Switzerland – revised FADP/DSG .. links (Rosenthal/Vasella)

David Rosenthal in Jusletter: “Das neue Datenschutzgesetz”

Webinars with David Rosenthal: Revision Datenschutzgesetz: Zehn Schritte zur Umsetzung der neuen gesetzlichen Anforderungen für Unternehmen

Das revidierte Datenschutzgesetz – Empfehlungen zur Umsetzung
Deutsch – https://www.walderwyss.com/user_assets/publications/201118_Newsletter-146_D.pdf
English – https://www.walderwyss.com/user_assets/publications/201118_Newsletter-146_E.pdf

ENISA: “Cloud Security for Healthcare Services” and “Procurement Guidelines for Cybersecurity in Hospitals”

Brand-new ENISA Report on Cloud Security for Healthcare Services

incl. threat catalog, security measures, names good practices
– “Medical Devices” as one of three examples.

Incl. GDPR requirements etc – nicely embedded in the discussion.

Also links to the ENISA “Procurement Guidelines for Cybersecurity in Hospitals” from last year

Procurement Guidelines for Cybersecurity in Hospitals

Cloud Security for Healthcare Services

Germany: Niedersachen/Lower Saxony – Survey on Cookies and Trackers in Websites

incl. scope, approach, results, guidance and questionnaire


Guidance on consent on web sites

Germany: LG Bonn, 1&1 case (900,000 EUR fine) final

(in German) AG Bonn, 11.11.2020, 29 OWi 430 Js-OWi 366/20-1/20 LG:

900,000 EUR for weak authentication/process in a call center, which allowed the ex-wife of a customer to get the new mobile number of her ex-husband.

1. To calculate the fine, the court used the global turnover of the group of enterprises (not just the German affiliate).
2. The court did not stick to the GDPR fine catalog of the German DPAs, but rather went much lower..

A nice quote at the end. (via Google translate, with manual fixes)

It should also be taken into account that the publicly effective issue of the fine notice resulted in a damage to K’s reputation. Due to the amount of the fine initially imposed, the public got the impression that it was a matter of a serious data protection breach – also and especially with regard to fault. However, this is not the case.

After carefully weighing all the circumstances relevant to the assessment, the Chamber has determined a much lower fine than the originally proposed on, despite the high range of possible fines ,

900,000 euros

as being appropriate to the act and guilt. This is effective, proportionate and, given the many mitigating aspects, also sufficiently deterrent.

So 900,000 EUR for a non-serious breach.

Note: employee as vulnerable person

from wp248 rev.01 (adopted)
[Guidelines on Data Protection Impact Assessment (DPIA) and determining whether
processing is “likely to result in a high risk” for the purposes of Regulation 2016/679]


page 10:

“Data concerning vulnerable data subjects (recital 75): the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees , more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc.), and in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.”