Case Studies Cross-border Complaints


Handling an Irish data subject’s complaint against German-based Cardmarket using the GDPR One Stop Shop mechanism

The Data Protection Commission (DPC) received a complaint from an Irish individual against Cardmarket, a German e-commerce and trading platform. The individual received an email from Cardmarket, notifying them that it had been hacked and that some of its users’ personal information may have been leaked. The individual alerted the DPC and submitted a complaint in relation to the breach.

Under the One Stop Shop (OSS) mechanism created by the General Data Protection Regulation (GDPR), the location of a company’s main European establishment dictates which European authority will act as the lead supervisory authority in relation to any complaints received. Once the lead supervisory authority (LSA) is established, the authority that received the complaint acts as a concerned supervisory authority (CSA). The CSA is the intermediary between the LSA and the individual. Among other things, the reason for this separation is so that supervisory authorities can communicate with individual complainants in their native language. In this case, the Berlin Data Protection Authority (DPA) acted as the LSA, as the company had its main establishment in the Berlin territorial area. The DPC acted as a CSA, communicating with the Berlin DPA and transmitting updates in relation to the investigation (once they were translated from German to English) to the individual complainant in Ireland.

The Berlin DPA concluded its investigation into the breach and the individual’s complaint. It uploaded two draft decisions, one in relation to the overall breach which impacted many other users of the platform throughout Europe, and another in relation to the specific complaint which had been lodged by the Irish individual with the DPC and communicated to the Berlin DPA.

An important aspect of the OSS mechanism is that a CSA may comment on a draft decision issued by a lead supervisory authority. This is to ensure that European supervisory authorities are applying the GDPR consistently, i.e., that a final decision reached by the Berlin DPA would have the same conclusion as a decision of the DPC if the company had been located in Ireland and the DPC had investigated the complaint as the lead supervisory authority. The DPC was satisfied with the Berlin DPA’s draft decisions and did not consider it necessary to raise any points of clarification or requests for amendment on this occasion.

The draft decision in relation to the overall breach described a number of measures taken by the platform to address the breach and mitigate its adverse effects. The measures included taking its servers off the network and deleting all the data on them, as well as resetting all user passwords and ensuring new passwords were protected with up-to-date password-hashing methods. The draft decision considered that a repetition of the incident was unlikely, and that the mass disclosure of passwords had been rendered practically impossible in light of the measures taken.

The DPC informed the individual of the outcome of the Berlin DPA’s investigation, providing them with a copy of the overall decision investigating the breach and the decision dealing with their specific complaint.

Key Takeaway

  • This case illustrates the challenging handoffs and handovers involved in the OSS mechanism established by the GDPR. It demonstrates the depth of cooperation between European supervisory authorities required for the consistent application of the GDPR in Europe.