A former Management Trainee at a global car rental company in the UK was fined for illegally accessing customer data. Between 18 March and 1 April 2019, the individual accessed at least 213 records across 25 branches without authorization, particularly during an unscheduled visit on 31 March 2019. Following an internal audit and investigation, the trainee were dismissed for gross misconduct, and the case was referred to the Information Commissioner’s Office. The individual pleaded guilty at Huddersfield Magistrates’ Court and was fined £265, with additional costs and a victim surcharge.
***The Belgium Data Protection Authority (DPA) concluded that the administrator of a software platform for booking doctor appointments is a data processor, not a data controller, as they do not determine the purposes of data processing. The platform administrator only provided an online scheduling system, with purposes set by healthcare providers. Consequently, access requests under GDPR should be directed to the data controllers (healthcare providers), not the data processor. The DPA found no GDPR violations by the platform administrator regarding the individual’s access request complaint.
***
The Austrian DPA fined a football league organizer €12,100 for failing to erase a player’s personal data after the player’s request. The player’s profile, which included identifiable information, remained partially visible on the league’s website despite the DPA’s order to delete it entirely. The fine was issued due to the controller’s repeated non-compliance and minimal cooperation.
Comments are closed.