Personal data of 100,000 Belgians leaked by obtaining wrong Tax Return Proposal
100,000 Belgians have been affected by a data breach this month because, due to a glitch at the printer, they received the wrong tax return proposal (VVA).
FPS Finance hires an outside printer to print its tax return proposals.
Each proposal states a final calculation of the tax to be paid or refunded.
In 100,000 cases, this calculation ended up in the wrong envelope.
Leaked personal data
Receiving someone else's RSA is highly problematic in terms of the GDPR.
The proposals contain the following information:
- the national registry number, name, first name and income of those involved.
This data is personal data and falls under the scope of the GDPR.
Indeed, Article 4(1) GDPR defines “personal data” as follows:
“all information about an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements that are characteristic of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity;”
The fact that 100,000 Belgians received such sensitive data about other individuals is a serious personal data breach, so in this situation one can say that a data breach has occurred.
According to Article 4 of the GDPR, a data breach occurs in the following situation:
“a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, data transmitted, stored or otherwise processed.”
Given that the affected Belgians had access to the national registry number, name, first name and income of other persons, and that such data can be used to find out a great deal about a particular person, this incident clearly qualifies as unauthorized access to transmitted data and can lead to serious consequences.
Under Article 33 of the GDPR, a data breach must be reported to the national data protection authority within 72 hours of discovery.
The data subject must also be informed when the breach is likely to result in a high risk to his rights and freedoms.
Both the nature of the breach and recommendations on how to mitigate its possible negative consequences should be communicated to him.
FPS Finance reports that the data breach has since been reported to the Data Protection Authority.
Meanwhile, the affected citizens were also sent the correct RSA.
How could this have been prevented?
How the declaration forms came to be switched is not known exactly. FPS Finance has only disclosed that the attachments were switched due to a malfunction at the printer.
The question that arises here is: how could this situation have been avoided?
To answer this question, it is essential first of all to determine whether FPS Finance and/or the printer involved were aware of the possible existence of this risk at all.
Conducting a DPIA (Data Protection Impact Assessment) can help with this.
A properly conducted DPIA provides insight into the risks that a particular processing of personal data poses to data subjects.
A DPIA also outlines the measures your organization should take to cover these risks.
It is then up to your company to actually implement those measures.
For more information on how to conduct a DPIA, you can always consult an accredited DPO.