Sweden: DPA fines Umeå University (~53,000 EUR)

Very interesting case involving sensitive personal data that

  • was shared via unencrypted email (which was pointed out to the university, but was not reported as an incident)
  • stored on box.com, protected only by username/password, despite the fact that the University’s risk assessment didn’t support this – and in violation to internal published policies

(I hope I read the documents correctly..)

Press release:


France: CNIL fines Google (100 mio EUR) and Amazon (35 mio EUR) over cookies, trackers and privacy notices

On 7.12.2020 the CNIL fined total o 135 million Euro – Google LLC (60 Mio.), Google Ireland (40 Mio.) and Amazon (35 Mio.)

Press release in English:

Article by TwoBirds on EDPB Guidelines on targeting social media users (draft)


includes summary of criteria proposed by EDPB in context of “Data manifestly made public by the data subject”.
Also distinction by EDPB between explicit and inferred/combined special categories of personal data.
Assumptions or inferences regarding special category data would also constitute special category data

SWeden: DPA audited eight healtcare providers, fines seven (up to 3 mio EUR)

The Data Inspectorate has now completed an inspection of eight care providers. What has above all been examined is whether the care providers have carried out the needs and risk analysis required to be able to give the staff the right access to personal data in the main medical record systems.

– Caregivers must make a careful analysis and assessment of what staff’s needs are for information in the medical record systems and what risks there are if staff have access to patient data. Without such an analysis, care providers cannot assign the staff the right qualifications, which in turn means that the operations cannot guarantee patients the privacy protection they are entitled to, says Magnus Bergström, who is the coordinator for the eight reviews.

The Data Inspectorate states that seven of the care providers have not carried out a needs and risk analysis, while one care provider has carried out an analysis which, however, has certain shortcomings.

The authority also states that seven of the care providers do not limit the users’ permissions for access to the respective medical record system to what is only needed for the user to be able to fulfill his or her duties.

This means that the seven care providers have not taken sufficient measures to be able to ensure and demonstrate an appropriate security for the personal data in the medical record systems.

https://www.datainspektionen.se/nyheter/brister-i-hur-vardgivare-styr-personalens-atkomst-till-journaluppgifter/ with links to details of the specific cases