DPAs aren't obliged to exercise a corrective power in all cases of a breach, in particular imposing a fine, for example if the controller took necessary measures to end and further prevent the breach.
The 🇳🇴 University of Agder was fined €12,500 (NOK 150k) for failing to secure personal data on Teams/SharePoint and insufficient internal controls. Short decision, several takeaways for everyone!
[15 July: Municipalities complies with Jan order + 🚨 DPA asks for EDPB opinion on the scope of a controller's documentation obligations regarding a processor's use of sub-processors] The Danish DPA's landmark decision of 2022 to ban certain use of Google products and US transfers, is still ongoing.
🇫🇷 Massive breach and what we can learn immediately from it: data minimisation, deletion, breach response plans - and communication that people actually understand!
This case is not only a goldmine for DPOs in the Swedish healthcare sector (although particularly so), but DPOs in general, for assessing roles, legal bases and processor liability.
🇸🇪 MedHelp must pay SEK 11,3 million (~$1m) for leaking 2,7 million health-related conversations (of 170 000 hours) online for several years and no legal basis for forwarding call to Thailand.
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear 😱 = non-material damages (but must be proven by the data subject).