Critical infrastructure: Technical and organisational measures specific to the health sector
https://www.dkgev.de/fileadmin/default/Mediapool/2_Themen/2.1_Digitalisierung_Daten/2.1.4._IT-Sicherheit_und_technischer_Datenschutz/2.1.4.1._IT-Sicherheit_im_Krankenhaus/B3S_KH_v1.1_8a_geprueft.pdf
Prof. Härting on company strategies when responding to DPA requests (in German)
Auskunftsersuchen der Datenschutzbehörden – rechtsstaatlich selten einwandfrei
https://www.cr-online.de/blog/2019/11/17/auskunftsersuchen-der-datenschutzbehoerden-rechtsstaatlich-selten-einwandfrei/
Polish DPA fines company 201,000 PLN (47,000 EUR) for not making withdrawal of consent ‘as easy as it was to give’.
Data subjects were forced to state the reason for unsubscribing from direct marketing e-mail and the messages were misleading.
https://uodo.gov.pl/en/553/1092
Germany BMWi: Orientation paper on data protection of health data
Germany BMWi: Orientierungshilfe zum Gesundheitsdatenschutz
(health data, patient data)
https://www.bmwi.de/Redaktion/DE/Downloads/M-O/orientierungshilfe-gesundheitsdatenschutz.pdf?__blob=publicationFile&v=16
Discussion papers from the Tilburg Institute for Law, Technology, and Society (TILT)
Ireland: Irish DPA – Data Breach Trends from the First Year of the GDPR
Kuketz-Forum: “Transportverschlüsselung bei E-Mails”
Technical discussion on transport encryption for e-mail (including STRIPTLS attacks against STARTTLS)
https://forum.kuketz-blog.de/viewtopic.php?f=6&t=4992#p50638
ICO awareness material on secure communication of data
“Communicating the importance of information security to staff”
https://ico.org.uk/media/for-organisations/think-check-share/1043597/think-check-share-toolkit.pdf
Denmark: DPA criticizes insufficient mail encryption
On the basis of a complaint, the Data Inspectorate found that, in the specific case, the use of opportunistic TLS without further control was not an adequate safeguard.
The Data Inspectorate criticizes Lowell Danmark A/S (hereinafter Lowell) in a case in which a citizen complained that Lowell had sent confidential information about the citizen unencrypted over the Internet.
In a previous decision (January 2019-31-1263), the Data Inspectorate held that the safeguards Lowell had adopted in that case on the basis of its risk assessment were appropriate: the use of opportunistic TLS was supplemented with a check of whether the recipient domain supported TLS, and the risk assessment showed that where the recipient domain could not receive TLS, a communication method other than e-mail was used.
The difference in the present case was that Lowell could not verify whether the recipient domain could receive TLS, yet despite this lack of verification sent the e-mail with opportunistic TLS 1.2, and thus could not prove whether the e-mail was actually received encrypted.
Therefore, in the present case, the Data Inspectorate finds that Lowell has not been able to demonstrate that the processing was carried out in a way that ensures sufficient security for the personal data concerned, including protection against unauthorized access to personal data, using appropriate technical or organizational measures, cf. Article 5(1)(f) of the Data Protection Regulation, cf. Article 32(1) and (2).
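As an added example, not from the decision, from Lowell or from the Kuketz thread on STARTTLS stripping, the following Python sketch shows a sender-side control of the kind the earlier decision accepted: before any message leaves, confirm that the recipient's mail server offers STARTTLS and that a certificate-verified TLS session is actually negotiated, record the negotiated parameters as evidence, and otherwise route the communication to a different channel instead of falling back to cleartext. The MX hostname, the EHLO responses and the channel names are constructed assumptions.

```python
import smtplib
import ssl

# Constructed EHLO responses (not from the page), in the byte layout that
# smtplib.SMTP.ehlo() returns: greeting line first, one capability per line.
EHLO_WITH_STARTTLS = b"mx.recipient.example\nSIZE 52428800\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mx.recipient.example\nSIZE 52428800\n8BITMIME"


def starttls_advertised(ehlo_resp: bytes) -> bool:
    """Parse an EHLO response and report whether STARTTLS is offered.

    The first line is the server greeting; each later line starts with a
    capability keyword, which is also what smtplib's has_extn() keys on.
    """
    lines = ehlo_resp.decode("ascii", errors="replace").splitlines()[1:]
    keywords = {line.split()[0].upper() for line in lines if line.strip()}
    return "STARTTLS" in keywords


def verify_recipient_tls(mx_host: str, timeout: float = 10.0) -> dict:
    """Live pre-send check (needs network; not exercised offline).

    Unlike opportunistic TLS, this refuses to proceed when STARTTLS is not
    advertised, verifies the server certificate, and records the negotiated
    session so the sender can later demonstrate that transport was encrypted.
    """
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"tls": False, "mx": mx_host, "reason": "STARTTLS not advertised"}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after STARTTLS
        return {"tls": True, "mx": mx_host,
                "version": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}


def choose_channel(check: dict) -> str:
    """Policy the earlier decision accepted: e-mail only when transport
    encryption was verified, otherwise a different communication channel."""
    return "smtp_verified_tls" if check.get("tls") else "alternative_channel"


if __name__ == "__main__":
    # Assumed MX hostname; replace with the recipient domain's MX record.
    result = verify_recipient_tls("mx.recipient.example")
    print(choose_channel(result), result)
```

The evidence dictionary returned by verify_recipient_tls is what the organisation would log per message, since the finding turned on Lowell being unable to prove that delivery was encrypted.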