Record EU GDPR fine appealed by Amazon

Amazon has appealed the record EU GDPR fine on the basis that there was no data breach.


In July, we reported that Amazon was facing a possible fine for alleged GDPR violations totalling €350 million. According to this Bloomberg report, Amazon is now appealing the fine, which stands at €746 million. The CNPD, Luxembourg’s privacy watchdog, hit Amazon with this record-breaking fine, claiming that its processing of user data violated the EU GDPR. The fine stems from a 2018 complaint by the French privacy rights group La Quadrature du Net.


Amazon has appealed the record EU GDPR fine, claiming that there has been no data breach.


Amazon has disagreed with the CNPD’s findings, claiming that there has been neither a data breach, nor any customer data exposed to a third party. The world’s largest online retailer has also stated that there are guidelines as to what employees are allowed to do with customer data, which is collected in order to improve the customer experience. Some lawmakers and regulators have voiced concerns that the data collected is being used to give the company an unfair advantage in the marketplace. Amazon is being scrutinized by EU authorities over its use of data from sellers on its platform as they question whether it unfairly favors its own products.


The initially proposed fine of roughly 2% of Amazon’s global sales rose to the maximum fine under the EU GDPR – 4% of the company’s annual global sales.


Under the EU GDPR, regulators can fine companies up to 4% of their annual global sales. The fine proposed at first, €350 million, was roughly 2% of Amazon’s global sales, but after other regulators in the bloc approved it, the fine now stands at €746 million. The fine relates to alleged compliance issues surrounding the company’s collection, storage and use of user data.

While Amazon stated that there has been no data breach, sources claim that their manner of storing user data violated the GDPR.


While Amazon claims that there has been no data breach, whistleblowers who previously worked with the company as information security officers say that the manner in which data is stored in Amazon’s databases makes it impossible for the company to comply with Article 17 of the GDPR. Article 17 gives data subjects the right to request that a data controller erase all of their personal data, and to have that request fulfilled without undue delay. Allegedly, data stored by Amazon is at risk because there is a lack of clarity about what data is being stored, where it is stored and who can access it, which makes it impossible to fulfil the requirements of Article 17 of the EU GDPR.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Non-transparent data checks by utility company result in a fine

Non-transparent data checks by an electric supply company have resulted in a fine from Hamburg DPA.


A recent fine from the Hamburg DPA is the direct result of an electric supply company performing non-transparent data checks. The company was offering discounted sign-up costs to first-time customers and, as part of that process, performed data checks to verify whether customers signing up were indeed new, first-time customers or had previously held accounts. These data checks were not transparent, as the company failed to inform customers that the checks were part of its process. As a result, the company was hit with a fine from the Hamburg DPA. According to this release from the EDPB, a data check, or data comparison, is not illegal in and of itself. However, because customers were not informed that these checks would be performed, the company violated the transparency obligation under the GDPR.


The electric supply company was found to have violated Articles 12 and 13 of the GDPR.


The electric supply company, Vattenfall Europe Sales GmbH, was found to have violated Articles 12 and 13 of the GDPR after the Hamburg Commissioner for Data Protection and Freedom of Information assessed its process. Around 500,000 people were affected in total. Article 13 relates to the information that must be provided to a data subject at the time data is collected, and Article 12 states how it must be provided: “The controller shall take appropriate measures to provide any information referred to in Articles 13… relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…”


The established violation and fine are not related to the processing itself, but the lack of transparency in communication with customers.


The fine, the corresponding violation and the decision issued this August by the Hamburg DPA are not related to the data comparisons themselves, as these are not, in and of themselves, explicitly regulated by the GDPR. The company performed data checks comparing the data received from customer sign-ups with customer data from previous years, which had been stored in accordance with tax and commercial law. The checks were intended to prevent customers from signing up for these bonus contracts repeatedly, which would make an offer meant to attract new customers unprofitable for the company. The established illegality is limited to the insufficiently fulfilled transparency obligations towards customers.


The company has accepted the fine of EUR 901,388.84 and ceased the non-transparent data comparison immediately after the DPA’s first action.


Vattenfall Europe Sales GmbH did not contest the fine, which amounted to EUR 901,388.84, and immediately stopped performing the non-transparent data checks once the Hamburg DPA issued its initial decision. The company cooperated fully with the Hamburg Commissioner and agreed with the DPA on a transparent and comprehensive way of informing first-time and existing customers about the data comparison and its purpose. This allows consumers to make an informed decision between applying for a discounted bonus contract, knowing that it includes an internal verification of their status as a new customer, and a non-discounted contract that does not involve this data comparison.



