Data breach: provision on the duty of communication to data subjects and notification to the Data Protection Authority
The Italian Data Protection Authority, with provision no. 21 of January 27, 2022, ruled on a communication relating to a security incident. The violation of personal data was caused by a ransomware cyber-attack, which entailed the encryption of the data contained in the servers and PCs of the data controller (with consequent impossibility of accessing and processing them) and the probable exfiltration of the same.
The data controller, however, had not communicated the data breach to the data subjects, pursuant to art. 34 of the GDPR, although the violation of personal data could present a high risk for the rights and freedoms of natural persons.
Therefore, the Authority ordered the data controller to communicate the violation of personal data to the data subjects and to provide adequately documented feedback on the measures adopted to mitigate the possible prejudicial effects of the violation for the data subjects.
Italian DPA: measures for the use of SPID services by minors
The Italian Data Protection Authority, in its opinion on the draft “Linee guida operative per l’utilizzo dei servizi SPID da parte dei minori” proposed by AgID (Agenzia per l’Italia Digitale), identified the guarantees required for the use of the public digital identity system (SPID) by minors.
The processing involved in issuing a SPID identity and in using it to access online services exposes minors to risks that require specific protection, with the adoption of adequate measures to mitigate them, distinguishing between those over 14 and those under 14 on account of their different levels of maturity and awareness.
Minors over 14 will be able to obtain a SPID identity to access the services offered to them by the Public Administration. Children under 14, instead, will be able to use it only for the online services provided by schools, and their parents will request the SPID on their behalf.
Court of Rome: a wife’s access request to obtain personal data from her deceased husband’s accounts is lawful
The Court of Rome, in an order concerning a woman’s request for access to recover personal data from the accounts of her deceased husband, established that family reasons worthy of protection pursuant to art. 2-terdecies of Legislative Decree no. 196/2003 prevail over the non-disclosure clause on the rights to the contents that the internet service provider had stipulated with the user, since deceased, when he accepted the general conditions.
Belgian Data Protection Authority: the IAB Europe TCF framework violates data protection rules
The Belgian Data Protection Authority, with decision no. 21 of February 2, 2022, established that the Transparency and Consent Framework (TCF), developed by IAB Europe, does not comply with several provisions of Regulation (EU) 2016/679 (GDPR). TCF is a widespread mechanism that facilitates the management of user preferences for personalized online advertising and plays a key role in so-called Real Time Bidding (RTB). The Authority fined IAB Europe €250,000 and gave the company two months to present an action plan to bring its activities into compliance.
The Authority established, in particular, that the TCF violates article 5, paragraph 1 (letters a and f), and articles 6, 12, 13, 14, 25, 32 and 37-39 of the GDPR.
This is a disruptive decision, especially considering that thousands of operators in the digital advertising field base their business on the standards set by the TCF.
CSIRT Italy: cyber alert related to the war in Ukraine
On February 14, 2022, CSIRT Italy (Computer Security Incident Response Team) issued a bulletin prescribing rules and methods for raising the prevention and monitoring measures protecting national ICT infrastructures from possible cyber risks deriving from the Ukrainian situation. In particular, public entities and institutions, organizations and companies that have relations with Ukrainian entities, and with which telematic interconnections are in place, are exposed to high risks.
Therefore, in addition to adopting cybersecurity best practices and complying with the measures provided for by current legislation, the CSIRT recommends raising the level of attention by adopting, as a priority, a number of organizational and technical measures.