Uber fined by Italian DPA for lack of transparency

A major privacy violation has landed the Uber companies fines of €2 million and €120,000 respectively from the Italian DPA, Garante.

A privacy violation affecting over 1.5 million individuals has landed Uber two fines, of €2 million and €120,000, from the Italian DPA Garante, according to this report. The company Uber BV has a European office in Amsterdam, and Uber Technologies Inc (UTI) has a registered office in San Francisco. Both entities were held responsible for the privacy violation affecting over 1.5 million Italian users, including drivers and passengers. During an investigation carried out at Uber Italy following a privacy violation made public by the company’s US leadership in 2017, the Italian DPA found that Uber had committed several violations, including processing data without consent and failing to notify the Authority of a privacy violation.

 

Uber had previously been fined by two other authorities in Europe for a similar violation.

A privacy violation which occurred before the full application of the GDPR resulted in Uber being fined by both the Dutch and UK authorities on the basis of their respective national regulations. The personal information processed by Uber included personal and contact information (name, phone number and email), app access credentials, location data, and relationships with other users (sharing trips, introducing friends, profiling information).

 

The Italian DPA fined both Uber BV and Uber Technologies Inc for multiple privacy violations.

In recent times, the Italian Authority has sanctioned the Dutch company Uber BV and the US company Uber Technologies Inc as joint controllers. Both companies were found responsible for violations of Europe’s privacy law affecting Italian users. The sanctions concern inadequate information given to users (the privacy notice failed to disclose the joint controllership of the data), which according to the Authority was “formulated in a generic and approximate way”, with “unclear and incomplete information” that was “not easy to understand”.

According to the Italian DPA, the purposes of the processing were not properly specified in the information, the references to the rights of the data subjects were vague and incomplete, and it was not clear whether or not users were obliged to provide their data, nor what the consequences of refusing would be. In addition, without having valid consent, the company processed the data of approximately 1,379 passengers and went on to profile them on the basis of their so-called “fraud risk”. Finally, the company also failed to notify the Authority of the processing of data for geolocation purposes, as was required by the legislation which existed prior to the GDPR.

 

The Authority decided on two fines: one for €2 million and another for €120,000.

In deciding on the amount of the fines, the Authority considered the seriousness of the violations, the number of people affected and the economic conditions of the company. The Authority decided on two fines, of €2 million and €120,000, imposed on both Uber BV and Uber Technologies Inc.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Google was fined by the AEPD and ordered to come into compliance after Lumen Project data transfers

Google was fined by the AEPD and ordered to come into compliance after GDPR violations relating to Lumen Project data transfers.

The AEPD has issued a decision in the case against Google LLC, which states that the company has committed two very serious GDPR violations. The Spanish Data Protection Agency decided to impose a fine of 10 million euros on Google LLC for sharing data with third parties without a legal basis to do so, and for infringing upon citizens’ right to erasure. This case concerned the transfer of requests for the removal of content from Google’s various products and platforms, such as Google Search and YouTube, to a third party called the ‘Lumen Project’.

 

User data was being unlawfully transferred to a third party, the Lumen Project, when customers requested that their data be erased.

When users requested that their information be deleted, thereby exercising their right to erasure, they were required to fill out a form and consent to their information being shared with the third party. This process violated both Articles 6 and 17 of the GDPR. According to the AEPD’s statement, this transfer of data by Google LLC to the Lumen Project was imposed on users who, when filling in its forms to exercise their right to erasure, were not given the choice to opt out of sharing this data. As a result, Google cannot possibly obtain valid consent for the transfer of that user data via that process. In addition, Google’s privacy policy made no mention of the processing of users’ personal data, nor of the transfer of that data to the Lumen Project, among its purposes. The system through which users are able to exercise their right to erasure was designed by Google LLC, and it led the user through various pages to complete their request. Part of this process required the user to fill in a form consenting to the transfer of their data, including their identification, email address and other information, to a third party.

 

As a result of this infringement, Google was fined and ordered to come into compliance.

The AEPD explained in its decision that, once the request for removal of content has been submitted and the right has been met, meaning the deletion of personal data has been agreed upon, “there is no possibility of subsequent processing of the same, as is the communication that Google LLC makes to the Lumen Project”. Google was hit with a fine of €10 million for the two infractions and is also expected to delete all the personal data that has been the subject of a request for the right to erasure and was transferred to the Lumen Project. The company is also expected to urge the Lumen Project to delete, and cease the use of, the personal data that it has received.

