Article by TwoBirds on EDPB Guidelines on targeting social media users (draft)

https://www.twobirds.com/en/news/articles/2020/global/edpb-guidelines-on-targeting-social-media-users

Includes a summary of the criteria proposed by the EDPB in the context of “data manifestly made public by the data subject”.
Also covers the EDPB's distinction between explicit and inferred/combined special categories of personal data:
assumptions or inferences regarding special category data would themselves also constitute special category data.

Sweden: DPA audited eight healthcare providers, fines seven (up to 3 million EUR)

The Data Inspectorate has now completed an inspection of eight care providers. The inspection focused above all on whether the care providers had carried out the needs and risk analysis required to be able to give staff the right access to personal data in the main medical record systems.

– Caregivers must make a careful analysis and assessment of what staff’s needs are for information in the medical record systems and what risks there are if staff have access to patient data. Without such an analysis, care providers cannot assign the staff the right qualifications, which in turn means that the operations cannot guarantee patients the privacy protection they are entitled to, says Magnus Bergström, who is the coordinator for the eight reviews.

The Data Inspectorate states that seven of the care providers have not carried out a needs and risk analysis, while one care provider has carried out an analysis which, however, has certain shortcomings.

The authority also states that seven of the care providers do not limit users’ access permissions in the respective medical record system to what is needed for the user to fulfil his or her duties.

This means that the seven care providers have not taken sufficient measures to ensure and demonstrate appropriate security for the personal data in the medical record systems.

https://www.datainspektionen.se/nyheter/brister-i-hur-vardgivare-styr-personalens-atkomst-till-journaluppgifter/ with links to details of the specific cases

NIST: Securing Telehealth Remote Patient Monitoring Ecosystem

https://www.nccoe.nist.gov/projects/use-cases/health-it/telehealth

“What is this guide about?

Increasingly, healthcare delivery organizations (HDOs) incorporate telehealth and remote patient monitoring (RPM) as part of a patient’s care regimen. RPM systems capture patient biometric data over a prolonged duration. They may offer convenience and may be cost effective for patients and HDOs. These benefits promote increased adoption rates. Without adequate privacy and cybersecurity measures, however, unauthorized individuals may expose sensitive data or disrupt patient monitoring services.

The NCCoE performed a risk assessment on the telehealth RPM ecosystem, leveraging the NIST Cybersecurity Framework, NIST Privacy Framework, and other relevant guidance to develop a reference architecture. The reference architecture demonstrates how HDOs may use standards-based approaches and commercially available cybersecurity technologies to implement privacy and cybersecurity controls enhancing the resiliency of the telehealth RPM ecosystem.”

Belgian DPA to Take Down Websites Infringing GDPR

On November 26, 2020, the Belgian Data Protection Authority (“Belgian DPA”) signed a cooperation agreement with DNS Belgium, the organization managing the “.be” country code top-level domain name. The purpose of the cooperation agreement is to allow DNS Belgium to suspend “.be” websites that are linked to infringements of the EU General Data Protection Regulation (the “GDPR”).

https://www.huntonprivacyblog.com/2020/12/03/belgian-dpa-to-take-down-websites-infringing-gdpr/

France: CNIL sanctions on Carrefour

Sanctions of 2,250,000 euros and 800,000 euros for the companies CARREFOUR FRANCE and CARREFOUR BANQUE

Announcement:
https://www.cnil.fr/fr/sanctions-2250000-euros-et-800000-euros-pour-carrefour-france-carrefour-banque

Deliberation of the restricted committee no. SAN-2020-008 of 18 November 2020 concerning the company CARREFOUR FRANCE
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042563756

Deliberation of the restricted committee no. SAN-2020-009 of 18 November 2020 concerning the company CARREFOUR BANQUE
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657

Pursuant to decisions no. 2019-081C of April 24, 2019 and no. 2019-102C of June 6, 2019 of the President of the Commission, five controls were carried out online or at the company’s premises:
– an online check, carried out on May 24, 2019, relating to the carrefour.fr site and the processing carried out from this site;
– an on-site check, carried out on May 28, 2019, relating to the processing carried out by the company CARREFOUR FRANCE, in particular as part of the Carrefour loyalty program (hereinafter the loyalty program), as well as the various databases it used to manage its customer base;
– an on-site check, carried out on June 11 and 12, 2019, relating to the exercise of rights and to the responses provided to several complainants who had referred a complaint to the CNIL against the company;
– an on-site check, carried out on June 26 and 27, 2019, focusing more particularly on the management of personal data as part of the loyalty program;
– an on-site check, carried out on July 11, 2019, relating to the security measures developed by CARREFOUR FRANCE to protect the personal data it processes and to the data breaches that had occurred.

On the second point, the restricted committee notes, first of all, that the company acknowledges a delay in the implementation of its data erasure program but underlines the significant efforts made since the initiation of the procedure to bring itself into compliance. The restricted committee noted that the inspection delegation had found data concerning customers who had been inactive for more than four years, and in particular more than twenty-eight million loyalty program members who had been inactive for five to ten years. With regard to users of the carrefour.fr site, the restricted committee emphasizes that the data of more than 750,000 users whose last purchase dated back five to ten years was kept, as well as that of nearly 20,000 users whose last purchase dated back more than ten years.

Triggered by several complaints, the CNIL sanctioned two companies of the CARREFOUR group for breaches of the GDPR concerning in particular the information provided to individuals and respect for their rights.

