2018年8月29日,保加利亚个人数据保护委员会根据本国个人数据保护法第87条第3款的规定,由时任保加利亚税个人数据保护委员会主席Ventsislav Karadjov先生向NRA(保加利亚国家税务局)发布了关于此前信息泄露事件的处罚命令——因NRA违反第(EU)2016/679号条例第32条第1款(b)项,即是违反了GDPR第32条第1款(b)项的规定,处以的罚款金额为510万列弗,约合2014.6万人民币元,260.87万欧元。
案件详情
2019 年 7 月 15 日,一名黑客成功突破保加利亚国家税务局(“NRA")的安全系统,随后向保加利亚媒体发了一封电子邮件,邮件内容除了批评保加利亚政府网络安全状况之外,还分享了访问被盗数据的途径。此外邮件还声称,超过 500 万个人以及企业的信息被窃,部分被黑的信息(约 11 GB)已泄露给本地媒体。
据报道,在互联网上被非法访问和分发的信息包含总共6074140个人的个人数据,其中包括4104786保加利亚和外国公民的生活数据主体,以及1959598死者。数据主体的以下个人数据类别遭到未经授权的泄露:保加利亚公民的姓名,个人识别号码和地址,电话,电子邮件地址和其他联系方式,个人年度纳税申报表中的数据等。这是迄今为止保加利亚最大的个人数据泄露事件。
在保加利亚个人数据保护委员会(CPDP)对国家税务局(NRA)处理数据进行的为期一个月的检查中发现,此次信息泄露事件的主要原因是:保加利亚国家税务局(“NRA")在其内部程序,活动和处理过程中,作为数据控制者,尚未实施适当的技术和组织措施,从而导致数据泄露-由NRA收集和处理的个人数据未授权被访问。
报道称,这次数据泄露事件的受害范围涉及到几乎全体保加利亚国民,其危害影响深远。被盗的信息包括保加利亚人的姓名、住址以及个人收入等。事发后,保加利亚当局采取行动,逮捕了一名 20 岁的涉事男子。
另外,此事件造成的影响还包括:加拿大国税局CRA,美国国税局IRS,澳大利亚国税局ATO等纷纷表态,一方面提醒跨境纳税人谨防税务欺诈,防止别有用心的人利用此次信息泄露事件对纳税人进行敲诈;另一方面提醒跨境纳税人合规申报和披露海外金融账户信息,更加完善遵从税收法规。
处罚金额
依据 GDPR 的规定 , 保加利亚国家税务局(“NRA”)本来可能面临最高 2000 万欧元的罚款,但 CPDP 最终仅处以510万列弗,约合2014.6万人民币元,260.87万欧元,理由大致如下: 其一,CPDP 负责人 Ventisalav Karadzho 表示,罚款的主要目的是确保国家机关将来遵循正确的数据处理程序,而不是为了惩罚。
其二,保加利亚国家税务局在发现数据盗窃事件后已经采取了一些数据保护措施,如解雇两名高级 IT 专家。
其三,这次数据泄露与保加利亚政府在网络安全方面(尤其是关键基础设施防护)的投入严重不足有关,缺乏基本的侵权防护,并不仅仅是保加利亚国家税务局的过错。
其四,造成的后果并不是过于严重。财政部长弗拉迪斯拉夫·戈拉诺夫(Vladislav Goranov)表示,尽管此次漏洞影响了数百万人,但并未被归类为情报,也不会危害该国的金融稳定。他还说,被黑客入侵的数据不够详细,无法提供有关任何人的财务信息的“实质性结论”,并且,如果有人试图利用这些数据,则“将受到保加利亚法律的影响”。
合规启示
保加利亚数据保护委员会对NRA下达的处罚令中指出,NRA主要违反了GDPR第32条 处理安全 第1款 的规定。同保加利亚CPDP前一天对DSK Bank EAD的数据泄露事件的处罚原由是一样的,但两者的处罚金额相差巨大。对NRA的处罚金额约是DSK的5倍。GDPR第32条 处理安全 第1款 明文规定:
考量现有技术实施成本和处理的性质、范围、背景、目的以及给自然人的权利和自由带来不同可能性和严重程度的风险,数据控制者和数据处理者应当采取适当技术性和组织性措施以保证应对风险的适当安全水平,酌情考虑但不限于以下因素:
个人数据的匿名化和加密;
保证处理系统和服务持续、保密、完整、可用和自我修复的能力;
在发生物理性和技术性故障的情况下及时恢复个人数据的可用性和访问能力;
定期测试、评价和评估处理过程技术性和组织性措施的有效性。
这启示我们:首先,任何企业都应该重视数据安全检查,在系统安全方面采取有效防护措施,并定期排除安全隐患。其次,由保加利亚数据保护委员会给出的对NRA的最终处罚金额的原因可看出,应对数据泄露事件时,采取及时措施,主动上报,积极止损,与监管机构保持良好密切的沟通,将影响控制在尽可能小的范围内,是明智之举。
事实上,网络社会,无论谁都无法完全消除数据泄露的风险,但应对数据泄露事件,无论采取多少努力都不为过。SCA安全通信联盟始终关注安全通信和身份认证领域,亦在信息安全领域提供中立、专业的GDPR、网络安全等级保护、技术认证、合规的咨询和培训服务。对企业应对网路数据安全事件,如何采取实质措施避免损害的扩大或减轻不利影响?SCA在此建议:第一,学习相关法律知识,第二,为企业信息安全相关重要成员做相关业务培训,听取专业人士的建议。
文末附保加利亚个人数据保护委员会对NRA处罚原文。本文由SCA结合相关法律文件整理,转载请注明出处。
欢迎关注SCA官方微信公众号“奥航智讯”留言讨论。更多GDPR相关内容请点击下方文字链接:
SCA连载系列之| GDPR个人数据处理的6大原则包含哪些内容?
