Italian SA Fines US Company Offering Diabetes App

The European Data Protection Board (“EDPB”) has released a decision concerning a data breach notified to the Italian SA. An employee, as part of an information campaign, sent email messages with the recipients’ addresses in the ‘Cc’ field rather than in the ‘Bcc’ field. As a result, every recipient could view the other recipients’ email addresses, which in this case also disclosed health data.

The disclosure of other patients’ health status to the email recipients, without an appropriate legal ground and without adequate technical and organisational measures, violated Articles 5(1)(a) and (f) and 9 of the Regulation. The mandatory acceptance of the privacy policy and terms of use violated the principles of lawfulness and transparency and the conditions for consent (Articles 5(1)(a), 6, 7 and 9 of the GDPR). The unclear and incomplete information provided to the data subjects was in breach of Articles 5(1)(a), 12 and 13 of the GDPR. The company had also infringed Article 27 of the GDPR, as it had failed to appoint its EU representative.

According to the decision, taking into account the unintentional nature of the emailing activity, the cooperation shown by the company during the fact-finding activities and the company’s organisational profile, the Italian SA imposed an administrative fine of EUR 45,000 and ordered the company to bring the processing into compliance with the GDPR.

Further information is available here.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr