A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’, a company that provides financial operation services globally, was fined 61,500 EUR in respect of GDPR Articles 5, 32 and 33 relating to improper processing of personal data in instant screen images (screenshots).
Improper processing of personal data
Furthermore, for at least 2 days the list of processed payments showing customers’ data was visible online. Disclosure of personal data is treated as a personal data breach and must be reported within 72 hours (GDPR Art. 33). However, VDAI was not informed about the incident.
Data Protection Authority investigation
Before deciding to impose the fine, the VDAI considered all the factors relevant to whether or not ‘Mister Tango’ acted to the best of its abilities in making sure that data processing was transparent, compliant and secure.
VDAI concluded that ‘Mister Tango’ doesn’t have the necessary technical and organisational security measures in place to ensure the required level of safety, including protection against unauthorised processing or disclosure (GDPR Art. 32).
The VDAI’s decision has not yet come into force and can be appealed against through the court.