Privacy Transformation - Issue 43

PRIVACY

COVID-19 response and data protection law in the EU and US

COVID-19 response and data protection law in the EU and US

Managing the COVID-19 outbreak and stopping its spread is now a global challenge. In addition to the significant health and medical responses underway around...

Combining privacy and innovation: ICO Sandbox six months on

Combining privacy and innovation: ICO Sandbox six months on

It’s been an exciting, interesting and challenging first six months for the ICO Sandbox – both for those externally involved in the various projects and for the ICO staff working on the scheme. Ian Hulme discusses the progress so far.

SECURITY & TECH

Adtech giant Criteo is being investigated by France’s data watchdog

Adtech giant Criteo is being investigated by France’s data watchdog

Adtech giant Criteo is under investigation by the French data protection watchdog, the CNIL, following a complaint filed by privacy rights campaign group Privacy International. “I can confirm that the CNIL has opened up an investigation into Criteo .

Irish data security company Getvisiblity raises €1.25m

Irish data security company Getvisiblity raises €1.25m

Cork-based company founded as a spin-out from Smarttech247 in 2018. The start-up has developed proprietary software that uses artificial intelligence to discover, classify and protect unstructured data typically contained in PDFs, spreadsheets and text documents.

DATA BREACH

Dutch Donor Register Data Breach

Dutch Donor Register Data Breach

The Dutch Government has reported that the destruction of the paper archive of the Donor Register has revealed that 2 external hard disks are missing. These discs contain a copy of all donor forms with registrations and changes in the Donor Register in the period 1998-2010, potentially in excess of  6.9 million records.

*Notice is in Dutch*

ENFORCEMENT

Swedish DPA imposes administrative fine on Google

Swedish DPA imposes administrative fine on Google

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the GDPR. Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

Danish DPA

€7,000 - A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers. [Notice]

€14,000 -  A computer, containing personal data that was not protected by encryption, has been stolen, including sensitive information and personal identification numbers of 20,620 city residents.

Icelandic DPA

€20,600 - The DPA noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse. [Notice]

€9,000 - In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions. [Notice]

Spanish DPA (AEPD)

€15,000 - The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees. [Notice]

€4,000 - Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization). [Notice]

Italian DPA

€4,000 - The DPA's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization. [Notice]

More GDPR enforcement information can be found on:

enforcementtracker.com

COURTS, JUDGEMENTS & OPINIONS

Court rules against Data Protection Commissioner in long-running case sparked by 'Isis' graffiti in hospice

Court rules against Data Protection Commissioner in long-running case sparked by 'Isis' graffiti in hospice

CCTV was checked to try and trace who did the graffiti. A worker was subsequently disciplined when spotted taking unauthorised breaks on the footage.

Australian privacy watchdog launches court action against Facebook over Cambridge Analytica access

Australian privacy watchdog launches court action against Facebook over Cambridge Analytica access

Social media giant Facebook is being taken to Federal Court over alleged privacy breaches that exposed the personal data of more than 300,000 Australians.

GUIDANCE

DPC - Data Protection and COVID-19

DPC - Data Protection and COVID-19

Governments, as well as public, private, and voluntary organisations are taking necessary steps to contain the spread and mitigate the effects of COVID-19, widely referred to as the ‘coronavirus’. Many of these steps will involve the processing of personal data (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special category’ personal data (such as data relating to health).

ICO: Blog - Don’t get caught out when it comes to pupil photos

We’ve issued two reprimands, which are legal warnings, recently to schools for wrongly disclosing the personal data of children.