A Danish court has fined a 31-year-old man who posted on Facebook the name and photo of a person convicted of rape, together with the information that the person was suspected of a further rape.
Under the GDPR, any sharing of personal data requires a lawful basis for processing, whether the sharing is done by a company or by a private individual. The court held that the 31-year-old had no such basis. It further found the information to be sensitive, which tightens the GDPR requirements that apply.
The post also linked to an earlier Facebook post about the convicted man. The court held, however, that subsequent sharing of an existing post does not in itself constitute a separate infringement.
The judgment is the first to be delivered on the basis of the GDPR. Previously, the Danish DPA had recommended that both IDdesign (a Danish retailer of Scandinavian furniture and home accessories) and the Danish taxi company Taxa 4x35 be fined (see our earlier coverage of the IDdesign and Taxa 4x35 cases), but no decisions have (yet) been made in those cases.
The unpublished judgment can be obtained in anonymised form, in Danish, by contacting Anni Kreiberg at firstname.lastname@example.org
The Spanish DPA has fined the airline Vueling Airlines EUR 30,000 because the airline's website made consent a condition of using the site.
Under the GDPR, consent must be freely given, specific, informed and unambiguous. "Freely given" means that refusing consent must not carry negative consequences. Here refusal did carry such a consequence, since users who declined could not access the website at all; the consent was therefore invalid.
Without valid consent, the airline had no legal basis for the processing, as the GDPR requires.
Read the decision here (in Spanish).
The Greek DPA has imposed fines totalling EUR 400,000 on a telecoms company for several GDPR violations.
Because of technical errors in the telco's systems, more than 8,000 customers received marketing calls despite having opted out of such calls.
The Greek DPA found that continuing to hold those customers' telephone numbers breached the data minimisation principle, that ignoring their opt-out breached the right to object, and that the absence of organisational measures capable of detecting the technical errors breached the requirement of data protection by design and by default.
Read the decision here (in Greek).
The Danish DPA has criticised Lowell Danmark A/S, a credit-management company and part of the UK Lowell group, for sending an email containing confidential information over opportunistic TLS 1.2 without first establishing whether the receiving domain supported TLS. Opportunistic TLS encrypts the connection only if the receiving mail server offers it and otherwise falls back to plaintext, so Lowell Danmark A/S could not prove that the email had actually been transmitted encrypted.
The DPA's position is that, to meet the GDPR requirement for appropriate technical and organisational measures, confidential and sensitive personal data must always be encrypted when transmitted over the internet.
Because Lowell Danmark A/S could not demonstrate that the transmission had been encrypted, the sending breached the requirement to be able to show that the processing principles have been complied with, including protection against unauthorised access to personal data.
Read the decision here (in Danish).
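The Lowell case turns on the difference between opportunistic and enforced TLS for outbound mail. The following Python example is added here to illustrate that difference; it is not code from the decision, from Lowell Danmark A/S or from the DPA. It shows the three checks a sending mail system needs in order to avoid a silent plaintext fallback and to keep evidence that a message went out encrypted: reading the receiving server's EHLO reply for STARTTLS, applying the recipient domain's MTA-STS policy (RFC 8461, the standard mechanism for a domain to declare that it can receive TLS) to decide whether delivery may proceed, and a live probe that refuses to send unless a verified TLS session is established. The host names, the EHLO replies and the policy file are constructed sample data, not real servers or a real published policy.

```python
"""Fail-closed STARTTLS handling for outbound SMTP.

Opportunistic TLS encrypts only when the receiving server advertises STARTTLS
and silently falls back to plaintext otherwise. These helpers make the
decision explicit and keep evidence of the negotiated session.
"""
from __future__ import annotations

import smtplib
import ssl
from dataclasses import dataclass, field

# Constructed sample data: not real servers and not a real published policy.
SAMPLE_EHLO_WITH_TLS = "250-mx.example.com\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLE_EHLO_NO_TLS = "250-mx.example.com\r\n250-SIZE 35882577\r\n250 8BITMIME"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


def starttls_advertised(ehlo_reply: str) -> bool:
    """True if a multi-line 250 EHLO reply (RFC 5321) lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Continuation lines are "250-KEYWORD ...", the final line is "250 KEYWORD ...".
        if line[:3] == "250" and line[3:4] in ("-", " "):
            tokens = line[4:].split()
            if tokens and tokens[0].upper() == "STARTTLS":
                return True
    return False


@dataclass
class StsPolicy:
    mode: str                                 # "enforce", "testing" or "none"
    mx: list[str] = field(default_factory=list)
    max_age: int = 0


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse an MTA-STS policy file (RFC 8461 section 3.2), as served at
    https://mta-sts.<domain>/.well-known/mta-sts.txt. Raises ValueError on a
    malformed policy so the caller treats the domain as having no valid policy."""
    fields: dict[str, str] = {}
    mx: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported MTA-STS version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if mode != "none" and not mx:
        raise ValueError("policy lists no mx entries")
    return StsPolicy(mode, mx, int(fields.get("max_age", "0")))


def mx_matches(pattern: str, mx_host: str) -> bool:
    """MTA-STS mx matching: exact host, or '*.' standing for exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


def delivery_decision(mx_host: str, starttls_offered: bool, cert_valid: bool,
                      policy: StsPolicy | None) -> str:
    """Decide what an outbound MTA does for one MX.

    "tls-verified"        STARTTLS negotiated, certificate valid, MX permitted by policy
    "tls-unauthenticated" encrypted but certificate not validated (opportunistic only)
    "plaintext"           no STARTTLS offered and nothing forbids the fallback
    "defer"               fail closed: policy is 'enforce' and TLS could not be verified
    With no policy, or mode 'none'/'testing', delivery is opportunistic (testing mode
    would additionally report failures via TLSRPT, which is not modelled here).
    """
    if policy is not None and policy.mode == "enforce":
        mx_permitted = any(mx_matches(p, mx_host) for p in policy.mx)
        return "tls-verified" if (mx_permitted and starttls_offered and cert_valid) else "defer"
    # Opportunistic path: this is where an unnoticed plaintext fallback happens.
    if not starttls_offered:
        return "plaintext"
    return "tls-verified" if cert_valid else "tls-unauthenticated"


def probe_starttls(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX, require STARTTLS with a certificate valid for mx_host, and
    return evidence of the negotiated session. Raises rather than sending in
    plaintext. Needs network access, so it is not exercised by the offline checks."""
    ctx = ssl.create_default_context()        # verifies chain and hostname
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{mx_host} does not advertise STARTTLS; refusing plaintext")
        smtp.starttls(context=ctx)            # ssl.SSLError if the certificate fails
        smtp.ehlo()                           # capabilities must be re-read after STARTTLS
        tls_sock = smtp.sock                  # an ssl.SSLSocket once STARTTLS succeeded
        return {"mx": mx_host, "tls_version": tls_sock.version(),
                "cipher": tls_sock.cipher()[0],
                "peer_subject": tls_sock.getpeercert().get("subject")}
```

Run `delivery_decision("mail.example.com", False, False, None)` against the constructed data and the answer is "plaintext": that is the opportunistic fallback the decision criticises. With the sample enforce policy loaded, the same inputs give "defer", and the message stays queued until a permitted MX offers verified TLS. The dictionary returned by `probe_starttls` (protocol version, cipher, peer certificate subject) is the kind of record a controller can point to when asked to demonstrate that a transmission was encrypted.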