Icelandic DPA fines InfoMentor

Icelandic DPA fines InfoMentor for a data breach affecting hundreds of children from 2019.

The Icelandic Data Protection Authority has fined the company InfoMentor EUR 23,100 for failing to ensure appropriate security of the personal data of several data subjects, most of them children. According to this report from the EDPB, the incident was reported in February 2019 and concerned Mentor, InfoMentor's information system for schools and other organisations that work primarily with children. A vulnerability on InfoMentor's side exposed the six-digit system number of each user in the URL of a particular page within Mentor, and with that number unauthorised parties were able to reach the personal data of other users. This resulted in access to the national identification numbers and avatars of over 400 children.

At its core, this data breach was caused by human error, in particular a delay in fixing a vulnerability that the company already knew about.

InfoMentor acknowledged that it had been aware of the vulnerability that led to the breach, and that a fix had already been developed. Due to human error, however, the fix was not fully deployed to the Mentor system until after the breach had already occurred. The breach could have been avoided had the vulnerability been fixed as soon as the responsible staff were aware of it. In addition, while notifying the affected schools, InfoMentor mistakenly sent the national identification numbers of affected students to the wrong schools and data protection officers.
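The pattern described above, a guessable sequential user number used as the key in a URL with no check that the logged-in user is entitled to that particular record, is the classic insecure direct object reference. The following Python is an added illustration, not InfoMentor's code: the data model, roles, school linkage and the sample records are all constructed here, and the only facts taken from the page are that the key was a six-digit system number exposed in a URL and that national identification numbers and avatars were the data reached. It shows the vulnerable handler next to a hardened one that performs object-level authorization, and an enumeration loop that demonstrates the difference.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data for illustration only; this is not InfoMentor's
# data model. The six-digit "system number" stands for the sequential key
# the page says was visible in the URL; national_id and avatar_url stand for
# the fields the page says were exposed.

@dataclass(frozen=True)
class Student:
    system_number: int   # sequential six-digit id used as the URL key
    name: str
    school_id: str
    national_id: str     # the sensitive field
    avatar_url: str

@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str                     # "student", "guardian" or "teacher"
    school_id: str
    linked_students: frozenset    # system numbers this caller may view

STUDENTS = {
    100001: Student(100001, "A", "school-1", "010101-0001", "/avatars/1.png"),
    100002: Student(100002, "B", "school-1", "020202-0002", "/avatars/2.png"),
    100003: Student(100003, "C", "school-2", "030303-0003", "/avatars/3.png"),
}

class Forbidden(Exception):
    """Raised by the hardened handler for both 'no such record' and 'not your
    record', so the id space cannot be probed by telling the two apart."""

def render(student: Student) -> dict:
    return {"name": student.name, "national_id": student.national_id,
            "avatar": student.avatar_url}

def get_profile_vulnerable(principal: Principal, system_number: int) -> dict:
    """Vulnerable pattern (IDOR): being logged in is the only check, so any
    authenticated user who edits the number in the URL gets the record."""
    student = STUDENTS.get(system_number)
    if student is None:
        raise KeyError(system_number)
    return render(student)

def is_authorized(principal: Principal, student: Student) -> bool:
    """Object-level authorization: the caller must be the student themselves,
    or a guardian/teacher at the same school who is explicitly linked to them."""
    if principal.role == "student":
        return principal.user_id == student.system_number
    if principal.role in ("guardian", "teacher"):
        return (principal.school_id == student.school_id
                and student.system_number in principal.linked_students)
    return False

def get_profile_hardened(principal: Principal, system_number: int) -> dict:
    """Hardened: fetch the record, then check the caller against that record
    before returning anything from it."""
    student = STUDENTS.get(system_number)
    if student is None or not is_authorized(principal, student):
        raise Forbidden("not found or not authorized")
    return render(student)

def enumerate_ids(handler, principal: Principal, start: int, stop: int) -> list:
    """What an unauthorised party can do with a guessable six-digit key:
    walk the id range and keep every record the endpoint hands back."""
    harvested = []
    for n in range(start, stop):
        try:
            harvested.append(handler(principal, n))
        except (KeyError, Forbidden):
            continue
    return harvested

def opaque_id_map() -> dict:
    """Defence in depth: put random, unguessable tokens in URLs instead of the
    sequential number. This stops blind enumeration but does not replace the
    authorization check, which must still run on the resolved record."""
    return {secrets.token_urlsafe(16): n for n in STUDENTS}

if __name__ == "__main__":
    me = Principal(100001, "student", "school-1", frozenset())
    print(len(enumerate_ids(get_profile_vulnerable, me, 100000, 100010)))  # 3
    print(len(enumerate_ids(get_profile_hardened, me, 100000, 100010)))    # 1
```

Run as a script, a single student account walking ten consecutive numbers collects every record in the sample store from the vulnerable handler and only its own from the hardened one. The check belongs on the record that was actually resolved, not on the request parameters, and the same error for "missing" and "not yours" keeps the response from leaking which numbers are in use.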

The Icelandic DPA fined InfoMentor based on the number of data subjects affected, and the fact that those affected were children.

The rights and freedoms of children were directly affected by this data breach. The most significant factors the Icelandic DPA considered in setting the administrative fine were the number of data subjects directly and potentially affected, and the fact that the data subjects are children. The DPA also took into account that InfoMentor's main activity is the development and operation of an information system intended for schools and other entities working with children. In mitigation, there was no indication that the data subjects suffered harm as a result of the breach, and InfoMentor has since taken numerous steps to improve its security and address the vulnerabilities that caused the breach.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

COVID-19 travel certificates

COVID-19 travel certificates questioned by Italian DPA

COVID-19 travel certificates launch in the EU soon, but the Italian DPA has pointed out issues that need attention before the rollout.

This summer, COVID-19 travel certificates or "vaccine passports" will be rolled out throughout the EU, with the official launch scheduled for the end of June. The majority of EU countries should be technically prepared by the first week of June, according to this article from Euractiv. To avoid delays, the aim is to have the systems supporting these certificates ready by the time the legislation is published, so that the passes are legally valid and operational across Europe from the start. The EU COVID-19 travel certificates, which we wrote about last month, take the form of a QR code containing information on a person's status with regard to the COVID-19 vaccine or the virus itself (a negative test result or the presence of antibodies). Because of the amount and nature of the data these QR codes will carry, data protection authorities around Europe are watching the rollout closely to ensure the rights and freedoms of natural persons are protected. The Italian DPA has issued a statement pointing out key issues that will require special attention in that respect.

 

Twenty countries, including Italy, are expected to be part of the first group to begin technical checks to interconnect the systems, from the second week of May. 

EU member states have been divided into three groups, rated by their readiness to begin system testing. The first group, which includes Italy, France, Spain and Germany, is expected to start testing the interconnected systems from the second week of May; the third and last group is expected to begin its testing phase around the middle of June. The technical testing covers the entire setup: each system is first validated, after which key changes are exercised. For this reason, an EU official explained, the member states are divided into groups and tested in phases.

 

While the technical work is being done to lay the groundwork for COVID-19 travel certificates, the EU is working on the legal basis of the initiative. 

On April 29th, European lawmakers adopted a negotiating position on the Commission's proposal for the COVID-19 travel certificates, or digital green certificates. This set the stage for inter-institutional negotiation, in which the Council represents the 27 member states, with the goal of having the certification system up and running for summer in an effort to support the struggling European tourism sector. There is clearly some pressure of time, but the data protection authorities appear to be keeping a watchful eye on the process.

 

The Italian DPA has released a statement pointing out some major critical issues for vaccination passes. 

The COVID-19 travel certificates have been criticised by the Italian DPA. The EDPB reported that the supervisory authority has highlighted several data protection shortcomings in the rollout, including the absence of an assessment of the possible large-scale risks to the rights and freedoms of individuals. Contrary to GDPR requirements, the decree known as "Italy Reopens" does not provide a suitable legal basis for introducing and regulating a nationwide green pass. Among the issues cited by the Italian DPA, the decree does not specify the purposes of the processing of health data, and it paves the way for multiple and unforeseeable future uses that could conflict with EU initiatives and breach the GDPR. The Italian DPA noted that the major issues it found could easily and quickly have been addressed beforehand, and has offered the government its cooperation in resolving them.


CNPD ordered Statistics Portugal to suspend all data transfers within 12 hours

CNPD ordered Statistics Portugal to suspend all data transfers to a US based processor within 12 hours earlier this week.

The Portuguese DPA, Comissão Nacional de Proteção de Dados (CNPD), ordered Statistics Portugal (INE) to suspend, within 12 hours, all data transfers connected to its census, citing an inadequate level of protection for international data transfers, IAPP reported. After receiving complaints about the conditions under which data was collected via the internet, the authority carried out a quick investigation. The probe revealed that INE used Cloudflare Inc, a California-based web infrastructure and website security company, to handle census survey operations. Because of the nature of the services Cloudflare provides, the company is directly subject to US surveillance legislation for national security purposes.

While the international transfers were based on SCCs, it was concluded that the data was still not adequately protected.

Even where data transfers are based on Standard Contractual Clauses, data protection authorities are obliged to suspend or prohibit them when there is no guarantee that the clauses can or will be complied with in the recipient country. US surveillance legislation imposes on certain companies a legal obligation to give US authorities unrestricted access to the personal data in their possession, without being able to inform their clients. With Cloudflare Inc subject to this legislation and in possession of large amounts of personal data of Portuguese citizens, this posed a serious risk.

CNPD ordered INE to cease data transfers within 12 hours due to the sensitive nature of the information collected.

The data collection for the census being run by INE began on April 19th and was due to be completed by May 3rd; about a week into the process, following the complaints received by CNPD, INE was ordered to cease the data transfers within 12 hours. The main reason for the immediate order was, in addition to the sheer volume of data being collected and processed, the sensitive nature of the data itself, which included religious and health data on the individuals in this large data pool.

Of late, similar issues have been dealt with by various data protection authorities across the EU.

In recent times we have seen similar action by other EU DPAs, for example in Spain and Germany, concerning data transfers on the basis of Standard Contractual Clauses. Transfers to the U.S., or to any other third country not recognised as providing an adequate level of data protection, present a problem when no supplementary measures are applied. The risk is particularly acute with sensitive data, as in this case. When making international data transfers on the basis of Standard Contractual Clauses, it is essential that the data receives a level of protection equivalent to that provided under EU law.


Record AEPD fine

Record AEPD fine imposed on Vodafone

Record AEPD fine imposed on Vodafone for violations of the GDPR as well as Spanish national regulations. 

Vodafone Spain has recently been hit with four fines totalling a record €8.15 million for violations of the GDPR and of Spanish national laws. The company was found to have engaged in unlawful telemarketing and other data protection violations. Over the last two years, some 200 million calls were made, resulting in 191 complaints about the company's practices regarding consent and data processing.

 

Customers who had opted out of receiving communication were contacted by, or on behalf of the company. 

Several citizens who had objected to the processing of their data for advertising purposes kept receiving calls and text messages, resulting in 191 complaints. As a result, the company's headquarters were inspected in September 2019. The inspection found that Vodafone had not been continuously monitoring its data processor and lacked the technical and organisational measures needed to avoid contacting citizens who had opted out of advertising communications or had requested erasure of their data entirely. Vodafone was therefore found to have violated Article 28 of the GDPR by failing to monitor its data processor.

 

The company was also found to have exported data without sufficient safeguards in place for international data transfers. 

Vodafone's infractions also included a violation of Article 44 of the GDPR, concerning transfers of data to a third country. It was found that data processors in the Republic of Peru had also carried out advertising activity on behalf of Vodafone. This processor was not being continuously monitored either, and the AEPD's findings revealed that the company did not even have the structures and safeguards in place to conduct such monitoring.

 

This record AEPD fine included two fines for national laws in addition to the fines for EU GDPR violations. 

The total fine, imposed last month, consisted of two fines for violations of the GDPR and two fines for violations of Spanish national laws. The company was fined €6 million in total for the Article 28 and Article 44 violations. In addition, the AEPD, acting under its national competences, imposed a further €2 million for violations of Spanish telecommunications and digital rights laws, and a smaller fine of €150,000 under the Spanish rules governing the use of cookies. The total is a new record for the AEPD, surpassing the €6 million fine imposed on Caixabank earlier this year.
