Germany, Federal DPA: 9.550.000 EUR fine on 1&1 Telecom Gmbh

The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise alone by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 GDPR , according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.

After BfDI had raised the concerns, 1 & 1 Telecom GmbH was transparent and very cooperative. In a first step, the authentication process was first secured by requesting additional information. In a further step, 1 & 1 Telecom GmbH is currently introducing a new authentication procedure which has been significantly improved in terms of technology and data protection, in consultation with the BfDI .

Despite these measures, the imposition of a fine was necessary. Among other things, the infringement was limited only to a small proportion of customers, but presented a risk to the entire customer base. In determining the amount of the fine remained BfDI due to the cooperative throughout the process behavior by 1 & 1 Telecom GmbH in the lower Range of possible penalty.

https://www.bfdi.bund.de/SiteGlobals/Modules/Buehne/DE/Startseite/Pressemitteilung_Link/HP_Text_Pressemitteilung.html

Netherlands, DPA: Cloud storage of patient data reviewed by Dutch DPA — and found GDPR compliant

The Dutch Data Protection Authority (AP) sees no reason to initiate a more detailed investigation into possible violations of the GDPR by MRDM when storing medical data on a cloud platform. This concerns personal data originating from Dutch hospitals. Public questions have been asked about how the organization works. The privacy regulator has obtained information on this from MRDM. – MDRM is a third party IT Services provider processing patient data for Dutch hospitals.

MRDM in turn uses a sub-processor (apparently Google) for the storage of that personal data. This sub-processor is a cloud platform that is located outside the EU. The storage of data is done via the cloud. The ‘exploratory investigation’ of the AP related to that last step: the processing of patient data in the cloud.

As part of an explorative inquiry the DPA lookes at the storage, by MRDM’s sub-processor, of patient data in the cloud.
Apparently, the following have been reviewed

  • the standard operating procedures,
  • the sub-processing agreements and
  • technical and organizational security measures.

The personal data is stored in the Netherlands, the contracts with the cloud platform ensure that there is no international transfer of personal data to third countries outside the EEA. In addition, MRDM has informed the AP about how the data is protected.

The decision of the Dutch DPA not to investigate further might be seen as a sign that n that GDPR compliance can be achieved in respect of cloud-based processing of patient data.

DPA press release:
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-stelt-geen-onderzoek-naar-opslag-medische-gegevens-cloud

Blog post by BakerMcKenzie:
https://www.bakermckenzie.com/en/insight/publications/2019/11/draft-eprivacy-regulation-rejected

Media article:
https://www.agconnect.nl/artikel/medische-data-google-cloud-krijgt-geen-avg-onderzoek

Austrian DPA issues order against Swiss company (non-EU controller)

https://datenrecht.ch/datenschutzbehoerde-oesterreich-anordnung-gegen-ein-unternehmen-in-der-schweiz/

Official text:
https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=15.11.2019&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=EinerWoche&ResultPageSize=100&Suchworte=&Position=1&SkipToDocumentPage=true&ResultFunctionToken=6e210071-f568-4d14-8190-04972ac3df66&Dokumentnummer=DSBT_20190822_DSB_D130_206_0006_DSB_2019_00

Denmark DPA: Decision on Lowell Danmark A/S – opportunistic TLS encryption of email based on risk assessment

https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jul/klage-over-manglende-kryptering/

The Data Inspectorate has in this regard emphasized that Lowell Danmark A / S stated that a risk assessment has been carried out, in which the concrete procedure is deemed to be appropriate assurance that opportunistic TLS was used when transmitting the relevant emails 1.2 encryption based on AES256, that X’s e-mail client supported this encryption form and that the 2 e-mails sent were encrypted on the transport layer.

The Data Inspectorate notes that the supervision in general – when processing e-mail with sensitive and / or confidential information – encourages the data controller to set up his mail server in order to enforce TLS (Forced TLS), as a minimum in version 1.2. However, it is the opinion of the Authority – not in itself – to use an opportunistic TLS, contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such setup constitutes an appropriate safeguard.

However, it is the opinion of the Authority – not in itself – to use an opportunistic TLS, contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such setup constitutes an appropriate safeguard.

In the specific case, the Data Inspectorate has not found evidence that could override the risk assessment made by Lowell Danmark A / S in relation to the use of encryption form. However, in the specific case, the Data Inspectorate must emphasize that a risk assessment cannot be based on what the data subject itself may have authorized, since such acceptance cannot be equated with what level of security is appropriate.

Poland DPA: Bisnode case (data scraping without notification)

Commentaries and articles
https://www.lexology.com/library/detail.aspx?g=a10fbec0-8234-41da-9ddb-9cac58c360c6

https://www.technologylawdispatch.com/2019/04/privacy-data-protection/processing-publically-available-personal-data-without-telling-data-subjects-the-polish-data-protection-authority-has-bad-news-for-you/

https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/

https://hubun.io/gdpr-enforcement-begins-eu-starts-punishing-covert-data-scraping/