Garante per la protezione dei dati personali (Italy) - 9991183

From GDPRhub
Garante per la protezione dei dati personali - 9991183
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 08.02.2024
Published: 08.03.2024
Fine: 300,000 EUR
Parties: Medtronic Italia
National Case Number/Name: 9991183
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: im

The DPA imposed a €300,000 fine against a medical technology firm for its use of the 'To' field instead of the 'Bcc' field when sending emails to the users of its app, leading to unauthorized processing of health data.

English Summary

Facts

The Medtronic Diabetes is a medical technology firm focused on innovation of diabetes solutions such as developing the MiniMed Mobile app which displays insulin pump and continuous glucose monitoring data. The app offers a direct connection with patient's healthcare provider through a 'CareLink' Personal software.

The team member of the firm emailed users of the MiniMed Mobile app in different countries within and outside the EU. The purpose was to notify them about a server maintenance update and the steps needed to regain access to the 'CareLink' Personal software as part of this update.

The member of the team included the recipients’ e-mail addresses in the ‘To’ field instead of the ‘Bcc’ field which stands for ‘Blind Carbon Copy’. As a result, around 5,000 email addresses of MiniMed Mobile app users worldwide were exposed, including 732 in Italy.

The email notification didn't contain personal data, but recipients' email addresses were visible. Medtronic swiftly notified the breach to the Italian DPA, attempting to recall all emails and instructing affected users to delete them. After the incident, the controller re-trained staff on email notification procedures and started implementing an automated tool to prevent such incidents in the future.

These email addresses were in some cases made up of a combination of first name and surname of the data subject, which made it possible to identify the person in question, thus indirectly disclosing data relating to their health within the meaning of Article 9 GDPR. The controller stressed that the content of the e-mail did not include any personal data but revealed that the recipients were users of the MiniMed Mobile app.

Based on this notification of the incident, the DPA requested further preliminary information.

Holding

In this case, the DPA scrutinized the company's actions regarding the sharing of personal health data via email notifications to a large number of recipients. The DPA concluded that the company failed to uphold the obligation to implement adequate security measures to protect personal data as per Article 5(1)(f) GDPR and Article 32 GDPR. According to the DPA, the technical and organizational measures adopted by the Company were not suitable to guarantee a level of security adequate to the risk. This is the case in view of the personal data breach notified by the data controller as such and in view of the significant number of email addresses contained in a single notification.

Additionally, they found a breach of Article 9 GDPR, which concerns the processing of special categories of personal data, such as health data. In this case, the unauthorized disclosure of email addresses of individuals likely experiencing diabetic conditions constituted a breach due to inadequate security measures by the company.

Lastly, The DPA found a breach of Article 5(1)(a) GDPR and Article 12 GDPR and Article 13 GDPR regarding the sharing of patient clinical data through the "Health Partner Share" feature which allowed the patient to link their account with that of their healthcare professional. The violation stemmed from the company's failure to provide clear and transparent information regarding the processing of personal data during the linking of personal data. Specifically, the company's privacy policy lacked clarity regarding the legal basis for processing personal data, including health data, in the context of the feature.

For the aforementioned violations, the DPA imposed a fine of €300,000.

Comment

In this case, the DPA found a breach, among others, of Article 9 GDPR. The Article 9 GDPR prohibits the processing of special categories of data. In this case, the main issue was the processing of such data without ensuring security of processing appropriate to the level of the risk under Article 32 GDPR. In our opinion, the breach concerned the latter Article instead. Article 9 GDPR can be used to explain what sensitive data is, but in our opinion, it should not be an autonomous violation here.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 7 March 2024