 


Lack of security of visa applications results in a fine from the Dutch Supervisory Authority

The Dutch Supervisory Authority has fined the Ministry of Foreign Affairs €565,000 for a lack of security of visa applications.

The Ministry of Foreign Affairs has been fined by the Dutch Supervisory Authority for a lack of security of personal data processed for visa applications, according to this report from the EDPB. The Dutch Supervisory Authority found that the personal data in all these applications had not been adequately protected. The Ministry of Foreign Affairs has processed the personal data of applicants for an average of 530,000 visa applications per year over the past three years. This personal data includes sensitive information, such as applicants’ fingerprints, names, addresses, country of birth, purpose of travel, nationality and photograph. In addition, the Dutch Supervisory Authority also found that the Ministry of Foreign Affairs failed to adequately inform visa applicants that their personal data would be shared with other parties.

 

The digital systems used to process visa applications were inadequately secured, making it possible for unauthorised parties to access and alter information.

The systems used by the Ministry of Foreign Affairs to process the visa applications were found to be inadequately secured, putting applicants’ personal data at risk.

The Dutch Supervisory Authority found that the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, known as the National Visa Information System (NVIS), was inadequately secured. As a result, there was a possibility that unauthorised parties could access and change files. User rights need to be appropriately assigned to prevent access by unauthorised parties. The DPA suggests regular checks of user rights and data logging. In addition, the Ministry of Foreign Affairs failed to sufficiently inform visa applicants about the sharing of their personal data with third parties.

 

The Dutch Supervisory Authority imposed a fine of €565,000 and ordered the Ministry of Foreign Affairs to come into compliance or face further sanctions. 

 

The Dutch Supervisory Authority fined the Dutch Ministry of Foreign Affairs €565,000 for the long-term, large-scale, and serious GDPR violations associated with its visa-issuing process. In addition to imposing this fine, the Dutch Supervisory Authority also ordered the Minister of Foreign Affairs to ensure that an appropriate level of security is implemented. Failure to do this moving forward would result in a penalty of €50,000 per two week period. The ministry was also ordered to provide applicants with adequate information regarding the sharing of their data, or possibly face a penalty of €10,000 per week.


Medical data breach leads to major fine from CNIL

Earlier this month, the CNIL imposed a fine of €1.5 million after a medical data breach affecting nearly 500,000 people revealed a company’s security flaws.

 

Early last year, a major data breach affecting nearly 500,000 people was reported. The breach involved information including users’ surnames, first names, social security numbers, names of their prescribing doctors, dates of their examinations and, most critically, medical information on conditions (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data). In February 2021, the CNIL carried out several inquiries into the company DEDALUS BIOLOGY, a software company which supports medical analysis laboratories. Based on the findings, CNIL concluded that the company had breached several obligations under the GDPR, in particular the obligation to ensure the security of personal data. The CNIL decided to impose a fine of 1.5 million euros and to make this decision public. The amount of this fine was decided based on the seriousness of the violations, but also took into account the turnover of the company.

 

CNIL sanctioned the software company for violating several GDPR obligations following the medical data breach.

 

Two companies requested the services of DEDALUS BIOLOGY for a migration from one software tool to another. In this case, the company extracted a larger volume of data than was required to perform this task. The company therefore processed data beyond the instructions given by the data controllers.

This breach of the obligation for the processor to comply with the instructions of the controller is a violation of article 29 of the GDPR. CNIL also fined the company over a breach of the obligation to regulate their processing by a formalized legal act as the maintenance contracts transmitted to CNIL by DEDALUS did not contain the information provided for by article 28-3 of the GDPR which stated that data processing “…shall be governed by a contract or other legal act under Union or Member State law…”

 

During its investigation, CNIL also encountered several technical and organisational security faults within DEDALUS BIOLOGY with regard to the operations of migrating from one software tool to another. These included the lack of a specific procedure for data migration operations, the lack of encryption of personal data stored on the server concerned, and the absence of automatic deletion of data after migration to the other software. In addition, the public area of the server could be accessed from the Internet without authentication, and user accounts on the private area of the server were shared between several employees. DEDALUS also lacked a supervision procedure and security alert escalation on the server. This lack of satisfactory security measures contributed to the data breach, which compromised the medical and administrative data of nearly 500,000 people and violated Article 32 of the GDPR.
