Datainspektionen på Åland

Datainspektionen på Åland (the Åland Data Inspection Authority) is responsible for data protection in the public administration of Åland. The Swedish Data Protection Authority (Datainspektionen) changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten (the Swedish Authority for Privacy Protection). See imy.se for details.

European Data Protection Board

EDPB adopts Guidelines on examples regarding data breach notification

The EDPB adopted guidelines on examples regarding data breach notification. These guidelines complement the WP 29 guidance on data breach notification by introducing more practice-oriented guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities (SAs), such as ransomware attacks; data exfiltration attacks; and lost or stolen devices and paper documents. Per case category, the guidelines present the most typical good or bad practices, advice on how risks should be identified and assessed, highlight the factors that should be given particular consideration, and indicate in which cases the controller should notify the SA and/or notify the data subjects. The guidelines will be submitted for public consultation for a period of six weeks.

The guidelines and more information about the public consultation are available here

EDPB & EDPS adopt joint opinions on new sets of SCCs

The EDPB and EDPS have adopted joint opinions on two sets of contractual clauses (SCCs). One opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries.

The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.

Andrea Jelinek, Chair of the EDPB, said: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

Several amendments were requested in order to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors. These include the interplay between the two documents, the so-called "docking clause" which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity - any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.

Wojciech Wiewiórowski, EDPS, said: “We are convinced these SCCs can facilitate the compliance of controllers and processors with their obligations, both under the GDPR and under the legal framework of EU institutions and bodies (EUIs). Moreover, we hope these SCCs will ensure further harmonisation and legal certainty for individuals and their personal data. It is in this context that we aim to make these documents as future-proof as possible.”

The draft SCCs for the transfer of personal data to third countries pursuant to Art. 46 (2) (c) GDPR will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the CJEU ‘Schrems II’ Judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.

Wojciech Wiewiórowski, EDPS, said: “Given our practical experience, we have made these comments to improve these SCCs with a view to fully ensure that personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place. We believe these suggestions and amendments are crucial in order to achieve these aims in practice.”

In general, the EDPB and the EDPS are of the opinion that the draft SCCs present a reinforced level of protection for data subjects. In particular, the EDPB and the EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II judgment. Nevertheless, the EDPB and EDPS are of the view that several provisions could be improved or clarified, such as the scope of the SCCs; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding access to public data by public authorities; and the notification to the SA.

EDPB Chair Andrea Jelinek added: "The conditions under which SCCs can be used must be clear for organisations and data subjects should be provided with effective rights and remedies. In addition, the SCCs should include a clear distribution of roles and of the liability regime between the parties. As regards the need, in certain cases, for ad-hoc supplementary measures in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the new SCCs will have to be used along with the EDPB Recommendations on supplementary measures.”

The EDPB and the EDPS invite the Commission to refer to the final version of the EDPB Recommendations on supplementary measures, should the final version of the recommendations be adopted before the Commission’s SCC decision. This document was submitted for public consultation until 21 December 2020 and is still subject to possible further modifications on the basis of the results of the public consultation.

The agenda of the EDPB's 44th plenary session is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Polish DPA & Virgin Mobile Polska: Incidental safeguards review is not regular testing of technical measures

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 1.9 million (EUR 460,000) on Virgin Mobile Polska for the lack of implemented appropriate technical and organisational measures to ensure the security of the processed data.

UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. In addition, the vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.

In connection with a data breach, as a result of which an unauthorised person obtained customers' data from one of the databases, the Supervisory Authority carried out an inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings, which concluded with the imposition of a fine.
In the course of the proceedings, the UODO disagreed with the controller which claimed to have tested and monitored the technical and organisational measures taken to ensure the security of personal data. The Supervisory Authority considered that these activities were neither regular nor comprehensive, as they were carried out incidentally and did not cover all the systems in which the data was processed.

In the course of the proceeding, it turned out that data exchange between applications in the IT system was to take place after verification of certain parameters from registration applications of prepaid services’ customers. The aim was for the programme to check whether the request for the transfer of the data had been received from the authorised entity. In practice, this verification did not work, and before its implementation the mechanism was not tested. However, vulnerability in this process (consisting in failure to verify the relevant parameters) was used by an unauthorised person to obtain the data. It was only after this incident that appropriate activities were undertaken regarding the repair of this functionality in the company’s IT system.

The Supervisory Authority considered that the implementation of a data processing system for use without proper validation of assumed parameters was a flagrant breach by the controller.
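The failure described above is a data-exchange step that was supposed to verify request parameters before releasing customer records, was never tested, and in practice verified nothing. As an added example (not code from the UODO decision or from the company, with constructed records, a hypothetical `registration-app` caller and a constructed shared secret), the block below puts the untested "as deployed" handler beside a hardened one and runs the same regression checks against both, which is the kind of regular, comprehensive test the authority found missing:

```python
"""Added example, not code from the UODO decision or from the company: a handler
that releases a customer record to another application only after verifying the
caller parameters, beside the untested 'as deployed' version, and the regression
checks a regular test cycle would run against whichever handler is live."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed sample records held by the data-serving application (hypothetical).
CUSTOMERS: Dict[str, dict] = {
    "sub-1001": {"name": "Customer One", "id_number": "<constructed>"},
    "sub-1002": {"name": "Customer Two", "id_number": "<constructed>"},
}

# Hypothetical shared secrets, one per application allowed to request records.
AUTHORISED_CALLERS: Dict[str, bytes] = {"registration-app": b"constructed-shared-secret"}


def sign_request(caller: str, subscriber_id: str, secret: bytes) -> str:
    """HMAC over the caller id and the record requested, so a signature issued
    for one record cannot be reused to fetch a different one."""
    message = f"{caller}|{subscriber_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def handle_request_as_deployed(request: dict) -> Optional[dict]:
    """The defect the decision describes: the parameters travel with the request
    but are never checked, so any caller obtains any record."""
    return CUSTOMERS.get(request["subscriber_id"])


def handle_request(request: dict) -> Optional[dict]:
    """Hardened handler: reject unknown callers and bad or mismatched signatures
    before touching the data."""
    caller = request.get("caller", "")
    secret = AUTHORISED_CALLERS.get(caller)
    if secret is None:
        raise PermissionError("caller not authorised")
    expected = sign_request(caller, request.get("subscriber_id", ""), secret)
    if not hmac.compare_digest(expected, request.get("signature", "")):
        raise PermissionError("signature mismatch")
    return CUSTOMERS.get(request["subscriber_id"])


def _rejects(handler: Callable[[dict], Optional[dict]], request: dict) -> bool:
    try:
        handler(request)
    except PermissionError:
        return True
    return False


def verification_checks(handler: Callable[[dict], Optional[dict]]) -> Dict[str, bool]:
    """Regression checks for the authorisation step. Returns check name -> passed;
    meant to run on every release and on a schedule, not only on suspicion."""
    secret = AUTHORISED_CALLERS["registration-app"]
    good = {
        "caller": "registration-app",
        "subscriber_id": "sub-1001",
        "signature": sign_request("registration-app", "sub-1001", secret),
    }
    unknown_caller = dict(good, caller="other-app")
    bad_signature = dict(good, signature="0" * 64)
    # A valid signature for sub-1001 presented with a different record id.
    swapped_record = dict(good, subscriber_id="sub-1002")
    return {
        "authorised_request_served": handler(good) == CUSTOMERS["sub-1001"],
        "unknown_caller_rejected": _rejects(handler, unknown_caller),
        "bad_signature_rejected": _rejects(handler, bad_signature),
        "swapped_record_rejected": _rejects(handler, swapped_record),
    }


if __name__ == "__main__":
    for name, fn in (("as deployed", handle_request_as_deployed), ("hardened", handle_request)):
        results = verification_checks(fn)
        failed = [k for k, v in results.items() if not v]
        print(f"{name}: {'all checks passed' if not failed else 'FAILED ' + ', '.join(failed)}")
```

Run against the deployed handler, three of the four checks fail, which is exactly the signal a regular test cycle would have produced before go-live; the hardened handler passes all four. The checks are written against the handler's contract rather than its internals, so they keep working when the verification mechanism is reimplemented.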

In imposing a fine, the UODO took into account that the breach committed by the operator was serious, as it posed a high risk of adverse legal effects for a large number of persons (e.g. the risk of identity theft). It should be remembered that although unauthorised persons had only short-term access to the systems, this was sufficient to collect large amounts of data. Moreover, the breach itself was long-term, as the vulnerability allowing data leakage had existed for a long time.
The Office also took into account mitigating circumstances, such as the good cooperation of the controller, the quick removal of the breach after its detection, but also the implementation of additional solutions to further improve the security of the data processed.

However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine.

The fine is intended to prevent the company from committing similar negligence in the future.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Polish DPA & ID Finance Poland: Checking potential system vulnerabilities cannot be delayed

The inability to quickly identify the threat and remove it led to a loss of data at the company ID Finance Poland. The President of the Personal Data Protection Office (UODO) therefore found that the company had not implemented appropriate technical and organizational measures, which resulted in a breach of the principle of confidentiality of personal data, and imposed an administrative fine on the company in the amount of over PLN 1 million (EUR 250,000).

The punished company (owner of the lending platform MoneyMan.pl) did not respond adequately to the signal about gaps in its security. It did not check quickly enough the information that its clients' data was available on one of its servers. The notification was not treated seriously, so a few days after the company received the signal, an unauthorized person copied the data and then deleted it from the server. The person demanded a ransom for returning the stolen information. Only then did the company start analysing the security features on its servers, notifying the data breach to the supervisory authority at the same time.
In the proceedings, the UODO established that the breach took place following the failure to restore the appropriate security configuration after one of the servers operated by the processor (hosting company) was restarted. The controller was notified about this by one of its cybersecurity specialists, who detected the vulnerability and indicated sample, publicly available information. Instead of diligently checking the notification received and monitoring whether the processor duly dealt with the case by checking the security, the controller doubted whether this was an attempt to extort other data from it, as it indicated in its correspondence with the processor. As a result, the identified vulnerabilities in the system were not checked immediately, and a few days later the data was stolen from this server.

This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on his server was unsecured. In the opinion of the Personal Data Protection Office, the controller should maintain the ability to quickly and effectively identify any breaches in order to be able to take appropriate action. Moreover, the controller should be able to quickly investigate the incident in terms of whether there has been a data breach and take appropriate remedial action.

The supervisory authority also found that the processor's lack of a sufficiently quick response to the notification of a system vulnerability does not exclude the controller's responsibility for the data breach. The controller must be able to detect, address and notify a data breach - this is a critical element of technical and organizational measures.

In the opinion of the UODO, the company, despite promptly providing the processor with information about a potential vulnerability in the server's security, did not take sufficient action. The proceedings showed that the controller briefly analysed the signal received, did not take it seriously and did not oblige the processor to deal with the case properly. 
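Two controls follow directly from the findings above: a server that has been restarted should be checked against its approved security baseline before it serves data, and a vulnerability report must not sit unverified for days. The block below is an added example, not tooling from the controller or its hosting processor; the baseline keys, the "after restart" configuration and the report queue are constructed for illustration:

```python
"""Added example, not tooling from the controller or its hosting processor: a
post-restart check that compares a server's running security settings with an
approved baseline, and a helper that lists vulnerability reports left
unverified past an internal deadline."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Hypothetical approved baseline for a server holding customer data.
BASELINE: Dict[str, Any] = {
    "bind_address": "127.0.0.1",     # must not listen on every interface
    "auth_required": True,
    "tls_enabled": True,
    "allowed_networks": ["10.0.0.0/8"],
}

# Settings whose loss exposes data directly; any drift here blocks the service.
CRITICAL_KEYS = {"bind_address", "auth_required", "tls_enabled"}


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: Any
    actual: Any      # None when the setting is absent from the running config
    critical: bool


def find_deviations(running: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> List[Deviation]:
    """One Deviation per baseline key whose running value differs, treating a
    missing key as unset rather than silently skipping it."""
    return [
        Deviation(key, expected, running.get(key), key in CRITICAL_KEYS)
        for key, expected in baseline.items()
        if running.get(key) != expected
    ]


def post_restart_check(running: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> Tuple[bool, List[str]]:
    """Return (ok, report). ok is False when any critical setting drifted; the
    intended use is a start-up hook that refuses to serve traffic until ok."""
    devs = find_deviations(running, baseline)
    report = [
        f"{'CRITICAL' if d.critical else 'warning'}: {d.key} expected {d.expected!r}, found {d.actual!r}"
        for d in devs
    ]
    return not any(d.critical for d in devs), report


def overdue_reports(reports: List[Dict[str, Any]], now: datetime,
                    deadline: timedelta = timedelta(hours=24)) -> List[str]:
    """Ids of vulnerability reports still unverified for longer than the deadline."""
    return [
        r["id"] for r in reports
        if r["verified_at"] is None and now - r["received_at"] > deadline
    ]


# Constructed sample: the configuration the service came back with after a
# restart that did not re-apply the persistent settings.
AFTER_RESTART: Dict[str, Any] = {
    "bind_address": "0.0.0.0",
    "tls_enabled": True,
    "allowed_networks": ["10.0.0.0/8"],
}

# Constructed sample report queue: R-1 was verified the same day, R-2 never was.
REPORTS: List[Dict[str, Any]] = [
    {"id": "R-1", "received_at": datetime(2020, 1, 1, 9, 0), "verified_at": datetime(2020, 1, 1, 15, 0)},
    {"id": "R-2", "received_at": datetime(2020, 1, 1, 9, 0), "verified_at": None},
]
# Constructed point in time at which the queue is reviewed: three days later.
REVIEW_TIME = datetime(2020, 1, 4, 9, 0)

if __name__ == "__main__":
    ok, report = post_restart_check(AFTER_RESTART)
    print("\n".join(report))
    print("baseline restored" if ok else "baseline NOT restored: do not serve traffic")
    print("overdue reports:", overdue_reports(REPORTS, REVIEW_TIME))
```

The baseline check deliberately treats a missing key as a deviation rather than as "default", because a setting that was not re-applied after a restart is exactly the case that shows up as absent. The report-ageing helper is the minimum needed to make "checked quickly enough" measurable: it gives an incident process a concrete queue to act on instead of relying on someone remembering an e-mail.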

When imposing a fine for the loss of confidentiality of personal data due to a series of negligent acts by the controller, the UODO took into account the scale of the breach and the scope of the stolen data. In addition, because unencrypted passwords had also leaked, it is possible to use these data to log in to other accounts of the customers, if they used the same login (e.g. e-mail) and password on other websites. In establishing the amount of the fine, the authority also took into account the controller's delay in taking preventive measures.

The amount of the fine should fulfil both a repressive and a preventive function. In the opinion of the authority, it should prevent similar breaches in the future, both in the penalized company and at other controllers.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Polish DPA & WARTA: Failure to notify a personal data breach without undue delay as a reason for imposing a fine

Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. (WARTA S.A. Insurance and Reinsurance Company) infringed the provisions of the General Data Protection Regulation, because it did not notify a personal data breach to the President of the Personal Data Protection Office. The supervisory authority therefore imposed a fine on the company in the amount of PLN 85 588 (EUR 20,000).

In May 2020, the Personal Data Protection Office (UODO) received information from a third party about a personal data breach which consisted of an insurance agent, acting as a processor for the WARTA S.A. Insurance and Reinsurance Company, sending an insurance policy by e-mail to an unauthorised addressee.

The attached document contained personal data in the scope of, among others, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of insurance (passenger car). Important in this case is the fact that the supervisory authority has been informed of the personal data breach by an unauthorised addressee who has taken possession of documents not intended for him or her, and the confidentiality of the persons concerned has been breached. 

Therefore, the supervisory authority requested the Company to clarify whether, in connection with sending of electronic correspondence to an unauthorised recipient, an analysis was carried out in terms of the risk to the rights and freedoms of natural persons necessary to assess whether there was a data protection breach resulting in the need to notify the UODO and the persons affected by the breach. In the letter, the supervisory authority indicated to the company how it could notify the breach and called for explanations. 

The Company confirmed that there had been an incident related to a personal data breach and that an assessment had been conducted in terms of the risk to the rights and freedoms of natural persons. It was on the basis of that assessment that the fined company found that the breach did not require notification to the UODO. The company considered that the breach was caused by sending the insurance policy document to the wrong e-mail address indicated by the customer himself or herself. In addition, the unauthorised recipient addressed the company with a request, and the company asked for the permanent deletion of the message, requesting feedback confirming its deletion.

Despite the letter from UODO requesting clarification, the company still did not notify a personal data breach and did not communicate the incident to the persons affected by the breach. The supervisory authority has therefore initiated administrative proceedings. It was only as a result of the initiation of the proceedings that the company notified a personal data breach and informed two persons affected by the breach.

Such action by the company resulted in a long duration of the breach, which must be regarded as an aggravating circumstance. All the more so, since five months have elapsed from being informed of the personal data breach to the notification of the personal data breach to the supervisory authority.

In the course of the proceedings, the UODO considered that the fact that the breach occurred as a result of a mistake of a customer who provided the wrong e-mail address cannot cause the lack of qualification of the event as a personal data breach. When allowing the possibility to use e-mail for communication with the customer, the controller should be aware of the risks associated with, for example, incorrect e-mail address provided by the customer. Therefore, in order to minimise these risks, the controller should take appropriate organisational and technical measures, such as verification of the address provided or encrypting the documents sent in this way.

Also, the fact of requesting the wrong recipient to permanently delete the correspondence received cannot determine that the risk to the rights and freedoms of the data subjects is not high. The controller cannot be sure whether the unauthorised addressee has made, for example, a copy of the documents or recorded them.

When imposing an administrative fine, the President of the UODO also took into account mitigating circumstances, such as the fact that the breach concerned the personal data of two persons and that the company asked the wrong recipient to permanently delete the correspondence received. However, it is worth mentioning that a request for deletion of data is not tantamount to guaranteeing that the data is actually erased by an unauthorised person and does not preclude possible negative consequences of their use.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

EDPB adopted documents - 42nd & 43rd plenary

300,000 SEK fine against housing company

The Swedish Data Protection Authority has issued an administrative fine of SEK 300,000 against a housing company for unlawful video surveillance in an apartment building.

The Swedish Data Protection Authority (DPA) received a complaint concerning video surveillance in an apartment building belonging to the housing company Uppsalahem. The complainant claimed that there was a surveillance camera in the apartment house directed towards the complainant's front door.

The DPA's audit shows that the housing company had set up a surveillance camera monitoring the floor where the complainant lives. The camera's monitoring area clearly covered two apartment doors, one of which belongs to the complainant and the other to a resident who has been subject to disturbances and harassment.

The housing company states that the purpose of the video surveillance was to resolve disturbances that had occurred in the stairwell over time.

"The way the video surveillance was set up, on the ground floor of the property, left all residents of the house subject to monitoring on their way to and from their respective home. This is especially true for the complainant and the closest neighbour, since their front doors are so clearly included in the monitoring area of the video surveillance. Even if the company had a legitimate interest for video surveillance, it was outweighed by the residents' right to privacy," says Gustav Linder, legal advisor at the Swedish Data Protection Authority's video surveillance team.

In its decision, the Swedish Data Protection Authority concludes that the video surveillance in question, monitoring individuals in their home environment, is particularly privacy sensitive. For that reason, the DPA imposes a fine of SEK 300,000 on the housing company.

The housing company has ceased the video surveillance in question.

To read the original press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

European Data Protection Board – 43rd plenary session

Brussels, 16 December – The European Data Protection Board met for its 43rd plenary session on 15 December. A wide range of topics was discussed during the meeting.

The European Data Protection Board adopted its Strategy for 2021–2023. The strategy sets out the Board's strategic objectives, grouped around four pillars, together with three key actions per pillar intended to help achieve the objectives. The four pillars:
•   Advancing harmonisation and facilitating compliance.
•   Supporting effective enforcement and efficient cooperation between national supervisory authorities.
•   A fundamental rights approach to new technologies.
•   The global dimension.

The strategy will be implemented through, among other things, a work programme that will contain further details of the European Data Protection Board's actions. The work programme is to be adopted in spring 2021.
As part of its Strategy for 2021–2023, the Board has decided to establish a support pool of experts as a pilot project. The aim is to support the members with expertise that may be needed for investigations and enforcement, and to promote cooperation and solidarity among the members by sharing, strengthening and complementing specialist knowledge and addressing the needs of day-to-day operations.

The Board issued a statement on the end of the Brexit transition period describing the consequences that the end of the transition period has for controllers and processors. The Board particularly emphasised the issue of transfers of data to a country outside the EU and the consequences for the area of supervision and the one-stop-shop mechanism. The Brexit transition period, during which the UK supervisory authority still took part in the European Data Protection Board's administrative cooperation, expired at the end of 2020. The Board also adopted an information note on data transfers under the GDPR after the transition period.

The Board adopted guidelines on restrictions of data subjects' rights under Article 23 of the GDPR. The guidelines aim to recall the conditions for applying such restrictions in light of the EU Charter of Fundamental Rights and the GDPR. They contain a thorough analysis of the criteria that apply for restrictions to be permitted, the assessments that must be made, how data subjects can exercise their rights after the restrictions have been lifted, and the consequences if Article 23 of the GDPR is infringed. The Board recalls that every restriction must respect the essence of the right being restricted, and that restrictions so extensive and intrusive that a fundamental right loses its meaning cannot be justified. The guidelines also analyse how legislative measures introducing restrictions must meet the foreseeability requirement, and give a more detailed description of the grounds for restrictions listed in Article 23(1) of the GDPR and of the rights and obligations that may be restricted. A more detailed explanation is also given of how the necessity and proportionality of restrictions are assessed under Article 23(1) of the GDPR. An eight-week public consultation will be held on these guidelines.

Following public consultation, the Board adopted a final version of the guidelines on the interplay between the Second Payment Services Directive (PSD2) and the GDPR. Those guidelines aim to provide further guidance on the data protection aspects of PSD2, in particular on the relationship between the relevant provisions of the GDPR and PSD2. A section on fraud prevention was introduced to take account of comments received during the public consultation.

The Board also adopted a final version of the guidelines on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between public authorities and bodies within and outside the EEA. These articles cover transfers of personal data from authorities or bodies within the EEA to public bodies in third countries in the absence of an adequacy decision. The wording and the legal reasoning were adjusted to take account of comments and feedback received during the public consultation, and necessary changes were introduced in light of the Schrems II case.

The Board further adopted a statement on the protection of personal data processed in connection with measures to prevent the use of the financial system for money laundering or terrorist financing. The Board considers it essential that anti-money-laundering measures be compatible with the rights to privacy and data protection under Articles 7 and 8 of the EU Charter of Fundamental Rights, with the principles of the necessity of such measures in a democratic society and their proportionality, and with the case law of the Court of Justice of the EU. The European Commission is therefore asked to involve the Board at an early stage when new anti-money-laundering legislation is drafted, and the Board declares its readiness to contribute to the discussions in the Council and the European Parliament and to be consulted in good time by European or international regulatory bodies.

Finally, the Board adopted an opinion under Article 64 on the draft decision on the controller binding corporate rules of Equinix, submitted to the Board by the Dutch supervisory authority. The Board wishes to recall that Article 29 Working Party working documents 256 and 257* are being revised and that organisations with binding corporate rules will need to amend them in line with those revisions.

Note to editors:
Please note that all documents adopted during the European Data Protection Board's plenary sessions are subject to the necessary legal, linguistic and formatting checks and will be published on the Board's website once these checks have been completed.

* Article 29 Working Party working documents 256 and 257 are available here:
WP256: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109
WP257: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110

EDPB_Press Release_2020_20

First EDPB Art. 65 Decision

The EDPB adopted its first binding decision on the basis of Art. 65 GDPR on November 9th. This decision concerns a draft decision by the Irish SA on Twitter International Company.

Following publication of the Irish SA's final decision, the EDPB's binding decision has been published here

The final decision taken by the Irish SA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism

Further information on the Art. 65 GDPR procedure is available here

European Data Protection Board - 43rd Plenary session

Brussels, 16 December - On December 15th, the EDPB met for its 43rd plenary session. During the plenary, a wide range of topics was discussed.

The EDPB adopted its Strategy 2021-2023, which sets out the Board’s strategic objectives, grouped around four pillars, as well as three key actions per pillar to help achieve these objectives. The four main pillars of the EDPB Strategy are:
•    advancing harmonisation and facilitating compliance;
•    supporting effective enforcement and efficient cooperation between national supervisory authorities;
•    a fundamental rights approach to new technologies and;
•    the global dimension.

The Strategy will also be implemented through a Work Programme, which will further detail the EDPB’s actions. This Work Programme will be adopted in early 2021.
As part of its 2021-2023 Strategy, the EDPB decided to establish a Support Pool of Experts (SPE) on the basis of a pilot project. The goal is to provide material support to EDPB Members in the form of expertise that is useful for investigations and enforcement activities and to enhance cooperation and solidarity between EDPB Members by sharing, reinforcing and complementing strengths and addressing operational needs.

The EDPB issued a statement on the end of the Brexit transition period in which it describes the main implications of the end of this period for data controllers and processors. In particular, the EDPB underlined the issue of data transfers to a third country as well as the consequences in the area of regulatory oversight and the One-Stop-Shop (OSS) mechanism. The Brexit transition period, during which the UK Supervisory Authority is still involved in the EDPB’s administrative cooperation, expires at the end of 2020. Additionally, the EDPB adopted an information note on data transfers under the GDPR after the Brexit transition period ends.

The EDPB adopted Guidelines on restrictions of data subject rights under Article 23 GDPR. The guidelines aim to recall the conditions surrounding the use of such restrictions in light of the Charter of Fundamental Rights and the GDPR. They provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR. The EDPB recalls that any restriction needs to respect the essence of the right that is being restricted and that restrictions that are extensive and intrusive to the extent that they void the fundamental right to the protection of personal data of its basic content cannot be justified. Additionally, the guidelines analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Article 23(1) GDPR and the obligations and rights which may be restricted. An explanation of the "necessity and proportionality" test that restrictions need to pass based on Article 23(1) GDPR is also provided. The guidelines will be submitted for public consultation for a period of 8 weeks.

Following public consultation, the EDPB adopted a final version of the Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR. The guidelines aim to provide further guidance on the data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions in the GDPR and the PSD2. To address comments received during the public consultation, among others, a section on fraud prevention was included.

Also following public consultation, the EDPB adopted a final version of the Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies. These articles address transfers of personal data from EEA public authorities or bodies to public bodies in third countries, where these transfers are not covered by an adequacy decision. The final version of the guidelines integrates updated wording and legal reasoning in order to address comments and feedback received during the public consultation, as well as necessary changes following the Schrems II ruling.

The EDPB also adopted a statement on the protection of personal data processed in relation with the prevention of the use of the financial system for the purposes of money laundering and terrorist financing. The EDPB considers it a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the CJEU. Therefore, the EDPB calls on the European Commission to be involved in the drafting process of any new anti-money laundering legislation from the early stages and states its readiness to contribute to discussions within the Council and the European Parliament, as well as to be consulted in a timely manner by any European or international regulatory body.

Finally, the EDPB adopted an Art. 64 opinion on the draft decision regarding Equinix’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Dutch SA. The EDPB would like to recall that the Article 29 WP 256/257 referentials* are currently being revised and that BCR holders will be required to modify their BCRs and incorporate any additional commitments that may need to be included in the BCRs in accordance with such updated referentials.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

*The Article 29 WP 256/257 referentials are available here:
WP256: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109
WP257: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110

Irish Data Protection Commission announces decision in Twitter inquiry

The Data Protection Commission (DPC) has today announced a conclusion to a GDPR investigation it conducted into Twitter International Company. The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure.

The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 (“dispute resolution”) process since the introduction of the GDPR and was the first Draft Decision in a “big tech” case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities.

The European Data Protection Board has published the Article 65 decision and the final decision on its website (see below).

---
Note for Editors:
Article 33(1) GDPR:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Article 33(5) GDPR:
“The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

University failed to sufficiently protect sensitive personal data

Umeå University has processed special categories of personal data concerning sexual life and health, among other things by storing them in a cloud service, without sufficiently protecting the data. The Swedish Data Protection Authority is therefore issuing a fine of SEK 550,000 against the university.

The Swedish Data Protection Authority has now completed an audit of Umeå University, concluding that the University has violated the General Data Protection Regulation by processing special categories of personal data without applying appropriate technical and organisational measures to protect the data.

A research group at the University had requested from the police preliminary investigation reports concerning cases of male rape and, upon receiving such reports, proceeded to scan and store them digitally. The reports contained information on, among other things, suspicion of crime, name, personal identity number and contact details, as well as sensitive data about sexual life and health.

The Swedish Data Protection Authority’s investigation shows that the research group stored over a hundred scanned preliminary investigation reports in an American cloud service, despite the University having informed via its intranet that special categories of data should not be stored in the cloud service in question.

— The cloud service and the way the university uses it do not provide sufficient protection for this type of personal data, says Linda Hamidi, who led the Swedish Data Protection Authority’s audit.

When the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference, a practice that the research group later repeated despite the fact that the police had pointed out the inappropriateness of sending sensitive material in unencrypted e-mails.

— These events show that the University has not taken necessary measures to ensure a level of security appropriate in relation to the risk.

The Swedish Data Protection Authority also criticises the University for failing to report the incident as a personal data breach. Since 25 May 2018, organisations are obliged to report personal data breaches to the Swedish Data Protection Authority.

— The controller is obliged to notify the DPA of data breaches and furthermore to present to us what has been done to mitigate the effects of the incident and to prevent similar incidents from happening in the future.

The overall assessment of concluded infringements led to the Swedish Data Protection Authority issuing an administrative fine of SEK 550,000 against the University.

To read the original press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Coordinated Supervision Committee appoints new coordinator

During its third plenary meeting, the Coordinated Supervision Committee (CSC) elected Clara Guerra from the Portuguese supervisory authority (SA) as its new coordinator for a term of two years. Ms. Guerra succeeds former coordinator Giuseppe Busia following his departure from the Italian SA for a new position as President of the Italian Anticorruption Authority. Iris Gnedler from the German Federal SA will stay on as deputy coordinator for another year.

Editor's note:

The Coordinated Supervision Committee was established in December 2019 and its primary role is to ensure the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. The Committee was created within the framework of the European Data Protection Board (EDPB) and brings together the EU supervisory authorities (SAs) and the European Data Protection Supervisor (EDPS), as well as the supervisory authorities of the Non-EU Schengen Member States, when foreseen under EU law.

The Committee will cover IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (SIS, EES, ETIAS and VIS), Police and Justice Cooperation (SIS, EPPO, Eurojust, ECRIS-TCN) and the Internal Market (IMI). The Committee currently covers IMI, Eurojust and the EPPO. Supervision of the remaining systems, bodies, offices and agencies will be gradually moved to the Committee over the following years. You can find more information on the Committee in the press release available here: https://edpb.europa.eu/news/news/2019/more-effective-supervision-large-eu-information-systems_en

The Estonian Data Protection Inspectorate obliged e-pharmacies to immediately terminate access to another person’s prescription information

On 30 November, the Estonian Data Protection Inspectorate issued a precept, granted in a warning, with a one-day compliance deadline and a penalty of 100,000 euros to three pharmacy chains that allowed viewing in the e-pharmacy environment the current prescriptions of another person without their consent on the basis of access to their personal identification code.

‘We considered it necessary to urgently suspend the display of valid prescriptions to third persons in e-pharmacy environments on the basis of personal identification codes, as there is no legal basis for such display,’ said Maris Juha, Supervisory Director.

It must be possible to buy prescription medicine for other people, but the solution must ensure that the pharmacist is sure that the prescription information is accessed with the consent of the prescription holder. The Estonian Data Protection Inspectorate cannot approve the violation of data protection requirements in the e-pharmacy environments of the three pharmacy chains.

When the lawyer of the Data Protection Inspectorate checked the e-pharmacy environments, they were able to gain quick access to the prescription information of other persons, using the chat window. First, they had to choose in the chat window whether they requested their own prescription information or the prescription information of someone else, and if they entered the personal identification code of another person, the corresponding information became available. Only one of the three pharmacy chains had a solution which required prior confirmation of whether the person has the right to view the above information. However, another person’s justification is not equivalent to the voluntary consent of the prescription holder, because the e-pharmacy cannot check whether and for what purpose consent has been given and whether it has been given voluntarily.

The Estonian Data Protection Inspectorate initiated an own-initiative procedure pursuant to clause 56 (3) 8) of the Personal Data Protection Act. On 30 November, the e-pharmacies of Apotheka, Südameapteek, and Azeta.ee received the precept, granted in a warning, due by 1 December.

Deficiencies in how healthcare providers control staff access to patient journal data

The Swedish Data Protection Authority has audited eight health care providers on how they govern and restrict personnel’s access to the main systems for electronic health records. The DPA has discovered deficiencies that in seven of the eight cases led to administrative fines of up to SEK 30 million.

The Swedish Data Protection Authority has now concluded a review of eight health care providers. What has been examined primarily is whether the health care providers have conducted the needs' and risk analysis required in order to assign an adequate access authorisation for personal data in the electronic health records.

— Health care providers must carry out a thorough analysis and assessment of the personnel's need to access information in the health records and the risks that accessing patient data includes, according to the Swedish Patient Data Act that is complementary to the GDPR. Without such analysis, health care providers cannot assign the personnel a correct level of authorisation, which in turn means that the organisations cannot guarantee patients' right to privacy protection, says Magnus Bergström, coordinator of the eight audits.

The Swedish Data Protection Authority notes that seven of the health care providers have not carried out a needs' and risk analysis, while one care provider has carried out an analysis that, however, includes some shortcomings.

The authority concludes that seven of the health care providers do not limit the users' access authorisation to the respective patient journal system to what is strictly necessary for the performance of their tasks.

— This means that the seven health care providers have not taken appropriate measures to ensure and be able to demonstrate a sufficient level of security for the personal data in the electronic health record systems.

The deficiencies of seven healthcare providers are so serious that they result in administrative fines of between SEK 2.5 and 30 million. The calculation of the amount of the fine differs significantly depending on whether it is a private company or a public authority. For companies, the maximum fine is EUR 20 million or four percent of the company's global annual turnover, whichever is higher. For authorities in Sweden, the maximum fine is SEK 10 million.

The Swedish Data Protection Authority has developed guidelines that summarise the conclusions from the audits with regard to the obligation to conduct needs' and risk analyses.

— This guidance points to the importance of health care providers ensuring that needs' and risk analyses are carried out. The aim is to help care providers in conducting such analyses, which need to be carried out before any access authorisation is assigned in a health record system. Our hope is now that all the healthcare providers in the country use this guidance in their work to ensure that authorisation is correctly done, in order to guarantee patients the privacy protection they are entitled to, says Magnus Bergström.

To read the original press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

EDPB adopted documents - 39th & 40th plenary

Reprimand for disclosure of the list of quarantined persons

The President of the Personal Data Protection Office, after having conducted ex officio proceedings relating to breach of personal data protection of persons subject to medical quarantine by making available to unauthorised recipients a list containing the addresses of persons in medical quarantine, imposed a penalty of a reprimand on the waste management company and ordered the company to communicate the breach to the data subjects.

Let us recall that the Personal Data Protection Office (UODO) received a letter from the State Poviat Sanitary Inspector in Gniezno (hereinafter referred to as ‘PPIS in Gniezno’) with information on the public disclosure of a list containing the addresses of persons who are in quarantine under the administrative decision of PPIS in Gniezno and the mandatory quarantine in connection with the crossing of the country’s border, as well as the address details of persons in home isolation in connection with diagnosed SARS-CoV-2 infection.

For more information (in Polish) please visit: https://uodo.gov.pl/pl/138/1499

UODO has undertaken activities to clarify the situation. The Office called on the controller to clarify whether, in determining the procedures related to the processing of personal data concerning the addresses of quarantined persons due to the threat of coronavirus, it carried out an analysis of the method of distribution of the above-mentioned data in electronic and paper versions, in terms of the risks associated with the loss of their confidentiality, and to inform about the outcome of this analysis.

The Company stated in the submitted explanations, inter alia, that it carried out the analysis taking into account the circumstances connected with the failure of the processors of the abovementioned lists to comply with procedures in force in the Company and the circumstances related to the stealing or taking away of data. In addition, the controller expressed the view that the lists received included only administrative (police) addresses and did not include names, surnames and other identifiable data.

Having examined all the material collected in this case, the Office stated that information concerning the name of the locality, the street name, the building/apartment number and the fact that a person has been placed in medical quarantine constitutes personal data within the meaning of the GDPR, and that the fact that persons are in quarantine constitutes a special category of personal data concerning health. On the basis of the above personal data, it is possible to identify the data subjects and therefore the controller is subject to the obligations resulting from the GDPR. UODO also took into account that the confidentiality of the data processed had been breached during the performance of the employee duties of the person responsible for supervising the printed list, which was left on a desk without proper supervision. At that time another employee recorded the list in the form of a photograph and shared it with another person.

In the UODO’s view, the safeguards indicated in the risk analysis are formulated in general terms and do not relate to specific events related to the activities undertaken by authorised employees. The provisions in the risk analysis, which largely relate only to the signing of the relevant statements and documents by employees, are insufficient and inadequate to the risks associated with the processing of the special categories of data, namely the addresses of the quarantined persons.

Furthermore, in the risk analysis, the controller should take into account both the special character of the data processed and the human factor, i.e. recklessness, negligence or lack of due diligence, which is one of the sources of risk in the processing of personal data.

The supervisory authority also noted that a one-off and cursory analysis also meant that the controller did not take action aimed, inter alia, at regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.

Article 33(1) of the GDPR sets forth that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The company was obliged to report the breach to the President of the UODO, however it failed to do so.

Furthermore, in a situation of high risk to the rights or freedoms of natural persons resulting from a personal data breach, the controller is obliged to communicate the breach to the data subject without undue delay. The controller shall inform persons individually of breaches of their data, unless it would involve disproportionate effort. In such a case, the controller shall issue a public communication or implement a similar measure to inform the data subjects equally effectively.

Disclosure to unauthorised recipients of personal data concerning residence addresses and health data has undoubtedly resulted in a high risk to the rights or freedoms of persons in medical quarantine. Nevertheless, the Company did not communicate personal data breaches to the data subjects.

In connection with such findings, the President of the UODO, stating a breach of the provisions of the General Data Protection Regulation, issued a reprimand to the company and ordered it to communicate the personal data breach to the data subjects.

The fact that the Company took disciplinary action against the employees who contributed to the breach, and the fact that, despite the difficult epidemiological situation, the controller has committed to provide training on personal data protection for its employees, were considered attenuating circumstances in the final decision, but did not affect its content.

To read the original press release in Polish, click here

To read the full decision in Polish, click here

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl

Belgian DPA fine for unlawful processing of video images

The Belgian DPA imposed a fine of 1,500 EUR for unlawful processing of personal data made via a video surveillance system. The positioning of the cameras of this video system also constituted an infringement of the data protection by design principle, the DPA concluded.  

The facts
Two complainants had filed a complaint with the Belgian DPA with regard to the video surveillance system of their two neighbours, as well as the further use of the images made by the system. The complainants demanded that the video surveillance system be taken down.
The two defendants had installed a video surveillance system with five surveillance cameras (filming 24/7) on their private property. Two cameras that were mentioned in the complaint were positioned in such a way that they filmed the public road or the private property of the complainants and had filmed at least one of the complainants while driving on the public road or entering their own private property.
The images were used by the defendants in a dispute procedure between the defendants and the complainants regarding environmental planning.
In the same dispute procedure, a photograph with the image of one of the complainants was used. The complainants thought this was a still image originally made by the video surveillance system, but the photograph turned out to have been made by one of the defendants with a smartphone.

Role of national law concerning video surveillance cameras
A law of 21 March 2007 regulates the positioning and use of video surveillance cameras. Although the Belgian DPA is competent to take the provisions of this law into account, and did so in its decision to clarify certain points, the primacy of the GDPR as EU law meant that the decision primarily analysed potential breaches of the GDPR.

Decision of the Litigation Chamber
The litigation chamber of the Belgian DPA upheld that:

-    the images with personal data made by two of the five surveillance cameras were not processed in a lawful way under article 6.1.f. GDPR, as there were legitimate interests for the defendants to protect their own private property, but the filming of large parts of the public road, as well as the filming of the private property of the complainants, was not deemed necessary to safeguard those legitimate interests. Moreover, the Belgian DPA found the interests of the defendants to process personal data through the two surveillance cameras to be overridden by the interests, fundamental rights and freedoms of the complainants;
-    the transfer of images made by the two surveillance cameras containing personal data in the context of the dispute procedure, constituted a breach of article 6.1. GDPR, as the images were unlawfully made in the first place, thus constituting unlawful processing impacting the further processing;
-    the making of a photograph of one of the complainants by one of the defendants, and the further processing thereof, was lawful under article 6.1. GDPR, as the processing was necessary for the defendants to safeguard a legitimate interest, and the latter interest was not overridden by the interests, fundamental rights and freedoms of the data subject;
-    as the two surveillance cameras were wrongfully positioned, resulting in the unlawful processing of images containing personal data, the defendants infringed article 25.1. GDPR.

The Litigation Chamber of the BE DPA therefore imposed a fine of 1,500 EUR for the infringements of article 6 GDPR. In addition, the Litigation Chamber issued a reprimand to the defendants for not respecting article 25.1. GDPR while placing their video surveillance system.

To read the original press release in French, click here. For Dutch, click here

To read the full decision (currently only available in Dutch), click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

GDPR fine for unlawful video surveillance in an LSS housing

The Swedish Data Protection Authority issues an administrative fine of SEK 200,000 against Gnosjö Municipality for unlawful video surveillance in an LSS housing.

The Swedish Data Protection Authority received a complaint from a relative of a resident of a residential care home for persons with certain functional impairments (so-called LSS housing) in Gnosjö municipality, claiming that the resident was being monitored illegally. The Authority initiated an audit of the LSS housing and can conclude that the resident in question indeed was monitored in their bedroom in violation of the General Data Protection Regulation, GDPR, and the Swedish Video Surveillance Act.

"The resident has been monitored in the most private sphere of the home, which led to a severe and unjustifiable interference with the resident's right to privacy," says Jeanette Bladh Gustafson, lawyer at the Swedish Data Protection Authority's unit for video surveillance.

The Social Welfare Committee in Gnosjö, which is responsible for the LSS housing, has stated that the resident's disease profile has created major difficulties both for the resident himself and for the staff, and that situations have arisen where there has been a risk to the life and health of the resident. There have also been situations where the staff has suffered injuries.

The Swedish Data Protection Authority shares the assessment of the Social Committee that there has been a need to take measures to manage and improve the situation.

— However, it should be possible for the LSS housing to achieve the same purposes as those for which the video surveillance was carried out with less privacy-intrusive means.

The Swedish Data Protection Authority concludes in its decision that there is no legal basis for the video surveillance, that an impact assessment has not been carried out before initiating the video surveillance and that the controller has failed to clearly inform about the video surveillance. For those reasons, the Swedish Data Protection Authority issues an administrative fine of SEK 200,000 against the Social Welfare Committee.

To read the original press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Norwegian DPA imposes administrative fine on Østfold HF Hospital

The Norwegian Data Protection Authority has imposed an administrative fine of NOK 750,000 on Østfold HF Hospital. The background is that in the period 2013-2019, the hospital stored report extracts from patient records outside the secure zone. The case began with a personal data breach notification from the hospital.

"The folders where the extracts were stored were not access controlled, and the activity in the folders was not logged. The report extracts have also been stored long after the lists were no longer needed. That such extensive storage of unshielded health information could take place over a long period of time, we believe indicates shortcomings in the internal management system," says senior legal adviser Susanne Lie.

About the breach

The report extracts were lists of patients ready for discharge (RfD lists) and included special categories of personal data (sensitive patient information). The breach involves three different lists:

  1. An updated RfD list that includes approx. 25-30 patients. This list is updated every 15 minutes.
  2. A historical RfD list from 2013 until 2019, with 13,800 patients and 26,596 discharges.
  3. Two lists with national identification number and reason for admission, with approx. 30 patients.

The personal information in the lists includes demographic information such as name, date of birth, municipality, department affiliation and any information about facilitation when transferring a patient to a municipality. Two of the lists contained national identification number and reason for admission.

There was no access control in the area/folders where the report extracts were stored or temporarily stored, and it was not logged whether employees had accessed the information. The personal information was available to 118 employees at Østfold HF Hospital, most of whom had no official and justifiable need for such access.

Assessment

The Norwegian Data Protection Authority considers that Østfold HF Hospital has not established a system for access control that is sufficient to prevent similar breaches from occurring in the future, with particular reference to the routines for access control and storage of personal data. The management system must include follow-up to verify that the routines are followed, which also means ensuring that only secure systems are used in the processing of sensitive personal data.

For further information, please contact the Norwegian DPA: international@datatilsynet.no
