Google was fined by the AEPD and ordered to come into compliance after Lumen Project data transfers

Google was fined by the AEPD and ordered to come into compliance after GDPR violations relating to Lumen Project data transfers.

The AEPD has issued a decision in the case against Google LLC, which states that the company has committed two very serious GDPR violations. The Spanish Data Protection Agency decided to impose a fine of 10 million euros on Google LLC, for sharing data with third parties without a legal basis to do so, and for infringing upon citizens’ right to erasure. This case concerned the transfer of requests regarding the removal of content from Google’s various products and platforms, such as Google search and YouTube, to a third party, called the ‘Lumen Project’.

 

User data was being unlawfully transferred to a third party, the Lumen Project, when customers requested that their data be erased. 

 

When users requested that their information be deleted, thereby exercising their right to erasure, they were required to fill in a form and consent to their information being shared with the third party. This process violated both Articles 6 and 17 of the GDPR. According to the AEPD's statement, this transfer of data by Google LLC to the Lumen Project was imposed on users who, when filling in its forms to exercise their right to erasure, were given no option to opt out of sharing this data. As a result, Google could not obtain valid consent for the transfer of that user data through that process. In addition, Google's privacy policy made no mention of this processing of users' personal data, nor did it list the transfer of that data to the Lumen Project among its purposes. The system through which users exercise their right to erasure was designed by Google LLC, and it led the user through several pages to complete the request. Part of this process required the user to fill in a form consenting to the transfer of their data, including their identification, email address and other information, to a third party.

 

As a result of this infringement, Google was fined and ordered to come into compliance. 

 

The AEPD explained in its decision that, once the request for removal of content has been submitted and the right has been met, meaning the deletion of personal data has been agreed upon, "there is no possibility of subsequent processing of the same, as is the communication that Google LLC makes to the Lumen Project." Google was fined €10 million for the two infringements and is also required to delete all personal data that was the subject of a right-to-erasure request and was transferred to the Lumen Project. The company is also required to urge the Lumen Project to delete, and cease using, the personal data it has received.

 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Protection of health data: new section on AEPD website

The AEPD has launched a new section on its website containing information and resources specific to the protection of health data.

 

The Spanish Agency for Data Protection (AEPD) recently published a new web space in the Areas of Interest section on its website, to facilitate consultation and disseminate information on the processing of health data. The aim of this initiative is to respond to the needs expressed by representatives of the health sector to have a compilation of legislation and other resources on the topic of health and data protection. Health data is considered special category data and therefore special provisions are to be made for the protection of this type of data in particular. 

 

This new section of the AEPD website contains information intended for various members of the community.

 

The resources provided by the AEPD in this new section of its website are intended for citizens, data controllers, data protection professionals, health institutions and the pharmaceutical industry, among others. It is made up of seven sections, which include general information on the processing of health data and how to exercise the right of access to medical records. In addition, there are answers to questions related to medical research. It also outlines the criteria set by the AEPD in response to queries raised by members of the health sector, as well as information on inspections that have been carried out. Other resources in this new section cover health research and clinical trials, as well as personal data breaches within the health sector.

 

Health officials and other concerned parties are encouraged to make use of these resources.

 

The new section of the AEPD's website was launched on May 3rd and contains several useful links. The information it contains is expected to be updated regularly with news, important legislative updates and any personal data breaches that specifically concern health data. This new web space is available on the AEPD website and can be used by anyone to stay up to date on developments regarding health data. Health officials and other concerned parties are encouraged to make use of this new and very valuable resource provided by the AEPD.


Encryption Keys and privacy: AEPD discusses how keys may be considered personal data

Encryption keys and privacy explored by the AEPD, and why some encryption keys may be considered personal data.

Encryption keys and privacy go hand in hand, and encryption keys have proven to be extremely useful in the online world. However, some of them can be considered personal data under the GDPR and must be treated as such. The AEPD has published an article discussing encryption keys and how they should be handled under the EU GDPR.

There are two types of encryption systems, one of which uses a public key, making it very suitable for internet use.

 

Encryption systems can be broken down into two main categories: symmetric and asymmetric encryption. In symmetric encryption, a single key performs both encryption and decryption. In asymmetric encryption, one key is used for encryption, and it may be public, while a separate key is used for decryption, which is private and held only by its legitimate owner. Although the two keys are mathematically linked, the private key cannot feasibly be derived from the public key. Asymmetric keys are inherently well suited to the internet precisely because one of the pair can be freely shared. This is the public key, and it is used for authentication, signature verification and the exchange of symmetric keys, among other things.

 

As an online identifier, a public key may be considered personal data under the GDPR.

 

Even where keys are treated as anonymous, it is still possible to identify a person, at least to the extent of proving that different online actions share a common origin. The public and private key can be used in this way to identify an individual. According to the GDPR, 'personal data' means any information relating to an identifiable natural person, or 'data subject'. An identifiable person, according to Article 4, is one who can be identified directly or indirectly by reference to an identifier. Such an identifier may be a name, an identification number, location data or an online identifier, or one or more factors specific to the identity of that natural person.

 

Recital 30 of the GDPR states that natural persons may be associated with online identifiers provided by their devices, applications, tools etc. and that these may leave traces which, particularly when combined with unique identifiers and other information received by servers, may be used to profile or identify natural persons. To this extent, a public key is considered a unique identifier, considering the fact that the probability of two people sharing the same string of characters as a public key is practically zero. This uniqueness is what enables public keys to be used securely within encryption systems online.

 

There is an important link between encryption keys and privacy, as public and private keys can be, and have been, used to re-identify a person.

The use of public and private keys makes it possible to profile a person and even to prove that different online actions are linked to the same individual. This is the case with authentication or with blockchains. The accuracy of this type of information is so high that it has actually been used to successfully re-identify a person, and this re-identification service is now available to law enforcement agencies. Public keys are created by third parties that identify and register the natural person to whom the public key will be assigned, and a digital certificate is issued. This process is made possible by public key infrastructures (PKI). While the owner or user of a public key holds a private key that others cannot access, which enables asymmetric encryption and cannot be deduced from the public key, the association between the two can be used to link various online actions. Whatever is encrypted with a private key can only be decrypted with the corresponding public key. As a result, the public key acts as a pseudonym and is therefore personal data, since under the GDPR (Article 4(5)) pseudonymised information is still personal data.
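As an added illustration of the two points above (the public key as the freely shared half of an asymmetric pair used for signature verification, and the public key as a stable pseudonym that links separate online actions to one key holder), the following Go program is example code written for this page, not the AEPD's or any vendor's implementation. It generates two Ed25519 key pairs, signs a few constructed "actions" with each, verifies the signatures, and then groups the verified actions by a fingerprint of the signing public key. The grouping shows why a public key meets the GDPR's notion of an online identifier: every action in a group is provably by the same key holder, even though no name appears anywhere. The action names and the fingerprint scheme (first 8 bytes of SHA-256 over the raw key) are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedAction is a constructed record of one "online action": the message,
// the signer's public key (the shareable half of the pair) and the signature.
type SignedAction struct {
	Message   string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewKeyPair generates an Ed25519 key pair. The public key may be published;
// the private key stays with its owner and cannot be derived from the public one.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signed action for msg using priv and attaches the public key
// so that anyone can verify it without access to the private key.
func Sign(priv ed25519.PrivateKey, msg string) SignedAction {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedAction{
		Message:   msg,
		PublicKey: pub,
		Signature: ed25519.Sign(priv, []byte(msg)),
	}
}

// Verify checks the signature against the attached public key.
func Verify(a SignedAction) bool {
	return ed25519.Verify(a.PublicKey, []byte(a.Message), a.Signature)
}

// Fingerprint derives a short, stable identifier from a public key
// (assumed scheme: first 8 bytes of SHA-256 over the raw key, hex-encoded).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// LinkActions groups verified actions by the fingerprint of the key that signed
// them. Each group is a set of actions provably made by the same key holder,
// which is exactly what makes the public key a pseudonymous identifier.
// Actions whose signature does not verify are dropped rather than attributed.
func LinkActions(actions []SignedAction) map[string][]string {
	linked := make(map[string][]string)
	for _, a := range actions {
		if !Verify(a) {
			continue // forged or corrupted: do not attribute it to anyone
		}
		fp := Fingerprint(a.PublicKey)
		linked[fp] = append(linked[fp], a.Message)
	}
	return linked
}

func main() {
	_, privA, _ := NewKeyPair()
	_, privB, _ := NewKeyPair()

	// Constructed sample actions: three by key holder A, one by key holder B.
	actions := []SignedAction{
		Sign(privA, "login to forum"),
		Sign(privB, "publish post"),
		Sign(privA, "post comment"),
		Sign(privA, "sign transaction"),
	}

	for fp, msgs := range LinkActions(actions) {
		fmt.Printf("key %s -> %d actions: %v\n", fp, len(msgs), msgs)
	}
}
```

Nothing in the program ever learns who A or B is, yet the grouping reliably reconstructs "everything this key holder did", which is the linkability the AEPD points to. A defender handling such keys should therefore treat a public key like any other pseudonymous identifier: minimise where it is logged, rotate keys where the protocol allows, and apply the same retention and erasure rules as for the rest of the data subject's record.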

 

Does your company have all of the mandated safeguards in place to ensure the safety of personal information collected on your website or app? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

AEPD fines EDP Comercializadora

AEPD fines EDP Comercializadora, S.A.U 1.5 million euros

AEPD fines EDP Comercializadora, S.A.U 1.5 million euros for two violations of the GDPR. 

 

EDP Comercializadora, S.A.U, an electricity service provider in Spain, has been fined for two violations of the GDPR. The company was found to lack sufficient technical and organisational measures to verify whether someone signing up for its services on behalf of another natural person is in fact authorised to do so, or authorised to process personal data on that person's behalf. The AEPD also found that in some cases the company was not providing data subjects with sufficient information about the processing of their personal data, both because of the content of the information document supplied to data subjects and because of the way that information was made available. A total of 1.5 million euros in fines was imposed on the company for these violations, in accordance with GDPR Article 83.

 

AEPD fines EDP Comercializadora, S.A.U €500,000 for a violation of article 25 of the GDPR. 

 

Article 25(2) of the GDPR requires the implementation of appropriate technical and organisational measures to protect personal data from the point of collection and throughout its use and storage. In addition, the regulation states: "In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons." EDP Comercializadora S.A.U was found to lack sufficient measures to avoid and mitigate the risks associated with processing personal data where a service is contracted by a third party. Specifically, the company lacked the technical and organisational measures needed to verify, first, whether a third party contracting its service on behalf of another natural person is authorised to do so, and second, whether that third party is authorised by the person concerned to process personal data on their behalf. In accordance with Article 83(4)(a), the supervisory authority imposed a fine of €500,000 for this infringement.

 

An additional 1 million euro fine was imposed by the AEPD. 

 

Article 13 of the GDPR sets out comprehensive and specific information that must be provided to data subjects at the point when personal data is collected from them. The data controller must provide all of this information to every data subject whose data it collects and processes. On reviewing the document that the controller, EDP Comercializadora S.A.U, provided to data subjects, the AEPD found information to be lacking regarding the identity of the controller, the legal basis for processing not based on consent, the purposes of processing relating to profiling on the basis of legitimate interest, and the possibility of objecting to processing activities that the controller bases on its legitimate interest. In addition, in some of the company's procedures, for example contracting its services by telephone, the data subject's access to the required information was neither simple nor immediate. For this, the AEPD imposed a fine of €1,000,000.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.