GDPR News – April 2021
Selected GDPR decisions from the month of February
Application of old TLS version drew criticism from the Danish DPA
When looking into a case initiated by the DPA itself, the DPA established that the self-service solution available with the Police for applying for a firearms certificate (www.digimeld.politi.dk/vaaben/HTML/index.aspx?type=p70401) – during which your personal ID number must be entered – warns you about the page using weak encryption and that unauthorised persons in consequence thereof may have access to the data that is entered.
The self-service solution only supported TLS version 1.0, but the Danish National Police had stated that this version was the best, which the said solution could support, and that work was in progress for replacing it.
The DPA stated that forms and web-solutions for processing personal data are subject to safety requirements, including in particular that the data controller must ensure that personal data do not become accessible to anyone unauthorised. Data that can be characterised as worthy of protection, including information on personal ID numbers, must therefore be ensured in such way that the contents cannot be accessed by anyone unauthorised, which is done by encrypting the transport layer (TLS) subject to version 1.2 or higher versions.
The DPA established that TLS versions 1.0 and 1.1 contain known vulnerabilities which do not ensure the necessary confidence and integrity of the data being exchanged. Hence, the DPA found grounds for criticising the Danish National Police for not processing personal data in compliance with the rules provided for in Article 32.1 of the GDPR.
Fine for disclosing video surveillance
Car wash business Miljø- Kvalitetsledelse AS has been fined NOK 35,000 (about EUR 3,500) by the Norwegian DPA for illegally disclosing personal data from a video surveillance.
When malicious damage was made to a purchase terminal, Miljø- Kvalitetsledelse AS sent uninvited recordings and data from the video surveillance of the car wash system to the employer of the person, which Miljø- Kvalitetsledelse AS assumed had caused the malicious damage.
The DPA found that the disclosure lacked legal basis and was contrary to Articles 6.1 and 5.1 (a) of the GDPR. The recordings had already been surrendered to the Police, and the DPA found the forwarding of the recordings to the data subject’s employer unnecessary for preventing and clarifying the malicious damage.
Miljø- og Kvalitetsledelse AS have an appeal period of 3 weeks from the time of receiving the decision.
District Court of the Hague reduces administrative fine by 24%
The Dutch DPA had imposed an administrative fine of EUR 460,000 on a hospital in consequence of violating Article 32 of the GDPR when failing to implement satisfactory measurements for protecting patients’ personal data.
The fine constituted a basic fine of EUR 310,000 plus two additional fines of each EUR 75,000, totalling EUR 460,000 in consequence of the hospital not having implemented two-factor authentication, and not having made regular controls on logins for access to medical records.
The case was brought before the District Court of the Hague who found the fine too high. The court did not find the basic fine of EUR 310,000 unreasonable, but the additional fines should be reduced since the hospital had taken steps to prevent that personal data found on digital platforms could be accessed by unauthorised staff.
Furthermore, during the objection period, the hospital had implemented two-factor authentication and intensified logins, which the court considered a willing to cooperate, hence the fine was reduced to a total of EUR 350,000.