Irish DPC fines global social media company €17m for GDPR breach

On March 15, the Irish Data Protection Commission (DPC) adopted a ruling fining a global social media company 17 million euros (about $18.6 million) after it found the company failed to prevent a series of data breaches in 2018. The DPC investigated a series of 12 data breach notifications received between June 7, 2018 and December 4, 2018, to examine the company’s compliance with GDPR data processing requirements. personal data. Following the investigation, the DPC concluded that the company had breached Articles 5(2) and 24(1) of the GDPR by failing “to have in place appropriate technical and organizational measures which would enable it to easily demonstrate the security measures it has implemented in practice protect EU user data, in the context of the twelve personal data breaches. » Section 5 sets out principles relating to the processing of personal data and requires companies to ensure that personal data of EU residents is processed “in a manner that provides appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Section 24(1) requires data controllers to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance” with the GDPR. The DPC noted that since the processing under review constituted “cross-border” processing, the “decision represents the collective views of the DPC and its counterpart supervisory authorities across the EU”.