The grand duchy’s privacy watchdog has reported steep increases in the number of complaints and data breach reports since the introduction of the EU’s General Data Protection Regulation eight months ago.
A spokesman for the National Commission for Data Protection (CNPD), the body that enforces GDPR rules in Luxembourg, told Delano on 29 January that: “The CNPD has received 351 complaints since 25 May.” Just over half of complaints (193) were lodged after 28 September, meaning the number of grievances slowed slightly at the end of last year.
The CNPD spokesman reported that:
“In total, we have received 474 complaints in 2018 compared to 200 in 2017. 400 of these complaints came from citizens, while 74 were received by other supervisory authorities in the context of the EU cooperation system. (This is new since 25 May.)”
Organisations that hold personal data have reported an average of 24 data breaches a month to the CNPD, as they are required to under GDPR. “Since 25 May, we have received 172 data breach notifications,” the spokesman stated.
57% of data breaches were caused by internal errors
27% were caused by external malicious activity
7% were caused by internal malicious activity
3% were caused by external errors
The most frequent causes of data breaches between 25 May and 31 December 2018 were:
Personal data mistakenly sent to the wrong person (49 incidents)
Providing personal data about the wrong person (21)
Involuntary publication (20)
Lost or stolen device (14)
The CNPD spokesman said the agency recorded a large increase in the number of inquiries that it has fielded from the public. “Information requests have also more than doubled. From 2017 to 2018, they went from 520 to 1,113,” he said.
However, the figures for the EU are incomplete, “as national complaints remain the responsibility of the Member States and they are not obligated to disclose these to us,” a spokeswoman for the European Data Protection Board, the umbrella outfit for EU data protection agencies, told Delano on 28 January.
According to the report:
“Several high level cases are ongoing and could cause fines up to 4% of the annual [turnover] of a business, if there is a serious infringement. So far three fines have been issued.”
In Germany, “a social network operator for failing to secure users’ data” was fined €20,000 in November 2018
In Austria, a “sports betting café for unlawful video surveillance” was fined €5,280 in September 2018