Failure to appoint a data processor: Italian Data Protection Authority sanctions Lazio Region
The Authority has imposed a €75,000 fine on the Lazio Region for failing to appoint as data processor the company to which the institution had entrusted the management of health service bookings through the regional call centre (ReCUP).
This is one of the first measures for breach of Article 28 of the GDPR by a public administration (PA), and it signals an increasing focus by the Authority on verifying formal compliance with the GDPR.
Read the judgement
Clusit Report 2021: 14% more cyber attacks last year
The latest edition of the Clusit report, an annual study dedicated to cybersecurity, was published on 16 March. The studies carried out show a significant increase in the number of cyber attacks detected in the last period, confirming a trend that has consolidated in recent years.
In the current epidemic crisis, as many predicted, the healthcare sector has emerged as one of the main targets for cyber criminals: attacks on the healthcare sector account for more than 12% of the total, while research institutes account for 11%.
The data shows that a careful analysis of cyber risks and the adoption of the necessary IT security measures are now essential requirements for any organisation holding relevant data and information.
Read the report
Covid bonus: INPS fined for €300,000
Failure to define the criteria for processing the data of certain categories of applicants for the “Covid bonus”, use of information unnecessary for the control purposes, use of incorrect or incomplete data, and an inadequate assessment of privacy risks.
These are the reasons why the Italian Data Protection Authority ordered INPS to pay a fine of €300,000 for multiple violations of the GDPR committed during the anti-fraud investigations carried out by INPS regarding the so-called “Covid bonus”.
Read the judgement
ZTL permits: data accessible to anyone through a QR reader
A municipality has been sanctioned by the Italian Data Protection Authority because the system adopted for verifying ZTL (limited traffic zone) permits, based on software that reads the QR code displayed on the coupon, allowed anyone with a smartphone to access the permit holder's data.
The Authority imposed two separate sanctions. The first was on the municipality which, as controller of the processing of the data of ZTL pass beneficiaries, had not adopted technical and organisational measures to ensure an adequate level of security. The second was on the mobility services company used by the municipality, which in this case acts as data processor. The company was charged with an erroneous risk assessment which, according to the Authority, led to the use of an inadequate information system that did not comply with the principles of privacy by design and privacy by default and did not limit access to the data to authorised persons only.
Read the judgement
Use of WhatsApp and other instant messaging apps to share sensitive data in the workplace
A recent study published by Veritas Technologies, conducted on a sample of more than 12,500 employees, found that more than 75% of respondents used instant messaging services or video conferencing applications to exchange and transmit documents containing critical information about their company. As several European data protection authorities have highlighted over time, the use of such tools can expose personal data to numerous risks of breaches and, at the same time, does not guarantee the security of company information.
Read the Report
Failure to appoint the DPO and disclosure of the data of more than 5,000 data subjects: the Data Protection Authority sanctions the Ministry of Economic Development
The Authority has fined the Ministry of Economic Development (Mise) €75,000 for failing to appoint a Data Protection Officer (DPO) by 28 May 2018, the date of full application of the GDPR, and for disclosing the personal information of over 5,000 managers on its institutional website.
The sanction highlighted failings on the part of the Ministry, both in substance and in form, thus drawing attention to various aspects of the principle of accountability of the processor enshrined in the GDPR.
Read the judgement
Covid-19 and data protection: the collection of legal provisions
On 25 March, the Italian Data Protection Authority published the updated version of its collection of the main legal provisions with implications for the protection of personal data.
Read the updated version
Cloud security for healthcare services: ENISA report on cyber security in the healthcare sector published
On 18 January, the European Union Agency for Cybersecurity (ENISA) published a report analysing developments and technological innovations in the healthcare sector and, in particular, the progressive migration towards cloud solutions, with an in-depth analysis of the main critical issues in terms of data protection and cybersecurity linked to the digitalisation and dematerialisation of processes.
These include, in particular, a lack of investment in cybersecurity and difficulties in integrating cloud systems with existing infrastructure.