Having received several complaints against the CARREFOUR group, the CNIL carried out checks between May and July 2019 at the companies CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of customer and prospect data. The President of the CNIL therefore decided to initiate a sanctioning procedure against these companies.

At the end of this procedure, the restricted committee – the CNIL body responsible for pronouncing sanctions – considered that the companies had failed to meet several obligations under the GDPR.

It thus sanctioned the company CARREFOUR FRANCE with a fine of 2,250,000 euros and the company CARREFOUR BANQUE with a fine of 800,000 euros. On the other hand, it did not issue an injunction, since it noted that significant efforts had made it possible to bring all the breaches identified into compliance.

Breaches of the obligation to inform individuals (article 13 of the GDPR)
The information provided to users of the carrefour.fr and carrefour-banque.fr sites, as well as to people wishing to join the loyalty program or take out the Pass card, was neither easily accessible (access to the information was too complicated, and it was buried in very long documents containing other information) nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations). In addition, it was incomplete with regard to the duration of data retention.

Concerning the carrefour.fr site, the information was also insufficient with regard to data transfers outside the European Union and the legal basis for the processing operations.

On this point, the companies modified their information notices and websites during the procedure in order to comply.

Breaches relating to cookies (article 82 of the Data Protection Act)
The CNIL noted that, when a user visited the carrefour.fr site or the carrefour-banque.fr site, several cookies were automatically placed on their device before any action on their part. Several of these cookies were used for advertising, so the user’s consent should have been collected before they were placed.

The companies modified the way their websites function during the procedure. No advertising cookies are now deposited before the user has given their consent.

A breach of the obligation to limit the retention period of data (article 5.1.e of the GDPR)
The CARREFOUR FRANCE company did not respect the data retention periods that it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were thus kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr site who had been inactive for five to ten years.

In addition, in this case, the restricted committee considers that a retention period of 4 years for customer data after their last purchase is excessive. Indeed, this duration, initially adopted by the company, exceeds what appears necessary in the field of mass distribution, taking into account the consumption habits of customers who mainly make regular purchases.

During the procedure, the company CARREFOUR FRANCE has committed significant resources to make the necessary changes to bring it into compliance with the GDPR. In particular, all data that is too old has been deleted.

A breach of the obligation to facilitate the exercise of rights (article 12 of the GDPR)
The company CARREFOUR FRANCE required proof of identity for any request to exercise rights, except for objections to commercial prospecting. This systematic request was not justified, since there was no doubt about the identity of the persons exercising their rights. Furthermore, the company was not able to process several requests to exercise rights within the time limits required by the GDPR.

On these two points, the company changed its practices during the procedure. In particular, it has deployed significant human and organizational resources to respond to all requests received within a period of less than one month.

Failure to respect rights (articles 15, 17 and 21 of the GDPR and L34-5 of the Postal and Electronic Communications Code)
First of all, the company CARREFOUR FRANCE did not respond to several requests from people wishing to access their personal data. The company contacted all the people concerned during the procedure.

Then, in several cases, the company did not erase data when several people had requested it and it should have done so. On this point as well, the company granted all the requests during the procedure.

Finally, the company did not take into account several requests from people who objected to receiving advertising by SMS or email, in particular due to occasional technical errors. The company became compliant during the procedure on this point as well.

A breach of the obligation to process data fairly (Article 5 of the GDPR)
When a person taking out the Pass card (a credit card that can be linked to the loyalty account) also wished to join the loyalty program, they had to tick a box indicating that they accepted that CARREFOUR BANQUE would communicate their surname, first name and e-mail address to “Carrefour loyalty”. CARREFOUR BANQUE explicitly indicated that no other data was transmitted. The CNIL however noted that other data was transmitted, such as the postal address, the telephone number and the number of their children, although the company had undertaken not to transmit any other data.

On this point, the company changed its practices during the procedure. It has completely overhauled its online subscription process for the Pass card and people are now informed of all the data transmitted to CARREFOUR FRANCE.

Proposal for a Regulation on European data governance (Data Governance Act)

The proposed regulation includes several measures to increase trust in data sharing, rules on neutrality to allow “novel data intermediaries” to function as trustworthy organizers of data sharing, and practices to give Europeans more control over how their data is used. The Commission also published a frequently asked questions page to coincide with the announcement.

The proposal is the first of a set of measures announced in the 2020 European strategy for data. The instrument aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.

Overview page with links etc.:
https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2102

Draft in English:
https://ec.europa.eu/newsroom/dae/document.cfm?action=display&doc_id=71222

Article: Johner Institut on meeting German DIGA requirements

https://www.johner-institut.de/blog/regulatory-affairs/datensicherheit-und-datenschutz-fuer-diga/

Includes an overview of the regulatory requirements:

  • MDR
  • DVG
  • DIGAV
  • BSI 200-1 BSI-Standard 200-1, Management systems for information security
  • BSI 200-2 BSI-Standard 200-2, IT-Grundschutz methodology
  • BSI TR03161 Security requirements for digital health applications
  • ISO 27001:2017
  • ISO/IEC 82304-1 Health software – Part 1: General requirements for product safety
  • ISO/IEC 82304-2 Health Software – Part 2: Health and wellness apps – Quality and reliability [future – includes a “seal”]
  • IEC 81001-5-1 Safety, security and effectiveness in the implementation and use of connected medical devices or connected health software – Part 5-1: Security – Activities in the product lifecycle