Privacy Lawyer on Recent Data Protection Developments
GDPR Enforcement Action That Did Not Involve a Data Breach
Portugal’s Data Protection Authority, the Comissão Nacional de Protecção de Dados (CNPD), recently fined a hospital for alleged confidentiality, technical and security-related violations of the GDPR. The fines total hundreds of thousands of euros, even though each of the violations is punishable with a fine of up to 20 million euros or 4% of global annual turnover.
This is widely reported as the first monetary penalty imposed by a European privacy regulator since the GDPR became effective in May 2018. Notably, there was no data breach, and the CNPD acted upon a newspaper article rather than a complaint. The privacy regulator found that there were no documented procedures for data access, that an unreasonable number of hospital staff had access to patient data and that, often, such access was greater than necessary.
Other findings include the absence of documentation defining the rules for creating users of the hospital's information system, the retention of profiles for doctors who no longer provide services to the hospital, and inactive user accounts that were never disabled.
The enforcement action illustrates the GDPR’s mandate of data protection “by design and by default.” Appropriate technical and organizational measures designed to implement the data-protection principles and to protect the rights of data subjects must be in place. Controllers and compliance officers must safeguard the personal data they collect and implement proper data handling policies (including access controls and account lifecycle management) from the start, not only after a breach.
GDPR enforcement will almost certainly gain momentum in 2019.
ICO Releases Guidance on The Definition of Personal Data Under the GDPR
The U.K. Information Commissioner's Office has released guidance to help organizations better understand the definition of personal data under the GDPR and when the obligation to comply with the GDPR's provisions applies. The guidance is also intended to help individuals exercise their rights with regard to their personal data. It further addresses whether companies can identify data subjects with the information they possess, and what happens when different companies process the same data for different purposes.
French Data Protection Authority Chimes in on Sharing Data
France’s data protection authority has provided every indication of its intent to aggressively enforce data privacy laws. In fact, it recently issued warnings to French ad tech companies.
The French Data Protection Authority recently provided guidance on how organizations can share personal data with third parties in a manner that complies with the GDPR. Prior informed consent, disclosure of the identities of the third parties with whom information will be shared, and proper notification of updates to the list of such third parties are all required. Additionally, those that process personal data to send first-party marketing communications are required to inform individuals about where the data originated and, among other things, how they can opt out of having their data used for direct marketing purposes. Interestingly, individuals who opt out may do so either by contacting the data recipient or the entity that originally collected the data. The latter is then required to pass the suppression request on to every party to which it transferred the data.
Users must have a clear and conspicuous method to consent to each and every party that touches their data.