C.B. Sistemi s.r.l. – Complaint Upheld (Italy, 2023)
C.B. Sistemi s.r.l., the processor behind the StudioWEB medical-reports platform, faced a complaint after a user found that any logged-in patient could read other patients' reports by changing the numeric ID at the end of the report URL. The flaw exposed health data and also each report's download log. The processor fixed it immediately and attributed it to a bug introduced by a software update, but the Garante held that losing a safeguard that had been in place at launch meant the processor had not maintained security measures appropriate to the risk.
What happened
A user logged into the StudioWEB platform and found that changing the final number of a report URL returned other patients' reports, together with each report's "Event Log" listing who had downloaded it: the classic insecure direct object reference pattern, where the server checks that the user is authenticated but not that the requested object belongs to them.
Who was affected
Patients using the StudioWEB platform whose medical reports, and the download logs of those reports, were reachable by any other logged-in patient through the vulnerability.
What the authority found
The Garante first asked the controller, under Article 157 of the Italian Privacy Code, for the information needed to assess its data protection practices. It then held that the reports were data concerning health (Article 4(15) GDPR), noted that the vulnerability had been identified and blocked during the initial test phase, and concluded that because the processor did not account for it after the software update, it had not adopted measures ensuring a level of security appropriate to the risk, as required by Article 5(1)(f) and Article 32 GDPR.
Why this matters
Authorization checks regress like any other code: a control added before launch is only as durable as the tests that guard it. Any organisation that serves records by identifier should enforce ownership on every object lookup and re-verify that enforcement after each release; otherwise a routine update can silently reopen access to sensitive health data, as happened here.
GDPR Articles Cited
Article 4(15) GDPR (data concerning health); Article 5(1)(f) GDPR; Article 32 GDPR
Summary of the decision (original scraped text)
CB Sistemi s.r.l. (the processor) provided the health care provider Medical Center s.r.l. (the controller) with the StudioWEB platform, which made the results of medical examinations available to patients after authentication. A person accessed the StudioWEB platform with his grandmother's credentials and discovered a vulnerability that allowed logged-in patients to access other reports by changing the URL: specifically, by changing the final number of the URL it was possible to open other patients' reports. It was even possible to see the "Event Log" of a report, which listed the users who had downloaded it. The person therefore informed both the controller and the Italian DPA of the vulnerability. The processor immediately fixed it and later explained that it was due to a bug introduced with a software update.

Pursuant to Article 157 of the Italian Privacy Code (https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29.pdf/b1787d6b-6bce-07da-a38f-3742e3888c1d?version=7.0), the DPA requested from the controller the further information that was necessary to evaluate its data protection practices. To begin with, the Italian DPA held that the medical reports shown on the platform were data concerning health pursuant to Article 4(15) GDPR. In this regard, and taking into consideration the controller's submission, the DPA noted that the vulnerability had been foreseen in the initial test phase and appropriately blocked. Therefore, since the processor did not take the vulnerability into account following the software update of the same portal, the DPA held that the processor had not adopted appropriate measures to guarantee a level of security adequate to the risk, as required by Article 5(1)(f) GDPR and Article 32 GDPR, to ensure the confidentiality, integrity, ava
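To make the failure concrete, here is an added example of the access-control pattern described above, written for this page and not taken from StudioWEB, the decision or GDPRhub. It models a report lookup keyed by the numeric ID in the URL: the vulnerable version trusts that ID once the user is logged in, the hardened version also requires the report to belong to the authenticated patient, and a regression check asserts that the ownership rule holds on every build, which is the test the processor was in effect faulted for not having after its update. The data model, IDs, and function names are assumptions made for the illustration.

```python
# Added example: an IDOR on a report-by-ID lookup, beside its hardened form.
# NOT StudioWEB's code; the data model, IDs and function names are assumed.
from dataclasses import dataclass, field
from typing import Callable


class Forbidden(Exception):
    """Raised when a caller may not read the requested report."""


@dataclass
class Report:
    report_id: int
    patient_id: int                                   # owner of the report
    body: str
    event_log: list = field(default_factory=list)     # patient IDs that downloaded it


# Constructed sample data: two patients, one report each.
REPORTS = {
    101: Report(101, patient_id=1, body="Blood panel, patient 1"),
    102: Report(102, patient_id=2, body="MRI summary, patient 2"),
}


def vulnerable_get_report(session_patient_id: int, report_id: int) -> Report:
    """Looks the report up by the URL parameter alone (the IDOR).

    Being logged in is the only check, so any patient can read any report,
    including its download log, simply by changing the number in the URL."""
    report = REPORTS[report_id]
    report.event_log.append(session_patient_id)
    return report


def hardened_get_report(session_patient_id: int, report_id: int) -> Report:
    """Object-level authorization: the report must belong to the caller.

    A report that exists but belongs to someone else is treated exactly like
    one that does not exist, so a guessed ID leaks nothing about other
    patients' records or download logs."""
    report = REPORTS.get(report_id)
    if report is None or report.patient_id != session_patient_id:
        raise Forbidden(f"report {report_id} not available to patient {session_patient_id}")
    report.event_log.append(session_patient_id)
    return report


def can_read(get_report: Callable[[int, int], Report], patient_id: int, report_id: int) -> bool:
    """True if patient_id can fetch report_id through get_report."""
    try:
        get_report(patient_id, report_id)
        return True
    except Forbidden:
        return False


def idor_regression_check(get_report: Callable[[int, int], Report]) -> bool:
    """Authorization regression test: every patient must be able to read
    exactly their own reports and nothing else.

    Run against every build so that a refactor or update which drops the
    ownership check fails the pipeline instead of shipping."""
    patient_ids = {r.patient_id for r in REPORTS.values()}
    for patient_id in patient_ids:
        for report_id, report in REPORTS.items():
            expected = report.patient_id == patient_id
            if can_read(get_report, patient_id, report_id) != expected:
                return False
    return True


if __name__ == "__main__":
    print("vulnerable passes check:", idor_regression_check(vulnerable_get_report))  # False
    print("hardened passes check:", idor_regression_check(hardened_get_report))      # True
```

The hardened lookup returns the same "not available" result for a report that does not exist and for one owned by another patient; a distinct 403 for the latter would confirm to an attacker that the guessed ID is valid.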
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for C.B. Sistemi s.r.l. in Italy; this is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
30 November 2023
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-7578
Cite as: Cookie Fines. C.B. Sistemi s.r.l. - Italy (2023). Retrieved from cookiefines.eu