Denmark DPA: Decision on Lowell Danmark A/S – opportunistic TLS encryption of email based on risk assessment

https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jul/klage-over-manglende-kryptering/

The Data Inspectorate has in this regard emphasized that Lowell Danmark A/S stated that a risk assessment had been carried out in which the concrete procedure was deemed to provide appropriate security, that opportunistic TLS 1.2 encryption based on AES256 was used when transmitting the relevant e-mails, that X's e-mail client supported this form of encryption, and that the 2 e-mails sent were encrypted on the transport layer.

The Data Inspectorate notes that it generally encourages data controllers, when processing e-mail with sensitive and/or confidential information, to set up their mail servers to enforce TLS (Forced TLS), as a minimum in version 1.2. However, it is the opinion of the Authority that using opportunistic TLS is not in itself contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such a setup constitutes an appropriate safeguard.

In the specific case, the Data Inspectorate has not found evidence that could override the risk assessment made by Lowell Danmark A/S in relation to the form of encryption used. However, the Data Inspectorate must emphasize that a risk assessment cannot be based on what the data subject itself may have authorized, since such acceptance cannot be equated with the level of security that is appropriate.
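The decision rests on the two e-mails having actually been encrypted in transit, which under opportunistic TLS has to be verified per delivery rather than assumed. The following is an added example, not part of the decision or the DPA's guidance: it assumes a Postfix sending server with `smtp_tls_loglevel = 1` and audits constructed log lines for deliveries that went out in plaintext or below TLS 1.2.

```python
import re

# Constructed sample in Postfix smtp(8) client log style (assumption: the sender
# runs Postfix; hosts, queue IDs and addresses are made up for illustration).
SAMPLE_LOG = """\
Jul  1 10:00:01 mx postfix/smtp[2101]: Trusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  1 10:00:02 mx postfix/smtp[2101]: 4A1B2C3D4E: to=<x@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.2, status=sent (250 2.0.0 OK)
Jul  1 10:05:11 mx postfix/smtp[2107]: Untrusted TLS connection established to old.example.org[198.51.100.7]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Jul  1 10:05:12 mx postfix/smtp[2107]: 5F6A7B8C9D: to=<y@example.org>, relay=old.example.org[198.51.100.7]:25, delay=0.9, status=sent (250 OK)
Jul  1 10:09:30 mx postfix/smtp[2113]: 6E7F8A9B0C: to=<z@example.com>, relay=plain.example.com[203.0.113.5]:25, delay=0.4, status=sent (250 OK)
"""

TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+ TLS connection established to "
                    r"(\S+?): ((?:TLS|SSL)v[\d.]+) with cipher (\S+)")
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]*)>, relay=([^,]+),"
                     r".*status=sent")

def tls_version(proto):
    """Map 'TLSv1.2' to (1, 2); SSLv3 and older rank below every TLS version."""
    if not proto.startswith("TLSv"):
        return (0, 0)
    nums = proto[4:].split(".") + ["0"]
    return (int(nums[0]), int(nums[1]))

def audit(log_text, min_version=(1, 2)):
    """Return (queue_id, recipient, verdict, (protocol, cipher) or None) per delivery."""
    sessions = {}  # (smtp pid, relay) -> last TLS handshake logged by that process
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, relay, proto, cipher = m.groups()
            sessions[(pid, relay)] = (proto, cipher)
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        pid, qid, rcpt, relay = m.groups()
        # Heuristic: a delivery is tied to the handshake the same process logged
        # for the same relay; no handshake line means opportunistic fallback.
        tls = sessions.get((pid, relay))
        if tls is None:
            verdict = "plaintext"
        elif tls_version(tls[0]) < min_version:
            verdict = "below-minimum"
        else:
            verdict = "ok"
        findings.append((qid, rcpt, verdict, tls))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```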

Poland DPA: Bisnode case (data scraping without notification)

Commentaries and articles
https://www.lexology.com/library/detail.aspx?g=a10fbec0-8234-41da-9ddb-9cac58c360c6

https://www.technologylawdispatch.com/2019/04/privacy-data-protection/processing-publically-available-personal-data-without-telling-data-subjects-the-polish-data-protection-authority-has-bad-news-for-you/

https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/

https://hubun.io/gdpr-enforcement-begins-eu-starts-punishing-covert-data-scraping/

Denmark: DPA: Technical specification for encryption of email

(Published by the DPA on 20-09-2018)

In July, the Data Inspectorate announced a stricter practice with regard to encryption of e-mail. On the basis of a number of inquiries, the Authority has now prepared a text that spells out the tightening in technical terms.

https://www.datatilsynet.dk/emner/persondatasikkerhed/transmission-af-personoplysninger-via-e-mail/

July: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2018/jul/skaerpet-praksis-ift-krypteret-e-mail/

Link to press release: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2018/sep/teknisk-konkretisering-ift-kryptering-af-e-mail/

Romania: DPA fines hotel 15,000 EUR for not protecting list of breakfast guests

The operator WORLD TRADE CENTER BUCHAREST SA was sanctioned with a fine in the amount of 71.028 lei, the equivalent of 15.000 euro.

The breach of personal data security was that a printed paper list, used to check breakfast customers and containing personal data of 46 clients staying at the hotel of WORLD TRADE CENTER BUCHAREST SA, was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication.

The operator WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that its employees who have access to personal data process it only at the operator's request, according to the law.

https://www.dataprotection.ro/index.jsp?page=O_noua_amenda_GDPR&lang=ro