IT services company

Description

A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA as well its users of the potential breach of personal data by the IT provider. The incident consisted of a security breach which led to unauthorized access and processing of personal data by hackers and involved personal data of 28,085 respondents. The incident occurred because the IT provider had not taken the necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks. The IT provider, as a data processor, was obliged to take appropriate technical security measures in such a way as to ensure the permanent confidentiality of the system, including regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure security of processing. When assessing the appropriate level of security, the IT provider should have taken particular account of the risks of unauthorized disclosure of personal data. Due to failure to take appropriate technical measures for the security of personal data processing, the DPA imposed an administrative fine on the IT provider. The amount of the fine is unknown at the moment. In its decision, the DPA took into account the nature of the IT provider’s business activity, whose role should be to support other entities through opinions and guidelines, proposing solutions for the implementation of web applications, and especially designing and implementing appropriate technical measures.