Switzerland: FDPIC issues recommendations to Xplain, OFDF, and Fedpol following ransomware attack
On May 1, 2024, the Federal Data Protection and Information Commissioner (FDPIC) announced that it concluded its investigations into Xplain AG, the Federal Office of Police (Fedpol), and the Federal Office for Customs and Border Security (OFDF), for violations of the principles of data security, legality, and proportionality as well as purpose limitation under the Federal Act on Data Protection 2020 (FADP), following a ransomware attack.
Background to the decision
In May 2023, the FDPIC opened an investigation into Xplain because of a ransomware attack that caused sensitive data stored by Xplain to be published on the darknet. On June 20, 2023, the FDPIC extended its investigation to Fedpol and the OFDF, which used applications provided by Xplain, specifically to assess the circumstances in which the data was transferred to and stored by Xplain.
Findings of the FDPIC
The FDPIC found that neither Fedpol nor OFDF had a clear agreement with Xplain on what terms personal data could be stored on Xplain's servers as part of support services that the company provided. The FDPIC highlighted that the extent to which personal data could be transferred to Xplain and stored by Xplain should have been expressly regulated. The FDPIC also found that an unnecessarily large volume of personal data was transferred to Xplain.
The FDPIC also found that, as controller and processor, Xplain did not have appropriate technical and organizational data security measures in place and failed to implement the contractual requirements regarding data security, in violation of the principles of data security, legality, proportionality, and purpose limitation (Articles 7, 4(1), 4(2), and 4(3) of the FADP).
Outcomes
In light of the above violations, the FDPIC recommended that Xplain, among other things:
- adopt technical and organizational security measures in accordance with Article 7 of the FADP and the requirements of the federal administration, notably in relation to:
  - the processing of particularly sensitive personal data as a service provider;
  - the processing of personal data under qualified secrecy protection; and
  - the development of software in the area of internal security;
- establish an information security management system (ISMS);
- establish a risk-management system and conduct periodic evaluations;
- put in place continuous awareness-raising among employees;
- periodically carry out internal and external audits;
- provide evidence of certification of the ISMS according to an internationally recognized standard; and
- incorporate the obligations arising from the contracts with the federal administration into the company's own technical and organizational processes.
Furthermore, recommendations from the FDPIC to Fedpol and the OFDF include:
- examining whether it is necessary to transfer personal data to a service provider and evaluating the circumstances of such a transfer, taking into account data protection risks; and
- recording the data transfers in a clear contractual agreement.
You can read the decisions on Xplain here, on OFDF here, on Fedpol here, all only available in German, and the press release here.
Update: June 5, 2024
FDPIC announces end of procedure
On June 4, 2024, the FDPIC announced that it had ended the procedures relating to its investigations into Xplain AG, Fedpol, and the OFDF.
The FDPIC stated that all the organizations have accepted the recommendations issued by the FDPIC as a result of its investigation.
You can read the press release in French here, in German here, and in Italian here.