[doc. web no. 9991183]
Provision of 8 February 2024
Register of measures
n. 62 of 8 February 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stazione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing “Code regarding the protection of personal data (hereinafter “Code”)”;
GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);
HAVING SEEN the documentation in the documents;
GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;
Speaker: the lawyer. Guido Scorza;
PREMISE
1. Violation of personal data
The company Medtronic Italia (hereinafter "Company"), with deed dated XX, subsequently integrated with communication dated XX, notified the Authority of a violation of personal data, pursuant to art. 33 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”).
In connection with this event, the Company disclosed that: “On XX at approximately 3:30 pm, a member of the Medtronic Diabetes team sent an email notification to users of the MiniMed Mobile app located in various countries within and outside the EU to inform them about (1) a server maintenance update, and (2) the requirement for users to log back in to the CareLink™ Personal software, as part of this server maintenance update. A total of 11 email notifications were sent, using Microsoft Outlook, as a temporary solution while a new automated process was implemented. 10 email notifications contained between 490 and 495 email addresses, while 1 email notification contained 8 email addresses. Based on our investigation to date, the Diabetes team member did not follow Medtronic's defined process for planned and unplanned server outages, and included recipient email addresses in the “To” field, rather than in the “BCC” field. Due to this human error, recipients' email addresses were visible to other recipients, which is approximately 489-494 recipients or 7 recipients, depending on the email sent. Approximately 5,001 email addresses of users of the MiniMed Mobile app worldwide were exposed, of which 732 were in Italy. The content of the email notification did not include any personal data so that only the email addresses were visible to other recipients. Immediately upon becoming aware of the issue, Medtronic took steps to remedy the issue and prevent it from recurring. An attempt was immediately made to recall all emails and an email was sent to all affected users asking them to delete any copies of the email received on XX. Medtronic has re-trained affected staff to remind them of the importance of following standard email notification processes and is in the process of implementing a new automated tool to prevent this from happening in the future.”
More specifically, it was represented that "the notified incident involves the possibility for unauthorized third parties to access the email addresses of people potentially interested in diabetes products, or the email addresses of their caretakers. These email addresses are in some cases made up of a combination of name and surname which thus makes it possible to identify the subject in question, indirectly disclosing data relating to their health, i.e. a particular category of personal data pursuant to Art. 9 of the GDPR” and that “only the email addresses were visible to other recipients of the email. The content of the email did not include any personal data but reveals that the recipients are users of the MiniMed Mobile app and therefore people who may be affected by diabetes.”
In relation to the probable consequences, it was assessed that "the incident could cause phishing attempts. However, Medtronic has taken steps to recall the emails and has asked all users to delete any copies of the email they have received so that Medtronic can reasonably expect such users to comply with Medtronic's instructions and take no further action with that information."
Additionally, the Company represented that it has “a rigorous procedure for planned and unplanned server outages with several steps to follow to notify users. However, Medtronic's standard procedure was not followed in this case. Additionally, Medtronic is reviewing its current processes to further improve them, using a new automated tool to prevent this incident from occurring in the future."
The Company has also declared that:
- to remedy the breach and reduce its adverse effects on data subjects, “immediately upon discovering this issue, Medtronic took a series of corrective actions, including (1) recalling the emails; (2) instruct email recipients to (i) delete any copies of the email they receive with recipient email addresses in the “to” field and (ii) to take no further action with such information; and (3) re-train affected personnel”;
- to prevent similar future violations “is reviewing its processes to further improve them (for example, implementing additional checks before sending any email notifications). Medtronic is also implementing a new tool to prevent this from happening in the future”;
- “the same violation is reported by other subsidiaries of the Medtronic group, each as owner, to the competent data protection authorities of Belgium, the Czech Republic, Finland, Germany, the Netherlands, Norway, Spain, Sweden, France, United Kingdom".
2. The preliminary investigation activity
With specific reference to the facts involved in the aforementioned violation, the Company, with note dated XX, provided feedback to the request for information from the Office dated XX (prot. n. XX). In this context, in addition to what has already been communicated, the Company, in representing that it is part of the "Medtronic group, whose operational headquarters is located in the United States" and that "the Medtronic group is a global leader in the development and production of medical devices for the care and treatment of various pathologies, including diabetes", declared that:
