Court case 4-25-326 – Court Ruling (Estonia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Genetic testing company Asper Biogene (the controller) was the target of a cyberattack between 26 September and 10 November 2023. The attackers exfiltrated data on about 10,000 data subjects from 22 EU Member States, including genetic data. The DPA investigated the incident and found that the controller had not implemented sufficient security measures: it allowed weak passwords, protected stored passwords with weak encryption, and did not enforce multi-factor authentication. The DPA found a breach of Article 32 GDPR and imposed a fine of €80,000.

In the same investigation, the DPA found that the controller's DPO was the sole member of the Board of Directors and had formally appointed himself to the role, and that he lacked the data protection expertise the role requires. The DPA fined the controller €5,000 for violating Articles 37(5) and 38(6) GDPR.

The controller challenged the decision, and the Court annulled it. With regard to the Article 32 violation, the Court held that the controller could not be sanctioned under the procedural rules in force at the time of the violation: Article 14 of the Criminal Code (since repealed) only allowed a company to be prosecuted for a GDPR violation committed by a specific individual acting on its behalf. With regard to the appointment of the DPO, the Court confirmed the violation but found the fine disproportionate and annulled it, considering among other factors that the controller had since appointed a new DPO, that the proceedings themselves were sufficient punishment for the controller, that there was no public interest in pursuing them, and that the infringement was minor in nature.
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 4-25-326 in EE
This is the only recorded case for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Court case 4-25-326 - Estonia (2025). Retrieved from cookiefines.eu