BELGIUM DPA: Insufficient technical and organisational measures to ensure information security

The Belgian DPA fined a mobile operator EUR 25,000. The controller had assigned the data subject's phone number to an unauthorized third party, causing the data subject to lose access to his/her phone number. As the SIM card of the data subject had been deactivated, that would have allowed the third party to access various personal data of the data subject in the period between September 16 and September 19, 2019, such as call history and accounts of various services (e.g. Paypal, WhatsApp and Facebook) associated with the number.

GDPR Articles: Art. 5 (1) f), (2) GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 33 (1), (5) GDPR, Art. 34 (1) GDPR
Industry: Media, Telecoms and Broadcasting