Data Protection

Hospital Fined €70k for Data Breach; FAQs on Public Tender Data Published

The Italian Data Protection Authority (Garante privacy) has fined a company managing a hospital €70,000 for the unauthorized disposal of a patient's tissue sample and failure to notify a data breach. The newsletter also announced new FAQs on data processing and transparency in public tenders.

Garante Privacy Fines Verisure Italia and Aimag for GDPR Violations

The Italian Data Protection Authority (Garante Privacy) has fined Verisure Italia €400,000 for unlawful marketing practices and Aimag for inadequate security measures. Both companies are ordered to cease unlawful data processing and comply with GDPR.

GDPR Fines for Employee Monitoring and Email Privacy

The Italian DPA has issued a €120,000 fine to an agricultural seed company for unlawfully monitoring employee driving habits via company vehicles. The newsletter also covers GDPR implications for accessing a dismissed employee's email and new tools against telemarketing.

AEPD Resolves GDPR Breach: 492 Individuals' Data Published

The Spanish Data Protection Agency (AEPD) has initiated a sanctioning procedure against the Consejería de Hacienda y Administración Pública of the Junta de Extremadura for publishing the personal data (name, surname, and DNI) of 492 individuals on its website. The data was published without consent as part of a public employment selection process and has been accessible since September 2019.

Spanish DPA Resolution on Data Rights Claim

The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a data rights claim (EXP202517310). The claimant exercised their right of access, and after initial non-compliance, the respondent has now demonstrated that the right was attended to and a response was provided.

Data Protection Commission 2024 Annual Report

The Data Protection Commission (DPC) has published its 2024 Annual Report, detailing €652 million in administrative fines issued, including significant penalties against Meta and LinkedIn. The report also highlights the conclusion of numerous inquiries and breach notifications.

DPC Fines CDETB €125,000 for GDPR Data Breach

The Irish Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) €125,000 for a GDPR data breach. The inquiry found CDETB infringed multiple GDPR articles related to security measures, breach notification to the DPC, and notification to data subjects.

DPC Inquiry into TikTok Data Transfers to China

The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.

Data Protection Commission Opens Inquiry into Children's Health Ireland

The Data Protection Commission (DPC) has opened a formal inquiry into Children's Health Ireland (CHI) concerning the security of children's health records at Tallaght University Hospital. The inquiry follows protected disclosures and a breach notification, and will examine CHI's GDPR compliance regarding physical data security.

CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.