Details:
| Summary | The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises that it guarantees one hundred percent anonymity. On the platform, users can upload photos of underwear. In most cases, smartphones or other mobile devices were used to take the photos. The camera apps of the smartphones or GPS modules of the cameras often store additional information in the image file alongside the actual image as a standard setting. Based on this data, a fairly precise localization is possible. A review by the DPA revealed that the company had not cleaned up the residual information or metadata in the uploaded photos. Consequently, the data could be entered into any map service and the exact location where the photo was taken could be determined. The number of data subjects involved was approximately around 760 women between the ages of 18 and 50. For this reason, the DPA found that the company had failed to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. In addition, the DPA concluded that the company had unlawfully processed the associated data by uploading the photos without cleaning them. |
| Link: | link |
| Related articles: | Art. 6 GDPR, Art. 32 GDPR |
| Type: | Insufficient technical and organisational measures to ensure information security |
| Fine: | EUR Unknown |
| Sector | Industry and Commerce |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/