InfoCert S.p.A. – Complaint Upheld (Italy, 2024)

Data Breach Notification: The breach was reported on May 8, 2019, by InfoCert to the Italian Data Protection Authority, detailing the unauthorized access to personal data through hacking. Extent of Breach: Hackers accessed about 40,623 user credentials from the portal of the "Ordine degli Avvocati di Roma," leading to the further unauthorized disclosure of personal information of 26,921 members online. Security Measures Post-Breach: Post-incident, InfoCert implemented numerous security measures to enhance data protection and address the vulnerabilities exploited by the hackers. Violations of GDPR Article 32 - Failure to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk. This includes issues with password management and security breaches that were not adequately addressed or remedied. Violations of GDPR Article 33 and 34 - Inadequate handling of data breach notifications to both the supervisory authority and the affected individuals. The timing, content, and completeness of these notifications did not meet the regulatory requirements. Violation of GDPR Article 28 - Inadequate contractual arrangements with processors, lacking detailed descriptions of data processing roles and responsibilities. Violation of GDPR Article 5 - Principles relating to processing of personal data were not adhered to, particularly concerning data security and the integrity and confidentiality of personal data.