The DPA of Baden-Württemberg (Germany) fined a health insurance company 1'240'000 EUR for insufficient implementation of TOMs, which resulted in the personal data of approx. 500 individuals being accidentally processed for advertising purposes without due consent. The fine is quite high, especially given that there were some mitigating factors in this case: not too many data subjects … Continue reading On a crucial importance of TOMs under GDPR Article 32
An interesting GDPR enforcement case came from Belgium in late May. Imagine that a data controller is sending unsolicited postal communications and ignoring data subjects' rights to object (Article 21) and to be forgotten (Article 17). On top of that, it misidentified the legal basis and relied on legitimate interest instead of consent (of course, … Continue reading Belgian data protection watchdog sends controversial ‘message’ with regard to non-profit data controllers.
In Finland, one of the first fines was handed out to a water supply management company which used location data in the vehicles used by employees, which is considered systematic monitoring. A DPIA should be conducted. Taken from the DLA Piper blog. Followed from a complaint made by an individual. Kymen Vesi processed location data of its employees … Continue reading Finnish business fined for tracking employees
A fine of SEK 200k has been imposed on a Government Service Centre (SSC) which handles salaries and such for 47 Swedish government authorities. SSC is a processor to the 47 government authorities, although a controller to their own employees. It was a breach of the salary data of 282k employees, including their own.