GDPR decisions – November 2020

Holst, Advokater | View firm profile

The Irish DPA fines Tusla Child and Family Agency EUR 75,000

In May 2020, the Tusla Child and Family Agency (Tusla) was imposed with an administrative fine of EUR 75,000, which has now been heard and confirmed by an Irish court of law.

The violations consisted of three breaches pertaining to personal data, which occurred because Tusla failed to redact personal data when disclosing documents to different third parties. The first personal data breach occurred when Tusla unintentionally provided the father of two children in foster care with their foster carer’s address. The second breach occurred when Tusla unintentionally provided a person, who was accused of child sexual abuse, with the address of the child, who had filed the complaint, and with the phone number of the child’s mother. The third breach occurred when Tusla unintentionally provided the grandmother of a child in foster care with the address and contact details of the child’s foster parents and the location of the child’s school.

It follows from the decision that Tusla infringed Article 32(1) of the GDPR by failing to implement appropriate organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data in respect of its sharing of documents with third parties. Furthermore, Tusla infringed Article 33(1) of the GDPR by failing to notify the the Irish data protection agency, DPC, of the third breach without undue delay. On those grounds, the court confirmed the administrative fine of EUR 75,000.

Please see the whole press release here:

Danish Rejsekort is ordered to delete personal data

Rejsekort is a company operating an electronic ticketing system for travelling by bus, train, and metro in Denmark, and in 2015 a person gave her consent for processing of personal data in connection with ordering a personal traveller’s card.

On 19 March 2019, the person withdrew her consent and on the same day Rejsekort confirmed that her customer file with Rejsekort had been closed and her personal data had been deleted.  Rejsekort also informed that pursuant to the Danish Bookkeeping Act, the company was obliged to keep financial data for 5 years, and that Rejsekort also saves data on travel activities and documentation of agreement conclusion for 3 years from the expiry of a customer relationship.

The person approached the Danish DPA and filed a complaint about Rejsekort’s failure to delete all data about her.

The DPA has decided in the matter and criticized Rejsekort of the following:

  • Rejsekort has processed the complainant’s data contrary to the lawfulness, fairness and transparency principle, as Rejsekort ought not have processed data on the complainant on the basis of a consent.
  • Rejsekort’s continued processing of data and information about agreement conclusion between Rejsekort and the complainant, cf. Articles 6 and 17 (1) lit. b of the GDPR.

As a result of the above, the DPA has served an enforcement notice on Rejsekort for the deletion of travel data and information about agreement conclusion regarding the complainant, since Rejsekort is not obliged to keep such data according to the Danish Bookkeeping Act.

Read the whole decision her (in Danish):

ICO fines Marriott International Inc GBP 18.4 million for failing to keep personal data secure

The ICO has fined Marriott International Inc GBP 18.4 million for failing to keep millions of customers’ personal data secure. Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc.

In 2014, an attacker installed a code onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user giving the attacker unrestricted access to the relevant device, and other devices on the network.

The attacker installed further tools to gather login credentials for additional users within the Starwood network in order to access the database storing reservation data for Starwood customers.

The attack remained undetected until September 2018, by which time the company had been acquired by Marriott. The personal data involved were names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership number.

The proposed fine was originally reduced by 20% to GBP 22.4 million to take account of the efforts taken by Marriott to stop the breach and reach out to its customers. The fine was further reduced to GBP 18.4 million due to the general economic consequences of the Covid-19 pandemic.

More from Holst, Advokater