Background information
- Date of final decision: 7 July 2022
- Cross-border case or national case: National case
- Controller: US Company – Senseonics INC
- Legal Reference: GDPR Article 5, para 1 letters a), b) and f) (lawfulness, fairness and transparency; purpose limitation; integrity e confidentiality); Article 6 (lawfulness of processing); Article 7 (conditions of consent); Article 9 (processing of special categories of personal data, including health data); Article 12 (transparent information, communication and modalities for the exercise of the rights of the data subject); Article 13 (Information to be provided where personal data are collected from the data subject) and Article 27 (Representatives of controllers or processors not established in the Union)
- Decision: finding of infringements of the GDPR (imposition of administrative fine and order to comply)
- Key words: GDPR, data breach, App, health data, lawfulness, fairness and transparency, glucose monitoring system, diabetes, consent, EU representative
Summary of the Decision
Origin of the case
Notification of data breach to the Italian SA due to an employee’s sending – as part of an information campaign – email messages with the recipients’ addresses in the ‘Cc’ field rather than in the ‘Bcc’ one. This resulted into enabling every recipient to view the other recipients’ email addresses that in this case, also contained data disclosing health data.
Key Findings
The Italian SA found that the controller (a US company) has unlawfully disclosed email accounts and health data relating to about 2,000 Italian diabetic patients and committed additional infringements of data protection laws. In particular, after downloading the app, users were expected to accept, by a single click, the terms of use of the service jointly with the contents of the privacy policy. This prevented them from giving their consent separately to the individual processing operations including the processing of health-related data. Fairness and transparency principles were also infringed since the information provided to users was unclear as well as incomplete, and the company had failed to designate, in writing, its EU representative for all privacy-related issues in pursuance of the GDPR.
Decision
The disclosure to the email recipients of other patients’ health status without an appropriate legal ground and adequate technical and organisational measures entailed the violation of Articles 5(1)(a) (f) and 9 of the Regulation. The mandatory acceptance of privacy policy and terms of use entailed the violation of lawfulness and transparency principles and the conditions for consent (Articles 5 (1) (a), 6, 7 and 9 of the GDPR). The unclear, incomplete information provided to the data subjects was in breach of Articles 5, par. (1) (a), 12 and 13 GDPR. The company had also infringed article 27 GDPR as it had failed to appoint its EU representative.
Taking into account the unintentional nature of the emailing activity along with the cooperation shown by the company in the course of the fact-finding activities and the company’s organization profile, the Italian SA imposed an EUR 45,000 administrative fine and an order to bring the processing into compliance with the GDPR
For further information:
decision in national language "Ordinanza ingiunzione nei confronti di Senseonics Inc."
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.