A medical technology firm notified the Italian Supervisory Authority (the “Garante”) of a Bcc data breach. That notification triggered a wider investigation and fine. We consider the practical implications.
Medtronic Italia provides the Minimed Mobile (the “App”). That App links an insulin pump to the user’s smartphone so that the user can visualise the information from the pump on their smartphone. Once the user creates an account on “CareLink Personal”, the App receives the data from the insulin pump and, at the user’s discretion, synchronises the information with the CareLink Personal user’s account.
Unfortunately, Medtronic suffered a personal data breach after sending an email to the users of its App. This was a Bcc data breach: the recipients of the email were all placed in the “To” field (instead of the “Bcc” field) and hence were visible to every other recipient. Medtronic notified the Garante of the personal data breach.
The data breach notification triggered an investigation by the Garante into not just the personal data breach but also the wider processing by Medtronic. In particular, the Garante sought confirmation that:
The Garante found that Medtronic failed to comply with the GDPR and, in doing so, confirmed that emails are personal data. The breaches consisted of:
The Garante issued administrative fines against Medtronic of EUR 250,000 (security failings) and EUR 50,000 (transparency failings).
There are three important points to come out of this fine.
First, regulators are unlikely to be sympathetic to Bcc data breaches. Whilst these are often the result of human error and/or a failure to follow guidelines and policies, there should really be no possibility of this type of mistake happening in the first place. For example, the UK Information Commissioner suggests that where an email contains special category personal data, it should be sent using specialist email services that prevent recipient details from being included in the “To” or “Cc” fields at all.
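One way to build that control into an outbound mailer, as an added example that is not Medtronic's code or the Garante's guidance: a pre-send check that rejects any message exposing more than one recipient address, and a fan-out helper that always builds one message per recipient. The function names and the sample addresses are assumptions constructed for the example.

```python
from email.message import EmailMessage


class RecipientLeakError(ValueError):
    """Raised when a message would expose other recipients' addresses."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: everything in the To and Cc headers."""
    addrs: list[str] = []
    for name in ("To", "Cc"):
        header = msg.get(name)
        if header is not None:
            addrs.extend(a.addr_spec.lower() for a in header.addresses)
    return addrs


def check_no_recipient_leak(msg: EmailMessage) -> None:
    """Pre-send control: refuse any message with more than one visible recipient."""
    seen = visible_recipients(msg)
    if len(seen) > 1:
        raise RecipientLeakError(
            f"{len(seen)} recipient addresses visible in To/Cc; fan out instead"
        )


def fan_out(template: EmailMessage, recipients) -> list[EmailMessage]:
    """Build one message per recipient so that no recipient can see another."""
    out: list[EmailMessage] = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = str(template["From"])
        msg["Subject"] = str(template["Subject"])
        msg["To"] = rcpt  # exactly one visible recipient per message
        msg.set_content(template.get_content())
        check_no_recipient_leak(msg)  # verify before the message is queued
        out.append(msg)
    return out


def demo() -> list[EmailMessage]:
    """Constructed sample: a one-to-many notice fanned out safely."""
    tpl = EmailMessage()
    tpl["From"] = "notices@app.example.invalid"  # constructed sender
    tpl["Subject"] = "Service notice"
    tpl.set_content("Constructed sample body.")
    return fan_out(tpl, ["a@example.invalid", "b@example.invalid", "c@example.invalid"])


def leaky_sample() -> EmailMessage:
    """Constructed sample of the mistake itself: the whole audience in To."""
    msg = EmailMessage()
    msg["To"] = "a@example.invalid, b@example.invalid, c@example.invalid"
    return msg
```

Running `check_no_recipient_leak(leaky_sample())` raises, while every message from `demo()` carries a single visible address.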
Second, this is another example of the Garante requiring clear and specific disclosure of the legal basis (and the related purposes) relied upon for each processing operation. A detailed and clear privacy policy is key to protecting yourself against sanctions should you be investigated.
Finally, this is a salutary lesson that notifying a personal data breach may well trigger a broader investigation, especially when it involves special categories of personal data.