Why is it so interesting (and important!) to examine real-life cases from DPAs?

Joining the noyb country reporter team has been a very interesting experience for a number of reasons, and, for me, the most significant aspect is having to read each decision as it was originally published by the Italian authority, understand the key points, and translate what happened. Not just a ‘literal’ translation from Italian into English, but a translation following the noyb standard, which aims to make decisions “understandable” to a wider audience, and not just to those who are already familiar with the technical terms.

Well, in the meantime, I’ve been compiling a collection of summaries of decisions, and I’ve summarised a few that contain interesting points. In some cases, I’ve even recalled real-life situations I’ve experienced:

Use of corporate email, signs about surveillance cameras, and discussions regarding the strictly personal use of personal data

  1. The case involving a €10,000 fine imposed on an Italian town. An employee sent an email requesting an FFP2 mask, citing health issues he was experiencing at the time. Another employee replied and copied an email address into the conversation, which corresponded to a mailbox to which six other employees had access. Upon realising the mistake, the employee sent the subsequent messages only to the original sender. In its decision, the authority emphasised that the fact that the health issue of the employee who requested the protective mask was already known to others did not alter the fact that personal data had been processed without an appropriate legal basis, in addition to a breach of the principles of lawfulness, fairness, transparency and data minimisation. Why did this decision leave me thinking? Sometimes I get the feeling that corporate email can be a ticking time bomb. I think my biggest shock came when I worked at a bank and was responsible for DLP. I remember crystal clearly how I started work on the first working day of January, and by the middle of that month I was already desperate and embarrassed by the false positives popping up on the DLP. More than just an urgent refinement of the rules (I acquired that knowledge and ‘vocabulary’ over the following months), I realised how everyone simply worked in an environment that was absolutely monitored (bearing in mind that it is a bank, so extremely sensitive information circulates on a daily basis) but seemed unaware of this, or to have forgotten that the first thing an employee does is access a document containing information on monitoring and sign it. At least in that specific situation, I was able to use this huge daily concern as a justification for taking action in conjunction with the bank’s internal communications team, seizing the opportunity on 28 January to remind staff of certain personal data protection measures, including the use of corporate email.

  2. A fine imposed on a bar for installing CCTV cameras without proper signage. This is interesting because it highlights the importance of guidelines (in this case, Guideline 3/2019 was cited) and the need to provide information about entering a premises that is being monitored.

  3. Disputes between neighbours: the ruling concerned the installation of surveillance cameras aimed down an alleyway, but which filmed a neighbour’s door and window. I found the case interesting because the exception provided for in the GDPR for data processing for purely personal purposes was discussed and, in this instance, rejected. It was emphasised that there was no legal basis for the processing, and a fine, even if low, was imposed.

A nightmare for many: data breaches, ransomware attacks, and a growing number of incidents involving the misuse of corporate email and internal processes with gaps

  4. A case involving a fine imposed on a hospital that fell victim to a ransomware attack. Alongside dreams in which I have an exam coming up (usually maths) and haven’t studied, or a subject I know I’ll fail because I didn’t attend lessons, this one represents a personal nightmare; but, unlike those involving school-related themes, it fills me with dread even when I’m awake. In this case, what happened was that vulnerabilities in the controller’s firewall were exploited by the attackers, who managed to obtain the credentials of a supplier. Using the compromised credentials and a VPN connection, the attackers managed to launch the main attack a few months later, accessing the controller’s server which held health data on patients, staff and consultants. The attackers exfiltrated data from the server located in the Netherlands and established a backdoor connection. They then disabled the antivirus and ran code that spread ransom notes across workstations. In this case, the controller notified the Italian authority, which, in turn, made the following observations in its decision: it was considered that there had been a breach of the principles of integrity and confidentiality and a failure to implement adequate measures to detect data leaks promptly. The controller did not have a log management system that could have detected the suspicious activity preceding the attack. It was found that the network security measures were highly inadequate, with critical vulnerabilities such as a lack of network segmentation, VPN access without multi-factor authentication, maintenance accounts using shared admin credentials, and approximately 130 users possessing full admin privileges. Furthermore, the controller continued to run obsolete communication protocols.
     As I said at the start, this type of attack really frightens me, but reading this ruling, I am somewhat struck by the kind of vulnerabilities that can exist in a large controller, and, worse still, one whose scope of work involves the processing of special category data. Personally, I haven’t had to deal with any major security incidents “on our side”, although I have received reports of incidents that occurred on a supplier’s side (in this case, the company responsible for the staff gym scheme). In any case, one of the things I believe is absolutely essential is a good awareness programme aimed at staff, running continuously throughout the year, as well as a thorough stakeholder assessment and investment in a technically competent security team that incorporates all internal tests and audits into its routines. And of course, always keep the response procedures to hand for dealing with different incidents, with practical drills involving everyone concerned on a regular basis (personally, I actually found these drills quite fun, too).

