Xplain – Violation Found (Switzerland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The software provider Xplain, the controller, was the victim of a ransomware attack in the course of which data stored on the Xplain server were published on the dark web. These data included personal data relating to the Federal Government, some of it sensitive. The Federal Data Protection and Transparency Officer (hereinafter: DPA) opened an investigation into the Federal Offices of the Federal Police and of Customs and Border Security, as well as into the controller. The DPA considered two key elements: the circumstances in which the Federal Offices submitted data to the controller, and the circumstances in which the controller kept those data on its server. The DPA considered that neither of the two Federal Offices had clearly agreed with the controller on the modalities of data storage on its server. More specifically, no requirements concerning the transmission and security of the data were imposed on the controller. As a result, the controller held a disproportionate amount of personal data, including a collection of “unstructured data from federal offices”. The DPA therefore found that the controller did not take appropriate measures to ensure data security and protection. The DPA highlighted that the controller violated the principles of purpose limitation and proportionality in the retention of personal data. The DPA concluded by issuing recommendations to the controller; implementing those recommendations aims to reduce the risk of a new data protection breach. The recipients have 30 days to tell the DPA whether they accept its recommendations.
National Law Articles
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Xplain in CH
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Xplain - Switzerland (2024). Retrieved from cookiefines.eu