The Agencia Española de Protección de Datos (AEPD, the Spanish supervisory authority) has imposed a fine of 3.5 million euros on a company for GDPR violations following a hacker attack on its database system. The attackers gained access to internal systems via a web application and exfiltrated data belonging both to the company and to other affected entities. The DPA found that the company’s security measures were insufficient, constituting breaches of GDPR Articles 5(1)(f) and 32. The DPA also criticised the company’s slow response to the breach, which allowed the damage to grow.
***
The General Data Protection Regulation (GDPR) requires that personal data be accurate, that individuals can access it, and that they can learn where it came from. OpenAI, however, has openly acknowledged that it cannot correct false information generated by ChatGPT or provide details about the origin of the data. Despite being aware of the issue, OpenAI maintains that ensuring factual accuracy in large language models remains an open research problem. Consequently, the non-profit organisation Noyb (None of Your Business) has lodged a complaint against OpenAI with the Austrian Data Protection Authority.
***
The Dutch supervisory authority (Autoriteit Persoonsgegevens, AP) has issued guidance on facial recognition. The document is intended for privacy professionals and for organisations that want to use facial recognition. It states that facial recognition is prohibited in most cases, but that there are exceptions; one of them is facial recognition that is necessary for authentication or security purposes. The AP also defines the conditions under which facial recognition counts as ‘personal or household use’ – in that case, the GDPR does not apply. The AP gives unlocking a phone with facial recognition as an example.
***
The Garante della Privacy (Italian DPA) fined a bank €10,000 for not promptly fulfilling an access request made by an heir on behalf of a deceased individual. Despite repeated requests, the bank initially denied that any accounts existed in the deceased’s name and later failed to provide the requested information. The bank’s objections, which attributed the delay to operational misunderstandings caused by the data subject’s use of an incorrect email address, were dismissed by the DPA. The DPA emphasised that data subjects are not obliged to use specific formats or channels when making requests under the GDPR.
May 10, 2024 11:44:00 AM