Data Protection Newsletter
Ambit Compliance
Supporting you with bespoke solutions for your unique compliance needs
For updates all year round, follow our Company page here:
https://www.dhirubhai.net/company/27137555/
What caught our eye…
The world of data protection is ever evolving. With EU Data Protection Authorities issuing guidance and fines on a near weekly basis, as well as case law slowly emanating from the courts, there truly is never a dull moment!
Amongst the Twitter feeds, Google alerts and news headlines, here is what caught our eye in November 2022.
Ireland: On the 28th November 2022, the DPC announced the conclusion of an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of “Facebook”, imposing a fine of €265 million and a range of corrective measures. This inquiry began in April 2021 on foot of media reports into the discovery of a collated dataset of Facebook personal data available on the internet. The main issue here is Meta’s failure to apply measures to meet the requirements of Article 25, Data Protection by Design and Default. In short, Meta failed to “bake in” privacy measures and settings, and therefore individuals’ phone numbers could be scraped from the platform.
Germany: A working group of German data protection regulators has found that Microsoft 365 cannot be used lawfully under the GDPR despite Microsoft recently updating their Data Processing Agreement. The concerns mainly relate to the lack of transparency around the fact that Microsoft may be acting as a controller by determining the means and purposes of processing. The German State of Hesse has already banned the use of MS 365 in schools and
EU: The CJEU has recently held that controllers must implement technical and organisational measures to inform other controllers with whom they shared the personal data that the data subject, to whom the data relates, has made an erasure request.
The moral of the story is…
Each month we analyse a decision of the Data Protection Commission to understand what it means for companies big or small.
This month we have taken a closer look at the DPC fine of University College Dublin (UCD).
In December 2020 UCD was fined €70,000 in respect of a number of infringements of the GDPR. The DPC decision also included a reprimand and an order to bring processing operations concerning its email service into compliance with Articles 5 and 32 of the GDPR.
What happened?
UCD notified the DPC of seven personal data breaches between 8 August 2018 and 21 January 2019. The personal data breaches concerned instances where unauthorised third parties accessed UCD email accounts, or where the login credentials for UCD email accounts were posted online, or both.
Unauthorised access to email accounts resulted in access to personal data stored in emails in those accounts, including inboxes and sent items. The personal data in question therefore relates not only to the holders of the email accounts, but also to a much larger number of third parties.
What did the DPC say?
In relation to those breaches, the DPC found that UCD infringed Articles 5(1)(f) and 32(1) of the GDPR by failing to process personal data on its email service in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.
The DPC also found that UCD infringed Article 5(1)(e) of the GDPR by storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the personal data were processed.
In addition, UCD had infringed Article 33(1) of the GDPR by failing to notify one of the personal data breaches to the DPC without undue delay. This personal data breach was notified 13 days after UCD became aware of it.
What does that mean for my organisation?
1. Assess the risk levels of the personal data being exchanged via email systems.
2. Apply appropriate safeguards such as encryption.
3. Minimise the risk of hacking and third-party unauthorised access by implementing two-factor authentication across your email system.
4. Regularly review your organisation’s email retention policy to reduce the amount of data your employees store in their mailboxes.
5. Data erasure from emails can be automated. There are email services where you can set messages for deletion after a designated length of time.
6. It’s important to educate your team about email safety. Links and attachments from unknown sources should never be clicked or downloaded.
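Points 4 and 5 above describe a retention policy enforced by automated deletion. The script below is an added illustration, not code from the newsletter or from any email provider: it applies a per-folder retention period (the 365/730-day values are assumed for the example, not UCD's or anyone's actual policy) to constructed mailbox metadata, skips messages on legal hold and leaves any folder without a configured period untouched rather than over-deleting, and returns the identifiers that would be erased so the result can be reviewed before anything is removed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Message:
    """Minimal mailbox metadata (constructed for the example)."""
    msg_id: str
    folder: str           # e.g. "inbox", "sent", "archive"
    received: datetime    # timezone-aware UTC timestamp
    legal_hold: bool = False


# Assumed retention policy in days per folder; a real policy comes from
# the organisation's own retention schedule, not from this example.
RETENTION_DAYS = {"inbox": 365, "sent": 365, "archive": 730}


def select_for_erasure(messages, now, retention_days=RETENTION_DAYS):
    """Return the sorted ids of messages whose retention period has elapsed.

    Messages on legal hold are never selected, and messages in a folder
    without a configured period are left alone (fail closed: do not delete
    what the policy does not explicitly cover).
    """
    expired = []
    for m in messages:
        limit = retention_days.get(m.folder)
        if limit is None or m.legal_hold:
            continue
        if now - m.received > timedelta(days=limit):
            expired.append(m.msg_id)
    return sorted(expired)


def retention_report(messages, now, retention_days=RETENTION_DAYS):
    """Summarise what the policy would do, for review before deletion runs."""
    to_erase = set(select_for_erasure(messages, now, retention_days))
    held = sum(1 for m in messages if m.legal_hold)
    return {
        "total": len(messages),
        "erase": len(to_erase),
        "retain": len(messages) - len(to_erase),
        "legal_hold": held,
    }


def _utc(y, mo, d):
    return datetime(y, mo, d, tzinfo=timezone.utc)


# Constructed sample mailbox; the evaluation date is fixed so results are reproducible.
NOW = _utc(2022, 12, 1)
SAMPLE = [
    Message("m1", "inbox", _utc(2021, 6, 1)),                    # older than 365 days: erase
    Message("m2", "inbox", _utc(2022, 10, 15)),                  # recent: retain
    Message("m3", "sent", _utc(2021, 1, 10), legal_hold=True),   # expired but on hold: retain
    Message("m4", "archive", _utc(2020, 1, 1)),                  # older than 730 days: erase
    Message("m5", "drafts", _utc(2019, 1, 1)),                   # no policy for folder: retain
]

if __name__ == "__main__":
    print("would erase:", select_for_erasure(SAMPLE, NOW))
    print(retention_report(SAMPLE, NOW))
```

Running the script as written lists `m1` and `m4` for erasure; in practice the selected ids would be fed to the mail platform's deletion API only after the report has been reviewed.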
Tales from the Coalface
As part of our audit process, we ask our clients what data processors they use, and what due diligence and contracts they have in place. Here are some facts and tips regarding management of data processors.
Q. Who or what is a data processor?
A. A data processor processes personal data on behalf of a data controller. A data processor can be a natural or legal person, public authority, agency or other body. A data processor does not include employees of a data controller. Common examples of data processors include an IT managed service provider, outsourced payroll, outsourced recruitment and outsourced CCTV monitoring.
Q. What does the GDPR say about data processors?
A.
· Art 28 says that controllers shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
· Recital 81 states that the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement measures which will meet the requirements of the GDPR, including for the security of processing.
· The processor shall not engage another processor without the prior written authorisation of the controller.
· Processing should be governed by a contract which includes the specifics of the processing amongst other details.
· The processor should notify the controller of a personal data breach affecting their data without undue delay.
Q. What questions should I ask my data processors?
A.
· What training have staff received with regard to data protection, security and confidentiality?
· What technical measures have they implemented to protect the data on their systems?
· What physical security do they have in place?
· Please sign this service contract and data processing agreement!
Q. What happens if my processor has a breach?
A. Your processor should notify you without undue delay. An investigation into the causes of the breach and the liability of the processor should be conducted.
Here is the Ambit Compliance Newsletter for December. Don’t forget to subscribe so you never miss an episode.