disrupted: for a certain period the Municipality could not provide certain services, the servicing of persons was impaired and the payment of social benefits was delayed, i.e., the PDSB affected a large number of persons. After the attacker encrypted the personal data processed on the Municipality's servers, the confidentiality of the data was infringed as well.

The SDPI determined that the principles of integrity and confidentiality enshrined in Article 5(1)(f) of the GDPR, and the requirements of Article 32(1)(b), (c) and (d) and Article 32(2) of the GDPR, were infringed.

Concerning Security Measures

Under the applicable legal requirements, every data controller must ensure adequate protection against malware. The investigation found that the Municipality did not use sufficient measures to protect itself against malware, that access rights to the server were not properly controlled, and that password security was not ensured. It was also established that, before this incident, effective and timely data restoration had not been ensured, which is why the continuity of the services provided by the Municipality was disrupted. Other technical and organisational security measures - software updating, network monitoring, etc. - were likewise not properly implemented.

Concerning the Informing of the Data Subject

The PDSB may pose a significant risk to the rights and freedoms of natural persons - material and non-material damage may result (discrimination, identity theft or fraud, financial loss, damage to reputation, etc.).

The Municipality informed the SDPI that it had notified the public of the incident via its "Facebook" account and a press release. Taking into account that the number of data subjects whose personal data security was breached is quite high, the SDPI agreed that such a public method of notification is appropriate. However, it also determined that the content of the public announcements did not meet the requirements of the GDPR - the Municipality should have advised citizens how to protect themselves against possible adverse consequences (e.g., to be vigilant and critically assess all phone calls and messages they receive, to closely monitor activity on their bank accounts, etc.).

Concerning the Imposition of the Fine

When deciding on the amount of the fine, the SDPI had regard to the amounts of administrative fines that may be imposed on authorities or institutions under Article 33 of the Law on the Legal Protection of Personal Data of the Republic of Lithuania, and followed the European Data Protection Board Guidelines No. 04/2022 of 24-05-2023 on the calculation of administrative fines under the GDPR.

When analysing the circumstances of the infringement, the SDPI had regard to several factors. First, it assessed the impact of the infringement on a large number of data subjects and the processing of sensitive data, which was deemed an aggravating circumstance. It is also to be noted that the Municipality had never previously been fined for similar infringements; this was considered a neutral factor.

The decision of the SDPI may be appealed to the Regional Administrative Court within 1 month from the day of its delivery, in accordance with the procedure laid down in the Law on Administrative Judicial Procedure of the Republic of Lithuania.