Skopje, 4 August 2020 (MIA) – The Personal Data Protection Agency has conducted an extraordinary inspection of the State Election Commission (SEC) in relation to the incident on the Commission’s website on election day, July 15, 2020, the Agency said Tuesday.

“The extraordinary inspection was carried out ex officio to look into and investigate a possible breach of the safety of personal data processed by the SEC, in relation to the July 15, 2020 incident that took place after the snap parliamentary polls,” said the press release.

The Agency, it added, identified several violations by the SEC of personal data protection rules because it failed to implement adequate technical and organizational measures so as to protect the websites and the IT infrastructure for the purpose of providing a level of security appropriate to the risk.

According to the Agency, the SEC failed to test the software system for the 2020 parliamentary elections, developed by the company Duna, either before it was implemented or after changes were made, to check whether the system provides personal data security in line with the personal data protection rules.

“The SEC, when hiring Duna, broke personal data protection rules. The SEC, when using new technologies for some kind of processing (in this case Duna’s software system for the 2020 parliamentary elections), didn’t evaluate the impact of the planned operations as regards personal data protection,” said the Agency.

The SEC, it added, posts documents containing personal data on Google Drive before posting them on its websites, thus also transferring personal data. Also, the SEC uses CloudFlare services, whose main infrastructure is located outside North Macedonia. “The SEC breached the general rule for personal data transfer,” said the press release.

According to the Agency, the SEC and Duna failed to notify the Agency about the breach of personal data security. The SEC also failed to document these breaches and lacked an internal process to record breaches of personal data safety.

Furthermore, the SEC didn’t appoint a personal data protection officer and an IT administrator.

The Agency, said the press release, ordered the removal of the breaches and set deadlines for the SEC to fix them and to introduce personal data protection rules in its activities.