Italy: DPA fines Facebook 1m EUR
The Italian DPA fined Facebook 1 million Euro on account of breaches committed within the framework of the ‘Cambridge Analytica’ case.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9121506
Denmark DPA: Decision on Lowell Danmark A/S – opportunistic TLS encryption of email based on risk assessment
https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jul/klage-over-manglende-kryptering/
The Data Inspectorate has in this regard emphasized that Lowell Danmark A / S stated that a risk assessment has been carried out, in which the concrete procedure is deemed to be appropriate assurance that opportunistic TLS was used when transmitting the relevant emails 1.2 encryption based on AES256, that X’s e-mail client supported this encryption form and that the 2 e-mails sent were encrypted on the transport layer.
The Data Inspectorate notes that the supervision in general – when processing e-mail with sensitive and / or confidential information – encourages the data controller to set up his mail server in order to enforce TLS (Forced TLS), as a minimum in version 1.2. However, it is the opinion of the Authority – not in itself – to use an opportunistic TLS, contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such setup constitutes an appropriate safeguard.
However, it is the opinion of the Authority – not in itself – to use an opportunistic TLS, contrary to Article 32 of the Data Protection Regulation, if the data controller, based on a risk assessment, has correctly considered that such setup constitutes an appropriate safeguard.
In the specific case, the Data Inspectorate has not found evidence that could override the risk assessment made by Lowell Danmark A / S in relation to the use of encryption form. However, in the specific case, the Data Inspectorate must emphasize that a risk assessment cannot be based on what the data subject itself may have authorized, since such acceptance cannot be equated with what level of security is appropriate.
Poland DPA: Bisnode case (data scraping without notification)
Commentaries and articles
https://www.lexology.com/library/detail.aspx?g=a10fbec0-8234-41da-9ddb-9cac58c360c6
https://www.technologylawdispatch.com/2019/04/privacy-data-protection/processing-publically-available-personal-data-without-telling-data-subjects-the-polish-data-protection-authority-has-bad-news-for-you/
https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/
https://hubun.io/gdpr-enforcement-begins-eu-starts-punishing-covert-data-scraping/
ICO: What good cookie compliance looks like..
Romania DPA: Fine on Unicredit for privacy-by-design failure 130,000 EUR
The national ID number of those making payments was displayed in transaction histories of receivers
https://www.dataprotection.ro/?page=Comunicat_Amenda_Unicredit&lang=ro
Netherlands: DPA: cookie walls don’t comply with GDPR
Recording LfDI Baden-Württemberg 28.Juni 2019 (IHK)
contains the passage in which LfDIBW suggests that correct reference to other DPA’s guidance will protect from a fine – even if LfDIBW disagrees to that guidance.
Denmark: DPA: Technical specification for encryption of email
( Published by the DPA on 20-09-2018)
In July, the Data Inspectorate announced a sharper practice with regard to encryption of e-mail. On the basis of a number of inquiries, the Authority has now prepared a text that concretises the tightening technically.
https://www.datatilsynet.dk/emner/persondatasikkerhed/transmission-af-personoplysninger-via-e-mail/
Link to press release: ttps://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2018/sep/teknisk-konkretisering-ift-kryptering-af-e-mail/
Romania: DPA fines hotel 15,000 EUR for not protecting list of breakfast guests
The operator of WORLD TRADE CENTER BUCHAREST SA was sanctioned with a fine in the amount of 71.028 lei, the equivalent of 15.000 euro.
The breach of personal data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients housed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication.
The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that its employees who have access to personal data only process their application, according to the law.
https://www.dataprotection.ro/index.jsp?page=O_noua_amenda_GDPR&lang=ro