Halifax-based company fined by the ICO

A Halifax-based company fined by the ICO was found to have been making unlawful pension calls. 

A Halifax-based company, Parker Beach LTD (PBL), has been fined a total of £50,000 by the ICO for unlawful cold calls regarding pensions, according to this report from the ICO. The ICO’s investigation revealed that the company, which operates under the trading name “Your Pension Options”, made calls to people about their pensions, looking to arrange an introduction to an advisor. These calls were unauthorised and resulted in 16 complaints to the ICO. The company has admitted to making over 96,000 calls. Pension cold calling was banned in 2019 specifically to protect vulnerable pensioners and their retirement funds, as cold calls are one of the more common ways of defrauding people out of pension and retirement funds.

Pension calls have been outlawed since 2019, and are only allowed under very few, specific conditions. 

Pension calls are outlawed unless certain conditions apply. Such calls are considered lawful if the caller is authorised by the Financial Conduct Authority (FCA) or is the trustee or manager of an occupational or personal pension scheme, or if the recipient has an existing relationship with the caller and has consented to calls. This stance was taken in 2019, making it illegal for companies to make nuisance cold calls to people regarding pension schemes. The ICO’s Head of Investigations, Andy Curry, has stated that cold calls have been a common tool in fraud, and that for this reason tough action will be taken against companies that use this kind of marketing. He said in a statement, “Companies are responsible for knowing the law and following it. We have a range of powers and enforcement action which we can and will take on behalf of the public to put a stop to the activities of unscrupulous companies.”

The ICO fined the company and issued an enforcement notice ordering them to make no further calls. 

In its investigation, the ICO found that PBL sourced the data for its calls from a third-party supplier, which had itself obtained the data from various websites. Signing up on those sites required users to agree to possible marketing from an extensive list of organisations across various sectors. It did not appear possible for users to select which, if any, of these organisations they would like their details forwarded to, or from which they would like to receive marketing material. PBL therefore did not obtain clear, informed consent. As a result, the company was fined £50,000 and also issued with an enforcement notice ordering it to stop making further calls. Under the Privacy and Electronic Communications Regulations (PECR), the ICO can issue fines of up to £500,000.


Fine imposed for unsecured website


Fine imposed for unsecured website for registration of new orthodontic patients. 


Patient personal data, including citizen service numbers, was found to be at risk when an orthodontic practice allowed new patients to sign up via an unsecured website. According to this report, several fields of mandatory personal information were captured over an unsecured connection. This could have resulted in a data breach and subsequent fraud, with several individuals affected, including minors. The Dutch DPA has imposed a fine of €12,000 on the orthodontic practitioner.

Sensitive personal data was at risk of being accessed by unauthorized parties. 


An unsecured connection was used to capture mandatory personal information from new patients signing up for orthodontic services. 


The unsecured website used to capture information from new patients included a form requiring personal data to be entered into mandatory fields. The required information included the patients’ parents’ details, their general practitioner, insurance information, their dentist and their citizen service number. This information was sent over an unencrypted connection, leaving it unsecured. Individuals submitting their personal information while signing up on the website of an orthodontic practitioner trust that their sensitive data will be protected. In addition, the majority of orthodontic patients are children and young adults, so this case involved the personal data of several children. Data protection laws provide specific safeguards for the sensitive data of children, who are considered a particularly vulnerable group.


Fine imposed for unsecured website after a complaint was lodged about a privacy violation. 


A complaint was lodged with the Dutch DPA regarding a privacy violation. Because the complaint concerned poor security within the health sector, a sector with particularly strict privacy requirements, the DPA took it very seriously. Monique Verdier, the DPA’s deputy chair, commented on the situation: “When you register with an orthodontist, you entrust your personal data to them. This is data that the practice needs, but it is also of interest to criminals. Taking good care of your patients includes taking good care of their personal data. This applies to all care providers, not just large institutions.” It is a business’s responsibility to ensure that its website is GDPR compliant and to secure customer data and websites, preventing possible data breaches, phishing and other forms of malicious online activity. A fine of €12,000 was imposed on the orthodontic practitioner for this infraction.


An objection to this fine was lodged, which the DPA declared unfounded. 

The fine imposed on the orthodontic practitioner is not yet final and has been challenged by the provider. While the fine may still be revoked, the DPA has declared the practitioner’s objection unfounded. An application for judicial review can be submitted to the district court to have the €12,000 fine revoked; if this is done, the final decision will rest with the district court.