- “the MiniMed™ Mobile app is a Medtronic app that connects - via Bluetooth - the MiniMed™ insulin pump to the user's smartphone, allowing the user to view pump and sensor information on their smartphone. The MiniMed™ Mobile app requires registration with CareLink™ Personal, a software classified as a medical device (…)”;
- “once a CareLink™ Personal account has been created and registration is completed, the MiniMed™ Mobile app receives data from the user's MiniMed™ insulin pump and can be, at the user's discretion, manually or automatically synchronized with the user's CareLink™ Personal account (…)” which is intended to “provide a secondary view on the user's smartphone, for self-monitoring by the user and to synchronize data with CareLink™ Personal”;
- “the processing of users' personal data through CareLink™ Personal and the related MiniMed Mobile app is described in a specific privacy policy (...). Since this is a special category of personal data (health data), the explicit consent of users is required for the provision of services, including sending users communications of an operational nature, such as server maintenance updates";
- "the information is shown to users for the first time, and consent is given by the latter, at the time of registration on CareLink™ Personal before users provide personal data" and the possibility to modify or revoke is always ensured your consent at any time by accessing your personal account (…)”;
- “the MiniMed™ Mobile app is available in various countries. In each country, the Medtronic company located therein is responsible for providing technical assistance and support to users of the MiniMed™ Mobile app resident in the country in which that company is located, including providing related communications. Consequently, the undersigned Company acts as data controller of the personal data of users of the MiniMed™ Mobile app located in Italy (...)";
- “within the Medtronic group, (…) [the Company] uses centralized helpdesk functions in order to provide technical assistance and support services. (…) provided by Medtronic MiniMed, Inc. These services include the provision by Medtronic MiniMed, Inc. of second and third level technical assistance and support, for problems that cannot be resolved locally, as well as for the dispatch of urgent communications of interruption of services, such as that which is the subject of the violation notification";
- “Medtronic MiniMed, Inc. provides these services (…) as data controller while each of these subsidiaries (including the undersigned Company) acts as an independent data controller of the personal data of users of the MiniMedTM Mobile app who are in the respective country".
With particular reference to the cross-border nature of the processing, the Company represented that:
- it and, more generally, the Medtronic group, do not have a "main plant pursuant to art. 4, par. 16, of the Regulation. The Company acts exclusively as a data controller in relation to the processing of personal data of users of the MiniMed™ Mobile app in Italy” and “has not processed the personal data of subjects located outside of Italian territory, neither on its own behalf nor for account of other subsidiaries of the Medtronic group established in other EU Member States”;
- “Medtronic group subsidiaries established in the EU territory make autonomous decisions regarding the purposes and means of processing personal data of users of the MiniMed™ Mobile app in their country”;
- "in the case in question, however, given that the email communication in question had to be sent urgently, the undersigned Company (as well as the other EU subsidiaries) made use of the services of the 24-hour technical assistance and support team 24 provided by Medtronic MiniMed, Inc. to send the communication";
- “(…) has not processed personal data of subjects located outside the Italian territory, neither on its own behalf nor on behalf of other subsidiaries of the Medtronic Group in the EU”.
In relation to the legal basis on the basis of which the personal data of the interested parties were processed and which would have allowed the sending of the email to the latter, the Company clarified that "the explicit consent of the users was requested for the processing of their data personal for the provision of services, including the sending of related communications of an operational nature, in accordance with art. 6, par. 1, letter. a), and art. 9, par. 2, letter. a), of the Regulation" and that "where the Information refers to the use of consent for other purposes, a separate and specific explicit consent is required for such purposes, such as the improvement and development of products and services and the general improvement of therapy management and the development of publications and marketing materials”.
With regards to the transfer of intragroup data, the Company highlighted that "for the performance of technical assistance and support activities it is necessary that certain personal data be transferred to the US company Medtronic MiniMed" and that "in compliance with current legislation, they have been recently stipulated the new Standard Contractual Clauses based on the Commission's Implementing Decision (EU) 2021 /914". In any case, “Medtronic's 24-hour technical assistance and support team, which actually sent the communications in question, is located in Canada, recognized by the European Commission as a country that ensures an adequate level of data protection (according to the Commission's decision of 20 December 2001)". Canadian staff on Medtronic's 24-hour technical assistance and support team received specific training on the procedure in January 2021, which was prior to the reported breach.
