First GDPR Fine Issued in Italy

Italy’s data protection authority (the Garante) has issued its first GDPR fine to the Rousseau platform, which operates the websites of the Italian political party 5-Star Movement (Movimento 5 Stelle).

The platform, named Rousseau, has been running websites affiliated with the Italian political party Movimento 5 Stelle in the role of data processor. In 2017 the platform suffered a data breach, after which the data protection authority required it to implement a number of security measures, including an obligation to update its privacy notice.

While the privacy notice was updated, the platform failed to implement several key GDPR security measures. It used an outdated content management system that was vulnerable to cyber attacks. The application had several authentication-related weaknesses, including unsalted password hashes and weak passwords; it lacked an audit logging practice, especially for administrative access; and its logs were not adequately protected against tampering. Other deficiencies included failure to follow best practices for e-voting systems, in particular anonymisation.

The Rousseau platform, as the processor, and not Movimento 5 Stelle, as the controller, was found in violation of Article 32 of the GDPR for the lack of appropriate technical and organisational measures and was issued a 50,000 EUR fine. This sets an interesting precedent: for the first time, a data protection authority has not held the data controller liable for the actions of its data processor.