
Tag Archives for "sanctions"

Portuguese hospital receives 400,000 € fine for GDPR infringement

On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400,000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).

The CNPD carried out an investigation at the hospital which revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient: the hospital had 985 registered doctor profiles while employing only 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of their specialty. The CNPD reportedly concluded that the hospital had not put in place appropriate technical and organizational measures to protect patient data.

Source: Portuguese hospital receives and contests 400,000 € fine for GDPR infringement | Inside Privacy

Average data breach fine doubles in one year

City AM reports that the average financial penalty for data breaches issued by the UK regulator has doubled over the last year and now stands at £146,000. City law firm RPC, which made the calculations, also concludes that fines imposed by the Information Commissioner’s Office (ICO) in the twelve months to September 30th 2018 increased to near the £5m mark, an increase of 24% on the same time span in 2017.

Source: Average data breach fine doubles in one year

First GDPR fine issued by Austrian data protection regulator

The Austrian Data Protection Authority (“DSB”) has issued a fine against an entrepreneur for violations of the GDPR. The entrepreneur had installed a CCTV camera in front of his establishment that also recorded a large part of the sidewalk. The DSB found this to be in violation of the GDPR, as large-scale monitoring of public spaces is not permitted under the GDPR. Apparently the camera was also not sufficiently marked as conducting video surveillance, meaning that the applicable transparency obligations had not been fulfilled.

The amount of the fine, however, was quite moderate: EUR 4,800. According to the deputy director of the DSB, fines should be proportionate; a controller with an annual income of, for example, EUR 40,000 is unlikely to receive a EUR 20 million fine from the DSB.

Source: First GDPR fine issued by Austrian data protection regulator, Gernot Fritz

Yahoo agrees to $50M settlement package for users hit by massive security breach

One of the largest consumer internet hacks has bred one of the largest class action settlements: Yahoo has agreed to pay $50 million to victims of a security breach that is said to have affected up to 200 million U.S. consumers and some three billion email accounts worldwide.

Source: Yahoo agrees to $50M settlement package for users hit by massive security breach | TechCrunch

Facebook fined £500,000 for Cambridge Analytica scandal

Facebook has been fined £500,000 by the UK’s data protection watchdog for its role in the Cambridge Analytica data scandal. The Information Commissioner’s Office (ICO) said Facebook had let a “serious breach” of the law take place. The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.

Source: Facebook fined £500,000 for Cambridge Analytica scandal – BBC News

EDPB dealing with 162 cross border cases but no fines issued as yet

The European Data Protection Board (EDPB) now has 162 cross-border cases on its case register, all under investigation. Some 18,000 breach notifications have been received by the 25 EU DPAs which have published their statistics, and 15 One Stop Shop procedures have been started at the Board. In addition, there have been 233 procedures relating to Mutual Assistance between the DPAs.

Source: EDPB dealing with 162 cross border cases but no fines issued as yet – Privacy Laws & Business

First significant GDPR fines in the pipeline

The European Data Protection Supervisor, Giovanni Buttarelli, says that we can expect to see DPAs take enforcement action soon. He said the sanctions will be imposed in many EU countries and will hit many companies and public administrations, but declined to provide details because investigations were still ongoing.

Source: First significant GDPR fines in the pipeline – Privacy Laws & Business

German Lawyer Sanctioned Due to Incomplete GDPR Policy

An interim injunction has been issued by Würzburg Regional Court against a lawyer who displayed an unfinished Privacy Policy on her firm’s website, which also included an unencrypted and unprotected contact form. Reaction to the ruling has been mixed: the sanction for the unfinished GDPR policy was considered understandable, but the ruling regarding the unencrypted form caused more confusion, as this does not affect the transfer of information.

Source: German Lawyer Sanctioned Due to Incomplete GDPR Policy – Compliance Junction

GDPR complaints stack up across the EU as regulators prepare to issue fines

It’s almost five months since Europe’s General Data Protection Regulation (GDPR) went into effect, and EU member states have started to tally up GDPR complaints. Numbers have started rolling in from data protection authorities across Europe. As one of the first companies to be warned by a DPA, French startup Teemo might prove that regulators are more interested in keeping companies in line than in collecting fees: once Teemo brought itself into compliance, the CNIL considered the issue closed.

Full article: GDPR complaints stack up across the EU as regulators prepare to issue fines – MarTech Today
