Shanghai Moonton Technology Co. Ltd. – €72,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 2 November 2022, a security breach occurred on Shanghai Moonton Technology Co. Ltd.’s (the controller) videogame forum. The controller is a Chinese videogame company headquartered in Shanghai that was acquired by Bytedance in March 2021. The breach affected 442 Spanish data subjects and included usernames on the controller’s forum, user ID numbers, frequency of each data subject’s visit to the forum, the reported sex of data subjects, IP addresses, email addresses and the data subjects’ activities on the forum including publications and interactions. On the day of the breach, 2 November 2022, the personal data obtained in the breach was published on a third party website. The following day, 3 November 2022, a member of the controller’s security team identified the publication of the data on the third party website. From 4 November to 16 November 2022, the controller investigated the data breach. The controller identified the location of each data subject based on their IP address and notified the corresponding DPAs accordingly. It began notifying DPAs on 11 November 2022. On 21 November 2022, the controller notified the Spanish DPA (AEPD) of thebreach. In its investigation, the AEPD noted that the controller used moderators which were volunteers, not employees or contractors, in order to manage its forums. Moderators were hired using a two-week trial period and were required to abide by terms of service and a code of conduct. The controller gave moderators access to users’ personal data in order to monitor the forums and where necessary, revise or eliminate posts, block user access to the forum, respond to users or approve new users. This access included data which was available to all users on the forum including data subjects’ usernames, user IDs, number of visits to the forum, reported sex, and activities on the forum. In addition, moderators were given access to personal data which was not already publicly available to all forum users: data subjects’ emai
GDPR Articles Cited
On 2 November 2022, a security breach occurred on Shanghai Moonton Technology Co. Ltd.’s (the controller) videogame forum. The controller is a Chinese videogame company headquartered in Shanghai that was acquired by Bytedance in March 2021. The breach affected 442 Spanish data subjects and included usernames on the controller’s forum, user ID numbers, frequency of each data subject’s visit to the forum, the reported sex of data subjects, IP addresses, email addresses and the data subjects’ activities on the forum including publications and interactions. On the day of the breach, 2 November 2022, the personal data obtained in the breach was published on a third party website. The following day, 3 November 2022, a member of the controller’s security team identified the publication of the data on the third party website. From 4 November to 16 November 2022, the controller investigated the data breach. The controller identified the location of each data subject based on their IP address and notified the corresponding DPAs accordingly. It began notifying DPAs on 11 November 2022. On 21 November 2022, the controller notified the Spanish DPA (AEPD) of thebreach. In its investigation, the AEPD noted that the controller used moderators which were volunteers, not employees or contractors, in order to manage its forums. Moderators were hired using a two-week trial period and were required to abide by terms of service and a code of conduct. The controller gave moderators access to users’ personal data in order to monitor the forums and where necessary, revise or eliminate posts, block user access to the forum, respond to users or approve new users. This access included data which was available to all users on the forum including data subjects’ usernames, user IDs, number of visits to the forum, reported sex, and activities on the forum. In addition, moderators were given access to personal data which was not already publicly available to all forum users: data subjects’ emai
Related Enforcement Actions (0)
No other enforcement actions found for Shanghai Moonton Technology Co. Ltd. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
19 January 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€72,000
GDPRhub ID
gdprhub-7861About this data
Cite as: Cookie Fines. Shanghai Moonton Technology Co. Ltd. - Spain (2024). Retrieved from cookiefines.eu
Last updated: