Italy: Garante orders Minelli to notify data breach to data subjects
The Italian data protection authority ('Garante') issued, on 27 January 2022, its decision in case No. 21, in which it ordered Minelli S.p.A. to notify a data breach to the affected data subjects, citing Article 34(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following the notification of the data breach submitted by Minelli to the Garante.
Background to the decision
In particular, the Garante stated that Minelli had notified the data breach to the Garante. In the course of the investigation carried out, the Garante reported that it had emerged that Minelli became aware of the data breach following a report by an employee. In addition, the Garante outlined that Minelli had confirmed that the data breach consisted of the temporary loss of availability of data (including bank details, health data, and authentication credentials) contained in a number of servers and PCs owned by Minelli, and the probable loss of confidentiality of the same data, as a result of a ransomware attack. Moreover, the Garante noted that the data breach involved around 800 data subjects, including employees, consultants, customers, and suppliers.
However, the Garante highlighted that Minelli had only communicated the data breach to the employee who had initially detected the incident, ruling out the need to communicate it to all the data subjects involved. In fact, the Garante highlighted that Minelli had assessed the severity of the potential impact on the data subjects as negligible with regard to the temporary loss of availability, and low with regard to the possible loss of confidentiality, on the basis that no economic or social damage to the data subjects could have resulted from the disclosure of the personal data involved or, in any case, from their unauthorised processing.
Findings of the Garante
Further to the above, the Garante held that, in the light of an overall examination of the circumstances and of the evidence gathered, the personal data breach in question was indeed likely to result in a high risk to the rights and freedoms of natural persons, noting that this is precisely the condition under which Article 34(1) of the GDPR requires communication to the data subjects.
Consequently, the Garante, citing Article 34(2) of the GDPR, ordered Minelli to communicate the personal data breach to the data subjects without delay and, in any event, within ten days. In addition, the Garante required Minelli to provide it, within a further seven days, with adequately documented confirmation of the steps taken to comply with the order, as well as of any further measures taken to mitigate the possible negative effects of the breach on the data subjects.
In conclusion, the Garante imposed the aforementioned orders and noted that Minelli may, within 30 days, lodge an appeal before the judicial authority.
You can read the decision, only available in Italian, here.