In order to avoid the repetition of similar events, the Company declared that it has carried out training activities for the "personnel concerned in order to underline the importance of following the standard company processes for sending notifications to users and to reiterate the need to include recipients in the “BCC” field” and to have “implemented a peer-review process such that all notifications sent to users of the Minimed TM Mobile app are double-checked by a second designated employee, to ensure that the recipients have been included only in the "BCC" field, attaching the documentation certifying the implementation of this new process and that "a new solution for sending notifications to users is being implemented, in order to reduce the steps manuals involved in the process, which are usually performed by staff. This involves automating the process to include recipients in the “BCC” field, reducing the risk of unauthorized disclosure of personal data caused by human error, when sending notifications to users of the Minimed™ Mobile app.”
With a subsequent note of the XX, the Company provided feedback to the Authority's further request for information (note of the XX, protocol no. XX) concerning in particular the personal data protection profiles carried out by the figures of the "Physician ” and the “Medical Center” cited in the information on the processing of personal data acquired in the proceedings. In particular, with reference to the CareLink™ Personal system, the subject of this proceeding, the Company has clarified that:
it is a medical device “consisting of a free web-based application aimed directly at people with diabetes who use compatible Medtronic medical devices (“Device Users”) and their caregivers (“Care Partners” - a Care Partner is any caregiver (family member, friend, etc.) who has received permission from an individual with diabetes to view their diabetes information on a secondary login on CareLink™ Personal)(collectively, “CareLink Users ™ Personal)”;
“CareLink™ Personal Users can register independently by creating their own CareLink™ Personal account and accessing Device User data uploaded to CareLink™ Personal (via an uploader accessed from the web platform or, for compatible devices, via the MiniMed™ Mobile app) to help them manage their disease”;
“in 2020, during the Covid-19 pandemic, (…) the additional and optional functionality available through CareLink™ Personal called “Health Partner Share” (“HPS”) was activated in Italy. The HPS feature allows Device Users, who expressly and specifically consent, to share device data uploaded to their CareLink™ Personal account only with their Healthcare Professional;
“data sharing is only possible if the Healthcare Professional has created an individual account via CareLink™ Personal”;
“The HPS feature is completely optional as Device Users can take full advantage of their CareLink™ Personal account to support their diabetes management regardless of linking to their Healthcare Professional's HPS account. Please also note that Medtronic is evaluating whether to remove the HPS functionality”;
“the “CareLink™ system” and the CareLink™Personal (…) are two different and separate systems that can communicate with each other only (i) at the discretion of the Healthcare Professional and subject to the request of the Healthcare Professional to link the “CareLink” account ™ system” to your patient's CareLink™ Personal account and (ii) if the patient expressly consents to the link”.
In relation to the personal data processing activities and the roles assumed, the Company has clarified that it is the data controller of the data related to the creation of the CareLink™ Personal user account and "the generation of reports of the data uploaded by medical devices for the purpose to support people with diabetes to better understand the management of the disease". If the user activates the HPS functionality described above, "the personal data of the Device User are processed by Medtronic and by the Healthcare Professional for their respective purposes (Medtronic: for the purpose of providing the services requested to Users of CareLink™ Personal; as to the Healthcare Professional: with the aim of providing support and supervision to patients in the management of diabetes care). Medtronic and the Healthcare Professional act as independent data controllers."
According to the Company, the HPS functionality includes the following personal data processing activities:
− “a) Creation of the Healthcare Professional's account in CareLink™ Personal: • Medtronic is the owner and the Healthcare Professional is an interested party.
− b) Linking the Healthcare Professional's HPS account to the Device User's account: • Medtronic and the Healthcare Professional are independent controllers in relation to the processing of the Device User's personal data. In fact, the Healthcare Professional will only process the CareLink™ Personal username used by their patients to link accounts (…): that username is provided by the Device User directly to their Healthcare Professional in the context of the data processing activities carried out by the Professional Healthcare for medical treatment.