SCA连载系列之| GDPR“数据处理”、“处理安全”、“加密”分别对应哪些内容?
SCA连载GDPR罚单之| 德国首例GDPR 数据处理案件,为啥罚单是2万欧元?轻罚的依据是什么?
SCA连载GDPR罚单之| 葡萄牙数据监管机构认定Barreiro医院违反GDPR
附:保加利亚个人数据保护委员会对NRA处罚原文
Update on the undertaken inspection at the National Revenue Agency
29.08.2019
During the one-month inspection undertaken by the Commission for Personal Data Protection (CPDP) over the processing of data by the National Revenue Agency (NRA), it was established that, in the course of its internal procedures, activities and processing, the Agency, as a data controller, has not implemented the appropriate technical and organizational measures, resulting in a data breach - unauthorized access to subjects’ personal data, collected and processed by the NRA. The following categories of personal data of data subjects have been a subject of an unauthorized disclosure: names, personal identification numbers and addresses of Bulgarian citizens, telephones, e-mail addresses and other contact details, data from the annual tax returns of individuals, data on personal income tax expense on income statement, data from insurance declarations, data on health insurance premiums (NOTICE: no personal medical status or information on treatment of citizens have been disclosed), data on issued acts for administrative violations, data on completed payments of taxes and social security liabilities through Bulgarian Posts AD, as well as data on claimed and refunded VAT, which has been paid abroad.
It was found that the information, which was illegally accessed and distributed on the Internet contained personal data of a total of 6 074 140 individuals, including 4 104 786 living data subjects both Bulgarian and foreign citizens, and 1 959 598 deceased individuals.
CPDP issued a Decision, containing Orders to the NRA dated 23.08.2019 pursuant Art. 58, § 2, letter „d” in connection with Art. 57, § 1, letter „a” and Art. 83, § 2, letters „a", „c", „d", „f" and „g" of Regulation (EU) 2016/679 to take the appropriate technical and organizational measures in line with the data protection legislation in force, such as:
- Measures to enhance the protection of personal data processing in applications, providing e-services to citizens;
- Performing risk analysis of systems and processing operations, including established rules and functional obligations for the processing of every single information system;
- Carrying out impact assessments at the event of identifying „high risk” for each system, and the appropriate measures, which have to be taken;
- Performing an impact assessment on the initial launch of new information systems and applications.
The deadline for implementation of the orders is six months, starting the date when the Agency has received them.
On 28.08.2019, pursuant Art. 87, § 3 of the Personal Data Protection Act, Mr Ventsislav Karadjov - Chairman of the Commission for Personal Data Protection, issued a Penal Order to the NRA for violation of Art. 32, § 1 (b) of Regulation (EU) 2016/679, with a view to a data breach of unauthorized access, unauthorized disclosure and dissemination of personal data of individuals from the information databases maintained by the Agency. The amount of the imposed penalty is BGN 5 100 000.
The issuance of the Penal Order embodies the administrative and criminal responsibility of the NRA, as a data controller, for the unauthorized access and dissemination of personal data. The fact that this data has leaked into the public domain does not automatically mean that it has been misused, insofar as the abuse presupposes the commission of additional illegal acts that can separately be considered as crimes.
CPDP has received numerous requests for clarification on the procedure for lodging complaints and protection against misuse of personal data. The Commission would like to inform citizens that the subject of complaints and alerts regarding the breach of personal data security in the NRA is identical to the subject of the inspection carried out by the CPDP and in this context there is an obstacle to seek administrative and criminal liability for the same breach. This is a manifestation of the legal principle of ne bis in idem (no one can be pursued, trailed or punished twice for the same thing). However, this principle does not preclude the affected data subjects to seek compensation, but this can only be done judicially, in line with the general rules of procedure in the courts. For this purpose, it is not necessary to request an official document from CPDP or a specific decision issued by the Commission over a specific case.
