It has been almost a year since the GDPR came into force, bringing with it a new data protection regime for data processors.
It has had a major impact on the responsibilities of both data controllers and their data processors. Under the GDPR a data processor is directly liable if it fails to comply with the obligations the regulation imposes specifically on processors, or if it acts outside the scope of the data controller's lawful instructions.
The Italian data protection authority issued its first fine showing that the data protection authorities are keen to enforce the regulation.
The fine of €50,000 was levied against the Rousseau platform for failing to implement technical and organisational security measures following a data breach.
The Rousseau platform operates a number of websites affiliated with Movimento 5 Stelle, the Italian political party. The platform suffered a data breach in summer 2017, after which the Garante, the Italian data protection authority, ordered it to implement further security measures and to update its privacy information notice so as to give more transparency to the data processing activities performed.
Interestingly the fine was levied against the Rousseau association which is the data processor and not against Movimento 5 Stelle which is the data controller.
For the first time, the data protection authority did not fall back on the principle that the data controller answers for breaches committed by its data processor; instead it recognised the data processor's own liability and sanctioned it directly.
Moreover, the decision gives a clearer understanding of the security measures that data protection authorities expect to be in place at entities processing large amounts of personal data.
Further information about both Maltese and EU GDPR cases will be given during the "GDPR – one year on" conference, being organised on the morning of 5th June at the Intercontinental Hotel in St Julian's.