Incident Details
The Dutch Supervisory Authority imposed a penalty of €150,000 on a credit card company in December 2023 for not conducting a thorough data protection impact assessment (DPIA) as required by Article 35 of the GDPR for its "identification and verification process". The data processing included sensitive personal information such as name, date of birth, place of birth, email address, phone number, gender, Dutch government ID number, ID document number, and a photograph.
Incident
How Did the Breach Happen?
The security incident occurred because the credit card company did not conduct a thorough data protection impact assessment (DPIA), as required by Article 35 of the GDPR, for its "identification and verification process".
What Data has been Compromised?
The data breach involved confidential personal details like full name, date and place of birth, email address, phone number, gender, Dutch national identification number, identification document number, and photograph.
Why Did the Company's Security Measures Fail?
The company's security measures were ineffective because it neglected to conduct a thorough data protection impact assessment (DPIA) and did not adequately consider its data protection obligations.
What Immediate Impact Did the Breach Have on the Company?
The violation led to a penalty of €150,000, imposed on the credit card company by the Dutch regulatory authority.
How could this have been prevented?
Performing a thorough data protection impact assessment (DPIA) as outlined in Article 35 of the GDPR and adhering to data protection regulations could have averted this breach.
What have we learned from this data breach?
The incident underscores the necessity of conducting comprehensive data protection impact assessments (DPIAs) and adhering to data protection laws to prevent hefty penalties and safeguard confidential personal information.
Summary of Coverage
A credit card institution located in the Netherlands received a €150,000 fine from the Dutch Supervisory Authority in December 2023 for failing to carry out an adequate data protection impact assessment (DPIA). This incident exposed the sensitive personal information of 1.5 million clients, emphasizing the significance of carrying out DPIAs and adhering to data protection regulations.