Mon. Jun 27th, 2022
    en flag
    nl flag
    et flag
    fi flag
    fr flag
    de flag
    he flag
    ja flag
    lv flag
    pl flag
    pt flag
    es flag
    uk flag

    Content Assessment: The Cost of GDPR Compliance? An Icy Response to Email Address and Access Request Non-Compliance

    Information - 95%
    Insight - 90%
    Relevance - 91%
    Objectivity - 92%
    Authority - 95%

    93%

    Excellent

    A short percentage-based assessment of the qualitative benefit of the recent post highlighting the fine of an Icelandic medical travel agency for GDPR noncompliance.

    Editor’s Note: The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the General Data Protection Regulation (GDPR) and is based in Brussels.

    Shared with permission of the EDPB,* this overview of a recent fine for infringement of the GDPR by an Icelandic medical travel agency highlights the importance of lawful use of email addresses and of handing access requests. The overview is provided for cybersecurity, information governance, and legal discovery professionals in the eDiscovery ecosystem operating under the GDPR, working with email lists, and responsible for data subject access requests (DSARs).


    EDPB News*

    The Icelandic SA: HEI Medical Travel Agency Fined for an Unlawful Use of an E-mail Address and Not Handling an Access Request

    Final Decision

    Background Information

    • Date of final decision: 3 May 2022
    • National case:  2020051610
    • Controller:  HEI ehf. (HEI – Medical Travel)
    • Legal Reference: lawfulness of processing (Article 6), right of access (Article 15)
    • Decision: infringement of the GDPR, fine 1.5 million ISK (approx. 10.700 Euros).
    • Keywords: lawfulness of processing, access request, e-mail list, erasure of personal data.

    Summary of the Decision

    Origin of the Case

    A complaint was made to the Icelandic SA about the use of the complainant’s e-mail address at HEI ehf., a medical travel agency in Iceland, as well as the company’s handling of the complainant’s request for access.

    Key Findings

    In its decision, the Icelandic SA notes that an employee at HEI ehf. had obtained the complainant´s, and several other doctors´, e-mail addresses, by logging into the internal website of the Icelandic Medical Association, with the access of a doctor who was a family member of the employee. HEI used the mailing list to send a targeted e-mail to doctors, including the complainant. In determining the fine, the Icelandic DPA considered that even though HEI had considered itself authorized to use the list, there was nothing in the case that proved that the company had ascertained the lawfulness of processing.

    Furthermore, the complainant’s request for access had not been processed in accordance with the law. After the complainant had requested access of his data, the company erased his data. The company could therefore not answer the Icelandic SA´s questions on how many doctors were on the mailing list.

    Decision

    When deciding the fine, the Icelandic SA took into account, among other things, how the mailing list was collected and then used as well as the erasure of the complainant’s data. HEI ehf. was fined 1.5 million ISK (approx. 10.700 Euros).

    For further information: decision in national language see below or access Vinnsla á persónuupplýsingum og afgreiðsla aðgangsbeiðni hjá HEI – Medical Travel – sektarákvörðun.

    Read the original announcement.


    Read the Complete Decision: Decision in National Language (Icelandic) on HEI-Medical Travel Fine (PDF) – Mouseover to Scroll

    personuvernd.is-Vinnsla á persónuupplýsingum og afgreiðsla aðgangsbeiðni hjá HEI Medical Travel sektarákvörðun

    *Shared with permission.

    Additional Reading

    Source: ComplexDiscovery

     

    Have a Request?

    If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

    ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

    ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.

    Early Lessons from the Cyber War: A New Microsoft Report on Defending Ukraine

    According to a new report from Microsoft, the Russian invasion relies...

    From Continuity to Culture? Preserving and Securing Ukrainian Public and Private Sector Data

    Highlighted by ComplexDiscovery prior to the start of the current Ukrainian...

    Considering Access Control Policy Models? Blockchain for Access Control Systems (NIST)

    As current information systems and network architectures evolve to be more...

    Friends in Low Places? The 2022 Data Breach Investigations Report from Verizon

    The 15th Annual Data Breach Investigations Report (DBIR) from Verizon looked...

    TCDI to Acquire Aon’s eDiscovery Practice

    According to TCDI Founder and CEO Bill Johnson, “For 30 years,...

    Smarsh to Acquire TeleMessage

    “As in many other service industries, mobile communication is ubiquitous in...

    A Milestone Quarter? DISCO Announces First Quarter 2022 Financial Results

    According to Kiwi Camara, Co-Founder and CEO of DISCO, “This quarter...

    New from Nuix? Macquarie Australia Conference 2022 Presentation and Trading Update

    From a rebalanced leadership team to three concurrent horizons to drive...

    On the Move? 2022 eDiscovery Market Kinetics: Five Areas of Interest

    Recently ComplexDiscovery was provided an opportunity to share with the eDiscovery...

    Trusting the Process? 2021 eDiscovery Processing Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    The Year in Review? 2021 eDiscovery Review Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    A 2021 Look at eDiscovery Collection: Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    Five Great Reads on Cyber, Data, and Legal Discovery for June 2022

    From eDiscovery ecosystem players and pricing to data breach investigations and...

    Five Great Reads on Cyber, Data, and Legal Discovery for May 2022

    From eDiscovery pricing and buyers to cyberattacks and incident response, the...

    Five Great Reads on Cyber, Data, and Legal Discovery for April 2022

    From cyber attack statistics and frameworks to eDiscovery investments and providers,...

    Five Great Reads on Cyber, Data, and Legal Discovery for March 2022

    From new privacy frameworks and disinformation to business confidence and the...

    Hot or Not? Summer 2022 eDiscovery Business Confidence Survey

    Since January 2016, 2,701 individual responses to twenty-six quarterly eDiscovery Business...

    Inflection or Deflection? An Aggregate Overview of Eight Semi-Annual eDiscovery Pricing Surveys

    Initiated in the winter of 2019 and conducted eight times with...

    Feeding the Frenzy? Summer 2022 eDiscovery Pricing Survey Results

    Initiated in the winter of 2019 and conducted eight times with...

    Surge or Splurge? Eighteen Observations on eDiscovery Business Confidence in the Spring of 2022

    In the spring of 2022, 63.5% of survey respondents felt that...