Data controller and data processor held responsible for the failure to adopt adequate technical and organizational measures in the event of a cyber-attack
The Italian Data Protection Authority, in two separate decisions, fined a nursing home, as data controller, € 30,000 and a company, as data processor, € 7,000, following a cyber-attack suffered by the data controller. According to the Authority, both the controller and the processor are responsible for the failure to adopt the technical and organizational measures required by Articles 5 and 32 of the GDPR. In this case, the data controller, through the data processor, had adopted neither a secure network protocol nor a password policy, thereby creating the conditions for the cyber-attack to occur.
Google Analytics could violate the GDPR
The Austrian Data Protection Authority, in a decision issued on 22 December 2021, stated that the use of the Google Analytics service, provided by Google LLC, is not compliant with Regulation (EU) 2016/679. This is the first decision issued by a European Data Protection Authority in response to the 101 complaints filed by NOYB in the wake of the “Schrems II” judgment of the European Court of Justice (CJEU), which invalidated the “Privacy Shield” data transfer agreement between the European Union and the United States, itself the replacement for the earlier “Safe Harbor” agreement.
The news is particularly significant because the Italian Authority has also received a complaint on the same matter and will be asked to give its verdict in the coming months.
Italian Data Protection Authority launches inspection plan for the first half of 2022
The Italian Data Protection Authority announced the launch of its inspection campaign, which will be carried out with the support of the Guardia di Finanza.
The investigations will focus on:
- processing of personal data with regard to ‘database providers’;
- processing of personal data by platforms and websites with regard to the proper management of cookies;
- processing of personal data in the field of so-called ‘video surveillance’;
- data processing by dating sites, by operators in the area of data monetization, and by manufacturers and distributors of smart toys;
- algorithms and artificial intelligence in the public and private sector;
- checking that the roles of controller and processor are correctly identified.
Marketing: Data Protection Authority sanctions use of unverified lists
The Data Protection Authority issued a sanction of € 400,000 against a data controller that had conducted extensive marketing campaigns through a data processor, which in turn used lists of data subjects (obtained from another company) that were not suitable for commercial purposes.
The decision is relevant because the Authority confirms, once again, that the data controller bears an autonomous responsibility for failing to carry out adequate checks on the source and lawfulness of the data processed.
Aggressive telemarketing. The Authority fines an energy company € 26 million
In a decision of last December, the Data Protection Authority sanctioned a company operating in the energy market for numerous infringements of personal data protection legislation. In particular, it was found that telemarketing calls were often made to restricted numbers or to numbers registered in the opposition register. In addition, the company did not adequately allow data subjects to exercise their rights under the GDPR.