Hard drive finds in the boiler room: Municipality explains itself
We reported on data carriers stored unsecured by a municipality. The mayor now admits that he cannot rule out data leakage.
(Image: Paul Müller (name changed))
In mid-December, heise online reported on a data protection incident in the Bavarian municipality of Markt Kipfenberg. Twice within two years, municipal data carriers with presumably sensitive resident data had appeared in openly accessible basement rooms of a residential building. A resident had documented the events and reported them to us.
After we inquired with the municipality at the end of November, some things apparently started to move. On December 11, employees of the Bavarian State Commissioner for Data Protection visited the site together with the mayor. The supervisory authority had previously confirmed to us that they intended to conduct an on-site inspection.
"Stored incorrectly"
On December 17, one day after the article appeared on heise online, Christian Wagner, mayor of Markt Kipfenberg, commented on the municipality's homepage about the incidents: "Due to the town hall renovation," "boxes with data carriers were incorrectly stored in the boiler room of a municipal rental property in 2023," he explained. Even after that, it was neglected "to dispose of the data carriers, and so it happened again in the autumn of this year that the data carriers were placed in the boiler room by an employee, as work had to be carried out by a technician in the room where the data carriers were stored under lock and key."
The following sentence is somewhat misleading, but presumably means that the municipality cannot rule out data leakage to unauthorized persons: "Because the boiler room was not always locked, it cannot be guaranteed 100 percent that data has fallen into the hands of third parties. Unfortunately, the data carriers also contained personal data of the citizens of Kipfenberg."
GDPR-compliant notification?
These statements suggest that there is a "likely [...] high risk to the personal rights and freedoms of natural persons" within the meaning of Art. 34 GDPR. That would oblige the municipality to inform the affected citizens. The notice on the homepage would hardly suffice, because under Art. 34 para. 2 GDPR the municipality, as the controller, must provide "the name and contact details of the data protection officer or other contact point for further information" as well as "a description of the likely consequences of the personal data breach" (Art. 33 GDPR, para. 3b and 3c). Both are missing from the notice to the residents.
At the end of November, we had already sent some questions to the municipality regarding the incidents. Silvia Obermeier, Head of Administration of the municipality of Markt Kipfenberg, had explained to us that they would only comment once the situation had been clarified with the State Commissioner for Data Protection. On December 18, after the on-site inspection in the boiler room, we reminded her, but have received no answer to date.
(hob)