Thu. Mar 28th, 2024

Content Assessment: The Cost of GDPR Compliance? An Icy Response to Email Address and Access Request Non-Compliance

Information - 95%
Insight - 90%
Relevance - 91%
Objectivity - 92%
Authority - 95%

93%

Excellent

A short percentage-based assessment of the qualitative benefit of the recent post highlighting the fine of an Icelandic medical travel agency for GDPR noncompliance.

Editor’s Note: The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the General Data Protection Regulation (GDPR) and is based in Brussels.

Shared with permission of the EDPB,* this overview of a recent fine for infringement of the GDPR by an Icelandic medical travel agency highlights the importance of lawful use of email addresses and of handling access requests. The overview is provided for cybersecurity, information governance, and legal discovery professionals in the eDiscovery ecosystem operating under the GDPR, working with email lists, and responsible for data subject access requests (DSARs).


EDPB News*

The Icelandic SA: HEI Medical Travel Agency Fined for an Unlawful Use of an E-mail Address and Not Handling an Access Request

Final Decision

Background Information

  • Date of final decision: 3 May 2022
  • National case: 2020051610
  • Controller: HEI ehf. (HEI – Medical Travel)
  • Legal Reference: lawfulness of processing (Article 6), right of access (Article 15)
  • Decision: infringement of the GDPR, fine 1.5 million ISK (approx. 10.700 Euros).
  • Keywords: lawfulness of processing, access request, e-mail list, erasure of personal data.

Summary of the Decision

Origin of the Case

A complaint was made to the Icelandic SA about the use of the complainant’s e-mail address at HEI ehf., a medical travel agency in Iceland, as well as the company’s handling of the complainant’s request for access.

Key Findings

In its decision, the Icelandic SA notes that an employee at HEI ehf. had obtained the complainant’s, and several other doctors’, e-mail addresses, by logging into the internal website of the Icelandic Medical Association, with the access of a doctor who was a family member of the employee. HEI used the mailing list to send a targeted e-mail to doctors, including the complainant. In determining the fine, the Icelandic DPA considered that even though HEI had considered itself authorized to use the list, there was nothing in the case that proved that the company had ascertained the lawfulness of processing.

Furthermore, the complainant’s request for access had not been processed in accordance with the law. After the complainant had requested access to his data, the company erased his data. The company could therefore not answer the Icelandic SA’s questions on how many doctors were on the mailing list.

Decision

When deciding the fine, the Icelandic SA took into account, among other things, how the mailing list was collected and then used as well as the erasure of the complainant’s data. HEI ehf. was fined 1.5 million ISK (approx. 10.700 Euros).

For further information, see the decision in the national language below, or access Vinnsla á persónuupplýsingum og afgreiðsla aðgangsbeiðni hjá HEI – Medical Travel – sektarákvörðun.

Read the original announcement.


Read the Complete Decision: Decision in National Language (Icelandic) on HEI-Medical Travel Fine (PDF)

*Shared with permission.

Source: ComplexDiscovery

 
