On 5 October last, the Luxembourg Data Protection Authority (CNPD) published a new decision sanctioning a life insurance company for erroneously sending two emails, intended for one of its clients and containing, among other things, medical data, to unauthorised third-party recipients with an email address similar to that of the client. In view of the GDPR infringements identified, the CNPD imposed a significant fine of 135.000 EUR and, referring also to the company's professional secrecy obligations, specifically ordered it to implement adequate security measures for the sending of emails containing special categories of data, such as medical data.
This article sets out the key takeaways of the decision of the CNPD...