The Lithuanian data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimization, adequate security measures and data breach reporting requirements of GDPR.

Key takeaways:

  • Data minimization:
    • Collect only the information you need. If you only need name, identification code, bank account number, currency, balance, purpose of payment/payment code,  then collect just that.
    • It is not necessary to also collect: date of unreported electronic invoicing, names and amounts of senders; part of message text for unread messages; purpose, nature and amounts of available loans; pension fund names, units and value; types of credit; outstanding balances; numbers of issued payment cards and amounts in them.
    • Do not retain data for longer than necessary. Here, the inspectorate held that holding data for 216 days was too long (especially when the retention term was supposed to be 10 minutes).
  • Data Breach:
    • Two (2) days of unauthorized access to personal data available on the Internet is considered as a personal data breach that must be reported.

Read more about the fine.