− c) Viewing (and any further use as determined by the Healthcare Professional) of personal data uploaded to CareLink™ Personal and shared by the Device User with the Healthcare Professional for medical treatment purposes: • the Healthcare Professional is the sole controller”.
In relation to the legal bases of the processing, the Company has clarified that, for the creation of the CareLink™ Personal account and for the generation of reports, it must be identified in the consent of the interested parties, pursuant to articles. 6, par. 1, letter. a) and 9, par. 2 lett. a) of the Regulation.
With reference to linking the Healthcare Professional's HPS account to the device user's account, the Company stated that “the express consent of the Device User is required. An opt-in mechanism is integrated into the CareLink™ Personal software to allow the Device User to choose whether to allow Medtronic to enable the connection with the Healthcare Professional via the HPS functionality, so that the Device User's device data is viewable in the Healthcare Professional's HPS account. Device Users are free to withdraw their consent at any time by unlinking their CareLink™ Personal account from their Healthcare Professional's HPS account through their CareLink™ Personal account settings. Such a choice stops any sharing of device data with the Healthcare Professional's HPS account."
The Company also specified that to activate the connection of the healthcare professional's HPS account with that of the user (CareLink™ Personal) and therefore make their data accessible to the healthcare professional, the express consent of the patient is required which "is a requirement integrated into the CareLink™ Personal software”. In this case, “the Healthcare Professional is an independent data controller for the further processing of data on CareLink™ Personal for medical treatment purposes. As such, the Healthcare Professional is responsible for complying with the transparency obligations applicable to their patients, with whom the Healthcare Professional has a pre-existing doctor/patient relationship aimed at the provision of medical care services". It would therefore be up to the users to choose whether to allow the connection of their account and therefore share the data with healthcare professionals.
Finally, the Company described the registration processes for the Care Link™ Personal account and for the healthcare professional who intends to use the HPS functionality and the process of associating the doctor's account with that of his patient. In this regard, it was specified that this connection can occur in two ways, during the patient's visit to the healthcare professional's office or "via an invitation generated via CareLink™ Personal".
In the first case “the Healthcare Professional, who previously created his account in CareLink™ Personal, logs into his account (…) enters his patient's name and date of birth to create the patient's profile in the Professional's account Healthcare (…) select “Connect now using the patient's username and password (the patient is present and enters their credentials to connect the accounts)”. At this point “the Healthcare Professional is redirected to a page intended for their patients (…) they will read the text that appears on that page to their patient, before asking the patient to enter their CareLink™ Personal credentials on this same page. By entering their CareLink™ Personal credentials, the patient provides express consent to activate the connection; Once credentials are entered correctly, the patient's CareLink™ Personal account and the Healthcare Professional's HPS account are linked and the patient's device data can be shared with the Healthcare Professional."
In the case of remote connection “(…) the patient must provide their CareLink™ Personal username to the Healthcare Professional” who “creates an account and a patient profile in their HPS account; or the Healthcare Professional selects “Send a connection request using the patient's username (the patient will confirm the request from their CareLink™ Personal account)”; or the Healthcare Professional receives a text, which they must read before entering the patient's CareLink™ Personal username into CareLink™ Personal and clicking “Connect”; or the patient will then receive an email to the email address associated with their CareLink™Personal username, as well as a notification about their CareLink™ Personal account; the patient must log in to their CareLink™ Personal account (a link to the CareLink™ Personal web page is contained in the email) to access the connection request sent by the Healthcare Professional; o to complete the connection, the patient must read the text before accepting the connection request; or once acceptance is provided, device data uploaded to the patient's CareLink™ Personal can be viewed by the Healthcare Professional."
In both cases, the connection between the two accounts is only possible (1) following a specific assessment on the point between the Healthcare Professional and the patient, and (2) after the patient has actively provided the relevant information to allow the Company to enable the connection.
In relation to these aspects, the privacy information acquired in the proceedings specifies that: "Should you choose to share personal data with healthcare professionals in the context of medical treatment or with other parties external to Medtronic, they will be solely responsible for the use, or further processing, of personal data” (page 2 “Privacy Policy”, Annex A to the note of the XX).
