Let the GDPR penalties begin
In many places in Europe, penalties and large fines are already being imposed for breaches of personal data laws.
There is hardly any way of avoiding the fact that on 25 May this year, the EU introduced the long-awaited General Data Protection Regulation (GDPR). Needless to say, not all companies have lived up to the strict rules, so the authorities have started to crack down on the offenders.
Computerworld writes that the German Data Protection Authority has issued the first fine under the new rules. It is the big German dating site Knuddels.de that has to pay 20,000 euros, after the company was hit by a hacker attack.
The attack resulted in the hackers, among other things, being able to steal 330,000 users’ passwords and email addresses. Although Knuddels.de was itself the victim of a crime, the digital burglars revealed that the passwords were stored as unencrypted text.
According to Computerworld, the German Computer Inspectorate states that Knuddels.de has been cooperative in getting the data security in order, and that the fine could have been much higher.
Personal messages to psychologists
In Denmark, the Danish Data Protection Agency has, according to DR, just reported the therapy portal, GoMentor.
It was the user Ann Pettersson who originally approached the Data Inspectorate. She had contacted a psychologist at GoMentor for help with stress. Then, without a password, she was given access to read four other clients’ confidential communication with their therapists.
– These were psychological problems of a sexual nature. There were psychological problems in relation to abuse, alcohol, drugs, childhood problems. Really difficult personal stories, says Ann Pettersson to DR.
She has apparently gained access to the correspondence because different types of users can be mixed together under certain circumstances.
GoMentor’s director, Troels Sletved, did not want to be interviewed about the case, but confirms in writing to DR that there has been a breach of personal data security.
He writes that they are very sorry that the breach happened, that they take their data responsibilities very seriously, and that they are in the process of ensuring that personal data is processed properly and confidentially.
GoMentor has initiated a major investigation with external consultants to solve the problems.
Uber paid hackers and didn’t tell anyone about it
Although the British are on their way out with Brexit, GDPR continues to apply to them. The British Data Inspectorate ICO has given the driving service Uber a fine of £385,000, equivalent to €440,080, for not having adequately protected users’ data before a hacker attack. The hackers could therefore download data on 2.7 million UK customers, including their full name, email and telephone number.
When Uber became aware of the attack, the company chose to pay the hackers $100,000 to destroy the stolen data rather than inform its customers about the big leak.
The hacker attack took place before the GDPR came into force, and Uber did not have any formal disclosure obligation at that time. However, the ICO does not conceal that the cover-up along with the payment to the criminals has influenced their decision.
Uber has also just been fined in the Netherlands.
Hospital used false profiles
In Portugal too, the authorities have begun to crack down on GDPR breaches. In July, a hospital received a fine of €400,000 for not having control over its personal data security.
The hospital staff had access to patient data through false profiles, and doctors had unlimited access to patient information beyond what was relevant to their expertise. The hospital defends itself by saying that they were only using the healthcare platform provided by the Portuguese Ministry of Health.