  5. The case where a doctor sent an email to 15 internal departments and the local medical board, with the personal details of 13 patients attached. The doctor’s intention was to clarify his working hours, but as a result, the patients’ details were exposed. I found this case particularly fascinating, and I could relate to it personally. I have experienced first-hand an internal incident involving a bank correspondent who sent an email to a loooong list of email addresses in the “cc” field, without hiding the addresses. It was a bit chaotic when one of the people clicked ‘reply all’, and the mess only got worse when people started talking to each other in that crazy chain. I remember following the standard incident reporting procedure and taking steps to reinforce the most basic guidelines on sending emails to multiple recipients, and so on. Returning to the decision, I found it interesting that the Authority highlighted precisely this point, and considered that the controller had not implemented appropriate technical and organisational measures regarding the provision of instructions to staff on how to handle patient data properly. Other points I found interesting in this decision were: the Authority reinforced the understanding already addressed on other occasions, such as the fact that the mere indication of receiving medical treatment reveals information about a person’s state of health (for example, Lindenapotheke (C-21/23)). The fact that the health data was shared with individuals who were already aware of the patients’ condition was deemed irrelevant; consequently, it was found that there was no legal basis for processing this special category of data. A similar argument was also put forward in the case of the FFP2 mask, namely that prior knowledge of the data subject’s health condition did not alter the fact that the law had been breached.

  6. There was a case involving a former employee of a company who asked his former employer to delete his corporate email account. In this case, a fine was imposed on the controller, on the grounds that the company had taken too long to act, both in responding to the data subject and in taking any action regarding the request. This caught my attention, because I could only think of the importance of having clear and functional internal processes, both for handling requests from data subjects and in relation to former employees’ access to corporate systems.

  7. A recent case really got to me because, at one point, we needed to produce a contract signed between the controller and an external consultancy. The thing that left me “disappointed, but not surprised” was that they couldn’t find the contract in question. Mind you, I’m not even going to get into the size of the two companies involved (huge and extremely well-known), which might lead one to think that this sort of operational failure would never occur in large, well-structured companies in the market. HOWEVER, I remember perfectly well being completely shocked to learn that this did indeed happen, on two occasions in my professional life. The companies had completely different market histories, scopes and target audiences. And even the reasons why this might happen with some suppliers were different. In one case, I believe it was down to internal disorganisation, poor communication and the need to start offering a product or service “for yesterday”. In the other, it was more a question of maturity. That classic scenario of a brand-new company where you learn to change a tyre whilst driving. However, in both cases, the gaps were addressed. In the first, a person responsible for supplier management gradually pushed for this standardisation, alongside the audits (internal and external) that were putting pressure on this issue. In the second, the company’s growth necessitated a period of maturing and organisation. In all cases, I believe that, however obvious it may seem, it is never too much to emphasise that you should ALWAYS have a contract, especially one with a data protection agreement.