On the basis of what was represented by the data controller in the violation notification act and in the notes with which he provided feedback to the requests for information, as well as the subsequent assessments carried out, the Office, with act of XX (prot. n. XX ), notified on the same date by certified email, which must be considered reproduced in full here, has initiated, pursuant to art. 166, paragraph 5, of the Code, with reference to the specific illegal situations referred to therein, a procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, towards the Company, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of the law n. 689 of 24/11/1981).
With the aforementioned act, the Office noted that the Company, in relation to the violation of personal data, communicated data relating to the health of approximately 732 Italian subjects to as many subjects, in the absence of a suitable legal basis and, therefore, in violation of the principles applicable to the processing of personal data, referred to in articles. 5, par. 1, letter. a) and f) and 9 of the Regulation and in the absence of adequate security measures, in violation of the art. 32 of the Regulation; with regard to the processing of personal data carried out by the Company during the registration process of the Care Link™ Personal account and that of the Healthcare Professional who intends to make use of the HPS functionality as well as the process of associating the doctor's account with that of his patient , the Company has failed to provide patients with the information relating to the legal basis by virtue of which the aforementioned communication of personal data is carried out, which constitutes a new operation of processing of personal data, including health data by professionals healthcare workers, as independent data controllers; this in violation of the aforementioned principles of correctness and transparency referred to in the articles. 5, par. 1 letter a), and the articles. 12 and 13 of the Regulation, as well as articles. 7 and 9 of the Regulation, as the aforementioned omission would have invalidated the very validity of any consent given by the patient.
3. Defense briefs
With note dated XX (prot. n.XX), the Company sent its defense briefs, pursuant to art. 166, paragraph 6, of the Code without asking to be audited, also providing the elements referred to in the art. 83, par. 2 of the Regulation, in which the following was specifically represented.
3.1. Violation of personal data pursuant to art. 33 of the Regulation
The Company in relation to the violation of personal data, notified to the Guarantor, pursuant to art. 33 of the Regulation, declared that:
- “the processing of personal data of users of the CareLink™ Personal software is based on their explicit consent (…). All users of the MiniMed™ Mobile app have voluntarily downloaded the app after having been fully informed of the terms of use and the characteristics of the processing of their personal data";
- "it is obvious that the accidental "unencrypted" disclosure of users' email addresses to other users of the service, which occurred on XX, was entirely due to an unintentional human error, committed in violation of the technical and organizational measures put in place by Medtronic for the protection of users' personal data. In fact, it is necessary to differentiate the responsibility profile of the subject, Medtronic, who diligently prepared technical and organizational measures and promptly reported their violation (...) to the Authority, from that of whoever violated them, even if by mistake";
- "the erroneous communication in question occurred in extraordinary circumstances of urgency (and certainly not for promotional purposes or for other purposes of Medtronic) due to the need to warn users as soon as possible that the MiniMed™ Mobile app would be subject to of certain unscheduled maintenance interventions on the systems. It should not be forgotten that diabetic patients "live" on data: knowing their glycemic levels over a 24 hour period is of vital importance for them and, after a patient has agreed to use the MiniMed™ Mobile app, it is necessary to inform them of any connection problems”;
- "this error (...) occurred in violation of a specific procedure that had been adopted by Medtronic precisely for the purpose of preventing situations such as the one at issue in today's proceedings from occurring. Furthermore, this procedure had been the subject of specific training activities for employees and collaborators. In fact: Medtronic has adopted a specific procedure (...) aimed at regulating the preparation and sending of communications to users in the event of unscheduled maintenance interventions, which expressly provides that the e-mail addresses of the users receiving the communication must be inserted in the blind copy field (“BCC”) and not in the recipients field (“To”) and that each communication must be reviewed by a manager of the technical support division before being sent; this procedure was disseminated and trained for the members of the Medtronic Diabetes team responsible for sending communications to users (...); it is underlined that this training took place before the violation found; more generally, Medtronic has adopted a series of technical and organizational measures (...) aimed, among other things, at managing access by all authorized personnel, preventing unauthorized access, adopting all IT and physical security measures on systems, etc.”;
