
With provision no. 237 of 24 April 2024 (web doc. no. 10025835), the Guarantor for the Protection of Personal Data (the Italian data protection authority) has reiterated a fundamental principle for anyone who manages personal data online: keeping IT systems up to date is a legal requirement, not just good IT practice.
The case concerns a company that, following a complaint about unsolicited emails, was investigated; the investigation revealed prolonged use of an outdated and vulnerable CMS, even though security updates had been available for months. Technical analysis confirmed the presence of critical vulnerabilities (CVSS base scores up to 9.8 out of 10) that could have exposed the data to unauthorized processing, unlawful access or cyber attacks.
What the Guarantor has established
The Guarantor found a breach of data protection obligations (Articles 5, 24 and 32 GDPR), noting that:
- the failure to adopt adequate technical measures,
- the continued use of out-of-date software, and
- the inability to detect unauthorized access in a timely manner
together represented a serious breach. An administrative fine of 30,000 euros was imposed, together with an obligation to report the corrective measures adopted within 30 days.
The message for all companies
This case highlights an aspect that is often underestimated: Cyber security is not only a technical responsibility, but also a legal one.
Anyone who manages websites, e-commerce platforms, newsletters or a CRM has a duty to:
- check regularly for available updates to the CMS, plugins, modules and management systems;
- apply security patches promptly;
- actively monitor traffic and anomalous access;
- document risk assessments and the measures adopted.
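A practical way to carry out the first, second and fourth of these duties is to keep a machine-readable inventory of the CMS and its extensions and check it against a list of security advisories. The script below is an added example, not code from this page or from the Guarantor's decision; the inventory, component names, installed and fixed versions, advisory identifiers, CVSS scores and assessment date are all constructed, hypothetical sample data. It shows two points a practitioner has to get right: versions must be compared numerically segment by segment (as plain strings "4.9" sorts after "4.10", which silently hides an outdated component), and findings should be ranked by CVSS score so that a 9.8 is patched first. The dated JSON it produces is the kind of record that supports the duty to document the assessment.

```python
"""Patch-status check for a CMS and its extensions.

Added example, not code from the page or the Guarantor's decision.
All inventory data, component names, versions, dates and advisory IDs
below are constructed samples.
"""
from dataclasses import dataclass
import json
import re


@dataclass(frozen=True)
class Advisory:
    component: str   # hypothetical component name
    fixed_in: str    # first version that contains the fix
    cvss: float      # CVSS v3 base score (hypothetical)
    ref: str         # advisory identifier (hypothetical)


def parse_version(v: str) -> tuple:
    """Turn '4.10.2-rc1' into a key that compares numerically per segment.

    As plain strings '4.9' > '4.10', so a string comparison would report a
    4.9 install as newer than the 4.10 fix. Missing segments count as 0
    ('4.10' == '4.10.0') and a pre-release suffix (rc, beta) sorts below
    the final release with the same number.
    """
    core, _, pre = v.strip().partition("-")
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unsupported version string: {v!r}")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), 0 if pre else 1, pre)


def is_outdated(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version carrying the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def assess(inventory: dict, advisories: list) -> list:
    """Match advisories against what is installed; highest CVSS first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is None:
            continue                      # component not deployed on this site
        if is_outdated(installed, adv.fixed_in):
            findings.append({
                "component": adv.component,
                "installed": installed,
                "fixed_in": adv.fixed_in,
                "cvss": adv.cvss,
                "severity": severity(adv.cvss),
                "ref": adv.ref,
            })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


def report(inventory: dict, advisories: list, assessed_at: str) -> dict:
    """Dated record of the assessment, suitable for keeping as evidence."""
    findings = assess(inventory, advisories)
    return {
        "assessed_at": assessed_at,
        "components_checked": len(inventory),
        "findings": findings,
        "highest_cvss": max((f["cvss"] for f in findings), default=0.0),
    }


# Constructed sample inventory: what the site runs (hypothetical names).
INVENTORY = {
    "cms-core": "4.9.1",
    "plugin-forms": "2.3.0",
    "plugin-gallery": "1.7.4",
    "plugin-seo": "5.0.0-rc1",
}

# Constructed sample advisories (hypothetical IDs, fixed versions and scores).
ADVISORIES = [
    Advisory("cms-core", "4.10.0", 9.8, "ADV-CORE-001"),
    Advisory("plugin-forms", "2.3.0", 7.5, "ADV-FORMS-002"),  # already at fixed version
    Advisory("plugin-gallery", "1.8.0", 6.1, "ADV-GAL-003"),
    Advisory("plugin-seo", "5.0.0", 8.8, "ADV-SEO-004"),      # rc1 predates the fix
    Advisory("plugin-shop", "3.2.1", 9.1, "ADV-SHOP-005"),    # not installed here
]

if __name__ == "__main__":
    # Constructed assessment date; in practice use the actual run time.
    print(json.dumps(report(INVENTORY, ADVISORIES, "2024-05-02"), indent=2))
```

Run against the sample data, the check flags the CMS core (9.8, critical), the SEO plugin still on a release candidate (8.8, high) and the gallery plugin (6.1, medium), skips the forms plugin that already sits at the fixed version, and ignores the advisory for a component that is not installed. Feeding it a real inventory means exporting the installed versions from the CMS and the advisories from the vendor's security feed; neither is done here.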
Failure to do so can result in heavy financial penalties, but above all it can compromise user trust and the company's reputation.
🔍 Want to know whether your site is up to date and secure? Let's evaluate the status of your CMS, your extensions and the security practices in use together.