Lithuanian DPA Hopes First GDPR Fine Is A Wake Up Call
It took a year but Lithuania's data protection authority issued its first fine last week to a fintech company for breaching three provisions of the GDPR.
Lithuania's data protection authority is hoping a recent fine it imposed on a company for violating the GDPR will serve as a warning shot and get the attention of other companies in the country.
The country's State Data Protection Inspectorate, which oversees the data protection law, fined MisterTango, a financial services company that provides free bank accounts and payment services for EU citizens, €61,500 for violating three provisions of the GDPR earlier this month.
The DPA said last week the fine, which translates to roughly $68,621 and can be appealed, would be applied to the company's annual worldwide turnover. The payment initiation service provider is the first in the country to be fined by the authority.
There have only been a handful of GDPR fines relative to the number of reported breaches, but privacy experts have cautioned the industry to expect larger fines as the EU prepares to enter the second year of GDPR enforcement. With the fine, Lithuania joins France, Spain, Germany, Poland, Austria, Bulgaria, Cyprus, and Malta in imposing significant GDPR fines.
MisterTango, which has been around since 2014, suffered a breach last summer, spilling customer data, including 9,000 screenshots of banking transactions, but failed to report it to the country's supervisory authority within 72 hours, the notification window set out in the GDPR.
Because of the breach – the cause of which is unclear – the banking transactions were viewable for two days, an incident the data protection authority says should have been considered a breach of data security and reported.
In a press release last week, the State Data Protection Inspectorate, known as Valstybinė duomenų apsaugos inspekcija in Lithuania, said MisterTango violated Articles 5, 32 and 33 of the regulation.
In addition to failing to report the breach – something MisterTango should have done under Article 33 of the GDPR – it also improperly processed and disclosed personal data, according to the Inspectorate. Following an investigation, the Inspectorate found that MisterTango was collecting too much data and holding onto it for too long. The Inspectorate claims the amount of data the company collects, such as data pertaining to unreported electronic invoicing, the names and amounts of senders, dates, topics, the "nature and amounts of available loans," pension fund names, and so on, is "excessive."
The authority calls out MisterTango elsewhere in the press release for failing to implement a proper personal data protection policy, something it blames partly on the company having one employee in charge of security and information technology management.
The DPA said the fine should serve as a “significant signal” to other companies.
“In the opinion of the Inspectorate, the imposition of fines under the General Data Protection Regulation should be a significant signal to other companies only by declaratory implementation of the provisions of this legislation,” a translated statement by the Inspectorate reads.