
Hello Friends,
A Data Fiduciary, when requesting consent from a Data Principal under the Digital Personal Data Protection Act, is required to provide a notice detailing the personal data being processed, the purpose of the processing, how the Data Principal can exercise their rights, and the process for lodging complaints with the Board. For data processed before the Act's commencement, the Fiduciary must give notice to the Data Principal as soon as it is practicable. Additionally, the notice should be available in English or in any language listed in the Eighth Schedule of the Constitution.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
Italy's Garante fines Foodinho 5 million euros for unlawful processing of rider data.
The Garante fined Foodinho €5M for unlawfully processing the biometric data and geolocation data of its riders. The company was unlawfully processing the personal data of more than 35,000 riders registered on its digital platform. The Garante's investigation found that Foodinho violated several articles of the GDPR, including the principles of accuracy and data minimization and the requirement of Data Protection by Design and Default. The watchdog ordered Foodinho to make a series of changes, including revising the messages it sends to riders about the deactivation or blocking of their accounts and adding an icon that indicates when GPS tracking is on, so that riders can turn it off when they are not working.
Greece HDPA fines Nautical Club of Vouliagmeni €56,000 for illegal processing of biometric data.
The HDPA noted that a member of the Group sent a request to the HDPA asking how to object to the processing of their biometric data, after the Group informed them that entry and exit would no longer be controlled by presenting a membership card to the security guard but by processing their biometric characteristics. The Group announced this change to the member without providing any further information or justification for the measure. The HDPA found the Group in breach of Article 5(1)(a), Article 35, and Article 38(3) of the GDPR. The HDPA also ordered the Group to cease processing personal data through the biometric-controlled entry system until it has carried out a DPIA.
USA: OCR fines mental health center $100,000 for failure to provide timely access to patient records.
The OCR explained that it launched an investigation after receiving a complaint from a patient who was not given timely access to their medical records, despite multiple requests in writing and by telephone. The OCR's investigation revealed that it took nearly seven months for Rio Hondo to provide the patient's records after the initial request, despite several follow-up calls. The OCR stated that the right of access provisions of the HIPAA Privacy Rule require that individuals or their personal representatives receive timely access to their health information within 30 days, for a reasonable, cost-based fee. In light of these facts, the OCR found that Rio Hondo failed to take timely action in response to the individual's right of access request.
Data Breach
Background check company suffers data breach affecting over 600,000 people.
A database belonging to SL Data Services was publicly exposed, with no password protection or encryption. The exposed data included vehicle records, court records, property ownership reports, full names, addresses, email addresses, employment details, social media accounts, phone numbers, and criminal records. After a responsible disclosure notice was sent, it took a week before SL Data Services took the database offline. Unfortunately, those whose data was exposed might not even know their information was included.
Privacy in Spotlight
HDFC Life Insurance Reports Data Leak, Assesses Impact of Breach.
HDFC Life Insurance confirmed a data breach involving the unauthorized sharing of sensitive customer information. The company has initiated an information security assessment and data log analysis. A detailed investigation is underway in consultation with information security experts to determine the root cause and take remedial action as necessary. The company has notified the BSE (Bombay Stock Exchange) of the breach.
Regulations
EU Cyber Resilience Act published in Official Journal of the European Union.
The Cyber Resilience Act, published in the Official Journal of the EU on November 20, 2024, mandates cybersecurity requirements for products with digital elements. It specifies essential requirements for security and vulnerability handling, outlines obligations for manufacturers including conformity assessments and risk assessments, and sets reporting obligations for actively exploited vulnerabilities. Importers and distributors must ensure compliance and exercise due care, with enforcement by Member States' authorities, including potential fines of up to €15 million. The Act enters into force on December 10, 2024; note that most of its obligations apply only from December 11, 2027, with the reporting obligations for actively exploited vulnerabilities and severe incidents applying from September 11, 2026.
Australia is on a fast-track to having the toughest social media law for youth.
Australia's government announced that it intends to pass legislation by the end of the year banning youth under age 16 from using social platforms, including Facebook, Instagram, TikTok, and X. This would set a new bar worldwide, as it imposes strict age-verification requirements and allows no exemption for parental consent or pre-existing accounts. Fines would be as high as $32 million for companies that fail to comply.