GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS: Insufficient technical and organisational measures to ensure information security

The Spanish DPA has imposed a fine on GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS. The controller had suffered a data breach where unknown third parties gained access to the customer data management system using credentials of a broker which allowed them to access customer data such as name, IBAN, personal identification number. The incident affected approximately 1.5 million individuals. During its investigation, the DPA found, in particular, that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. The DPA also found that the controller had failed to carry out a risk assessment, although this was deemed necessary given the significant number of customers and the fact that the controller was consequently processing personal data of those data subjects on a large scale. The original fine of EUR 5 million was reduced to EUR 4 million due to immediate payment.

GDPR Articles: Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 35 GDPR
Industry: Finance, Insurance and Consulting