Data Privacy

GDPR Fines and Guidance on AI, Healthcare, and Public Transparency

The Italian Data Protection Authority (Garante privacy) issued a newsletter detailing several enforcement actions and guidance. Fines were issued to a bank (€100,000) and a municipality for transparency violations, and a hospital (€80,000) for improper access to patient health records. Global data protection authorities also affirmed that data protection fully applies to AI.

Hospital Fined €70k for Data Breach; FAQs on Public Tender Data Published

The Italian Data Protection Authority (Garante privacy) has fined a company managing a hospital €70,000 for the unauthorized disposal of a patient's tissue sample and failure to notify a data breach. The newsletter also announced new FAQs on data processing and transparency in public tenders.

Garante Privacy Fines Verisure Italia and Aimag for GDPR Violations

The Italian Data Protection Authority (Garante Privacy) has fined Verisure Italia €400,000 for unlawful marketing practices and Aimag for inadequate security measures. Both companies are ordered to cease unlawful data processing and comply with GDPR.

GDPR Fines for Employee Monitoring and Email Privacy

The Italian DPA has issued a €120,000 fine to an agricultural seed company for unlawfully monitoring employee driving habits via company vehicles. The newsletter also covers GDPR implications for accessing a dismissed employee's email and new tools against telemarketing.

IMY Fines Trygg-Hansa SEK 35 Million for Data Exposure

The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 35 million against Trygg-Hansa. This action follows a data exposure incident where information for 650,000 customers was accessible to unauthorized persons via the internet for over two years.

Administrative Fine for Data Collection Without Security

The Swedish Privacy Protection Authority (IMY) has issued an administrative fine of SEK 100,000 against the Equality Ombudsman (DO) for insufficient security measures during personal data collection via a web form. The incident led to the inadvertent disclosure of approximately 500 tips and complaints.

GDPR Breach Fines for SL Group Companies

The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.

Apoteket and Apohem Fined for GDPR Violations

The Swedish Authority for Privacy Protection (IMY) has fined Apoteket AB SEK 37 million and Apohem AB SEK 8 million for GDPR violations. The companies improperly transferred sensitive personal data to Meta via the Meta Pixel tool, failing to implement adequate protective measures.

Sportadmin Fined SEK 6 Million for GDPR Data Leak

The Swedish Authority for Privacy Protection (IMY) has imposed an administrative fine of SEK 6 million on Sportadmin following a data leak that exposed personal data of over 2.1 million individuals. The authority found that Sportadmin did not maintain an appropriate level of security to protect the data, violating GDPR Article 32.

AEPD Resolves GDPR Breach: 492 Individuals' Data Published

The Spanish Data Protection Agency (AEPD) has initiated a sanctioning procedure against the Consejería de Hacienda y Administración Pública of the Junta de Extremadura for publishing the personal data (name, surname, and DNI) of 492 individuals on its website. The data was published without consent as part of a public employment selection process and has been accessible since September 2019.