Three enforcement cases across Europe

Data minimisation, data subject rights and information security are the themes of the three recent data protection enforcement cases in this week’s review from Samad Miah, Data Protection Consultant at Xcina Consulting.
Stay informed of other key emerging themes as events unfold. Follow our round-up of latest stories and find out what the latest developments mean for you. Our weekly review below helps you decide.
Finland data protection regulator reprimands parking services provider
What happened
- The Finnish data protection regulator held that a parking services provider (the data controller) violated the principles of data minimisation and data protection by default as customers were not informed of an alternative method for receiving a printed copy of a receipt.
- When paying at a payment machine, the customer could choose to receive an electronic receipt, a paper receipt or no receipt at all.
- If the customer wanted an electronic receipt, they had to give their phone number so that the receipt could be delivered by SMS.
- When the printer inside one particular payment machine failed, the customer was left with the impression that the electronic receipt was their only option.
- It was later established that the customer could have requested a paper receipt from customer service, but they were not informed of this option.
Why it matters
- The Finnish data protection regulator considered the data controller’s actions to be a violation of the principles of data minimisation and data protection by default as it did not implement appropriate technical and organisational measures to ensure that, even in the event of a technical failure, it would not collect more data than was necessary from the customer.
- The Finnish data protection regulator ordered the data controller to bring its processing operations into compliance with the EU GDPR. This involves informing the customer, in the event of a technical failure, that providing their phone number is optional and that a paper receipt can be obtained by contacting customer service.
- More information on the case can be found here.
Dutch data protection regulator issues €525,000 fine for unnecessarily requesting proof of identity
What happened
- The Dutch data protection regulator has issued a significant fine against a media company (the data controller) for a violation of Article 12(2) of the EU GDPR by asking data subjects to upload a copy of their ID to verify their identity so that they could exercise their rights to access and erasure.
- Between May 2018 and January 2019, the Dutch data protection regulator received a number of complaints from data subjects who did not have an account with the data controller but had to provide a copy of their ID document as verification before they could submit an access request or an erasure request under Chapter 3 of the EU GDPR.
- This request for ID was not required for users who had an account.
Why it matters
- The Dutch data protection regulator stated that requiring ID to verify the validity of a request may, in some cases, violate the EU GDPR by preventing the data subject from exercising their rights.
- As a result, the data controller must first try to verify a data subject’s identity based on the information it already has.
- The data controller must also only request a copy of the data subject’s ID if there is a lawful basis to do so (under Articles 6 and 9 of the EU GDPR).
- In this particular case, the Dutch data protection authority stated that it was possible to verify the data subject’s identity based on other information (e.g. subscription details, name, and email address).
- More information on the case can be found here.
Swedish data protection regulator issues €150,000 fine on hospital for not sending emails securely
What happened
- The Swedish data protection regulator issued a fine of approximately €150,000 on a hospital for a violation of the security principle of the EU GDPR by emailing unencrypted health records to patients and hospitals abroad.
- The Swedish data protection regulator highlighted that this case involved large amounts of health data, which is more sensitive in nature, and included children’s data.
- It was found that health data was being sent by email without encryption since at least 2014. At some point, the hospital began using Microsoft Outlook’s Transport Layer Security (TLS) encryption. However, if the email software on the recipient’s side did not support TLS, the emails were still sent without encryption.
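The fallback described above is the difference between opportunistic and mandatory STARTTLS. The following is an added example (not from the regulator's decision or the hospital's systems) showing the two policies side by side: the same EHLO capability check either falls back to cleartext or refuses to send. The EHLO responses are constructed, and `send_mandatory_tls` is an assumed helper built on Python's `smtplib`.

```python
"""Opportunistic vs mandatory STARTTLS for outbound mail carrying health data."""
import smtplib
import ssl
from enum import Enum


class TlsPolicy(Enum):
    OPPORTUNISTIC = "may"      # use TLS if offered, otherwise send in the clear
    MANDATORY = "encrypt"      # never send in the clear; abort instead


class CleartextRefused(Exception):
    """Raised when the peer offers no STARTTLS and the policy forbids cleartext."""


# Constructed EHLO responses; hostnames are placeholders, not real systems.
EHLO_WITH_TLS = ["250-mx.hospital.example Hello", "250-SIZE 35882577",
                 "250-STARTTLS", "250 8BITMIME"]
EHLO_NO_TLS = ["250-legacy.clinic.example Hello", "250-SIZE 10240000",
               "250 8BITMIME"]


def parse_ehlo_extensions(ehlo_lines):
    """Return the set of ESMTP extension keywords the receiving MTA advertised."""
    exts = set()
    for line in ehlo_lines[1:]:            # first line is the greeting, not an extension
        body = line[4:] if line[:3].isdigit() and line[3] in "- " else line
        exts.add(body.split()[0].upper())
    return exts


def decide_transport(extensions, policy):
    """Return 'tls' or 'cleartext'; raise under MANDATORY if TLS is unavailable.

    With OPPORTUNISTIC this reproduces the failure in the Swedish case: any
    recipient server without STARTTLS silently receives the mail unencrypted.
    """
    if "STARTTLS" in extensions:
        return "tls"
    if policy is TlsPolicy.MANDATORY:
        raise CleartextRefused("peer does not offer STARTTLS; message not sent")
    return "cleartext"


def send_mandatory_tls(host, msg, sender, recipients, port=25):
    """Assumed helper: deliver only over a certificate-verified TLS channel."""
    ctx = ssl.create_default_context()     # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        exts = {k.upper() for k in smtp.esmtp_features}
        decide_transport(exts, TlsPolicy.MANDATORY)   # raises rather than falling back
        smtp.starttls(context=ctx)
        smtp.ehlo()                        # capabilities must be re-read after STARTTLS
        smtp.send_message(msg, sender, recipients)
```

Note that even mandatory STARTTLS only protects the hop to the next server; the end-to-end solution the hospital later adopted protects the content regardless of intermediate relays.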
Why it matters
- In order to determine the fine for these violations, the Swedish data protection regulator considered the large amount of data and the long period of time over which it was shared.
- As a mitigating factor, the Swedish data protection regulator recognised that the hospital had, after conducting a Data Protection Impact Assessment (DPIA), eventually introduced an end-to-end encryption solution in 2019.
- More information on the case can be found here.