23 Aug
2019

Belgian and German data protection authorities cooperate on Mastercard’s data breach

The Belgian Data Protection Authority (DPA) as well as the Hessian authority of Germany have been notified by Mastercard company of a data breach detected on 19 August 2019 which would have affected a large number of data subjects, a significant portion of which would be German customers. Since the main establishment of Mastercard is located in Waterloo, the Belgian DPA is working closely with its Hessian counterpart and the other competent authorities to defend the interests of the persons affected by this incident.


Data breach: release of personal data from the "Priceless Specials" program


On 19 August 2019, Mastercard noticed that customer’s data from the loyalty program "Priceless Specials" had been released on the internet for a certain period of time.

The data breach revealed information such as names, payment card numbers, email addresses, home addresses, phone numbers, gender and dates of birth.

Since the company has its main establishment in Waterloo, it has notified the Belgian Data Protection Authority of the data breach, but it also notified the Hessian Authority given the origin of the affected persons. Mastercard has confirmed to the Belgian DPA that they have informed those affected by the incident. They have also published a FAQ on their website : https://www.mastercard.de/de-de/faq-pricelessspecials.html.

David Stevens, Chairman of the Belgian Data Protection Authority: "We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities."

Cross-border cooperation mechanism : the one-stop-shop principle

The GDPR, effective since 25 May 2018, provides for a cooperation mechanism called one-stop-shop between supervisory authorities. This mechanism can be activated when the processing of personal data has an impact on citizens from various countries of the EU, or when a controller is established in more than one Member State. 

The one-stop-shop stipulates that only one authority will be the main interlocutor for a controller established in the EU, while allowing the concerned supervisory authorities to participate in its decision-making process.