Hi privacy navigators,

We hope you had a great holiday season! Since it’s been a few weeks, this edition will cover more updates than usual to ensure you’re caught up on the latest privacy developments.

Here’s what we’ll cover this week:

  • NOYB Victory – Dutch DPA Fines Netflix €475,000
  • Irish DPC with new €251 000 000 Fine against Meta
  • EDPB Issues Opinion 28/2024 on AI Models
  • CNIL Fines Orange €2.4 Million for GDPR Violations
  • German Court Awards €10,000 for Unlawful Disclosure of Employee’s Health Data

NOYB Victory – Dutch DPA Fines Netflix €475,000

The Dutch DPA fined Netflix €475,000 after it failed to fully comply with a data subject’s access request.

The company provided incomplete information and did not connect data categories with the purposes they served, violating Article 15 of GDPR.

Here is an example of how we prefer to connect the processed data categories with the processing purposes:

In our experience, 99% of privacy policies online don’t comply with this ruling. Now is a good time to remind management that privacy policies should always be up to date and provide transparent, clear information about all data processing.

Source  

Irish DPC with new €251 000 000 Fine against Meta

The Irish DPC investigated Meta’s “View-As” feature after a security flaw exposed personal data from 50 million users to unauthorized parties.

Findings included:

  • Lack of Adequate Safeguards: Insufficient measures to protect user data.

  • Violation of GDPR Security Principles: Breach of data protection and accountability requirements.

Organizations must implement rigorous security protocols to avoid breaches and associated fines. Regular audits can help identify and mitigate vulnerabilities.

Source

EDPB Issues Opinion 28/2024 on AI Models

The European Data Protection Board (EDPB) released its Opinion 28/2024, addressing the application of GDPR to artificial intelligence (AI) models. Key points include:

  • Transparency: Organizations must provide clear and accessible information about AI systems.

  • Fairness and Bias: AI models should be tested for and protected against bias to prevent discrimination.

  • Purpose Limitation and Data Minimization: AI systems should use only the data necessary for their specific purpose.

  • Accountability: Organizations must establish clear roles and responsibilities for data controllers and processors.

If they haven’t already, organisations developing AI tools should use these guidelines to review their practices around transparency, fairness, and bias mitigation to ensure GDPR compliance.

See the full text of the Opinion here.

 

CNIL Fines Orange €2.4 Million for GDPR Violations

The French Data Protection Authority (CNIL) fined Orange, France’s leading telecommunications operator, €50 million for sending unsolicited advertising emails to users without their consent.

Between June 7 and 12, 2023, Orange’s email service, “Mail Orange,” displayed advertisements resembling regular emails in users’ inboxes. These ads were subtly marked, appearing in light grey with the label “publicité” (advertisement) and a cross for deletion.

Additionally, CNIL found that cookies remained active on users’ devices even after consent was withdrawn, continuing to collect data without authorization.

Source

 

German Court Awards €10,000 for Unlawful Disclosure of Employee’s Health Data

A German court ruled that an employee was entitled to €10,000 in damages after the unauthorized sharing of their health data. The employee’s health information, shared via email, was disseminated to nearly 10,000 members of an association.

The court emphasized that the sharing of sensitive health data constitutes harm in itself under GDPR, even without evidence of additional damages. This aligns with the CJEU’s stance on non-material damages.

Source

 