- “the tool of sending communications to users via e-mail is the most suitable technical solution for managing communications to users in the event of urgent and unscheduled interventions on the systems; in such cases, in fact, Medtronic may find itself having to send notices to users in a very short time and the e-mail communication tool can be activated in a very short time; the MiniMed™ Mobile app does not - at present - provide alternative functions for sending communications to users in emergency situations. Furthermore, the MiniMed™ Mobile app is part of the CareLink™ Personal software, a CE marked medical device subject to a certification process and not freely modifiable by Medtronic at its discretion, which provides that notifications to users must be sent exclusively by email; and a human error such as the one that occurred was neither foreseeable nor otherwise avoidable. As recognized by the EDPB, despite the adoption of technical and organizational measures, “it is very difficult for data controllers (...) to take measures to avoid [personal data breaches due to human error]”;
- "if it is undeniable (and indeed it was voluntarily recognized by Medtronic) that it was a data breach, it must not be forgotten that this data breach did not occur in the absence of technical and organizational measures, which indeed, until that moment , have proven to be adequate”;
- “following the event, Medtronic adopted a series of remedial actions, including: (i) the immediate attempt to recall all email messages sent; (ii) the sending of a message to all recipients, with which they are asked to delete the message previously received and not to proceed with processing of any kind with respect to the data erroneously communicated (...); (iii) the personnel concerned have undergone new targeted training to avoid the repetition of similar events (...); (iv) a new automated tool has been implemented to assist the user communication process, which will require Medtronic Diabetes staff to upload users' email addresses to a dedicated platform and which will minimize the possibility of human errors in sending of emails to the recipients, which will always be in blind copy";
- "the concrete consequences, if any, deriving from the error in sending the communication to users, appear to be particularly limited. In fact: only the users' e-mail addresses were communicated, while no other personal data, nor specific health data or data relating to the users' health were communicated; only in some cases and only indirectly could email addresses lead to the identification of a specific user: in many cases, in fact, a user's email address does not reflect the patient's name and surname; similarly, many email addresses could belong to individuals who are not patients, but simply to individuals who provide assistance to patients (whose health data have not been disclosed); Medtronic has not received any reports or requests for compensation from users affected by the erroneous communication after a year and a half".
3.2 Further complaints
With specific reference to the further violations contested in the context of the proceedings initiated pursuant to art. 166, paragraph 5, of the Code, the Company, in relation to the functionality called Health Partner Share (“HPS”), implemented during the pandemic period, which allows the patient to connect their CareLink™ Personal account with that of the healthcare professional who he is treating, stated that:
- “Medtronic has provided clear information regarding the processing which is the subject of this dispute, which – it is useful to clarify – consists only in the connection between the user's accounts and his healthcare professional (and certainly does not extend to the further processing activity carried out by the healthcare professional, as independent owner). In fact (...), first of all there are references to the connection of accounts, and the related sharing of device data with healthcare professionals, both in the September 2020 information (see page 3 of Annex A to our communication of the XX ) and in the subsequent one in 2022 (see page 2 of Annex A to our communication of the XX), and secondly there is the specific and analytical information that is provided to the user when consent is asked for connect to the doctor's account";
- "the information given to the patient when connecting his CareLink™ Personal account with the healthcare professional's CareLink™ HPS account meets the minimum content requirements for consent to be "informed";
- “specific, exhaustive and adequate information is provided to the patient when his consent is requested to connect his CareLink™ Personal account with the healthcare professional's HPS account. The process of linking the patient's CareLink™ Personal account with the healthcare professional's HPS account was described in the Medtronic note of the XX, but it may be useful to reiterate how this process works and describe the contents of the form in more depth of consent that is presented to the patient at the time of connection. As illustrated, the connection can be established in two ways: (a) during the patient's visit to their healthcare professional's office, or (b) remotely, via an invitation generated through CareLink™ Personal”;
- in describing the connection process during the patient's visit to his doctor's office: “The patient (user of the CareLink™ Personal) goes to his doctor's office at his doctor's office. The doctor – who has previously created his account in CareLink™ Personal – logs in to his account. The healthcare professional enters his patient's name and date of birth to create the patient's profile in the healthcare professional's account. The healthcare professional selects “Link patient profile to CareLink™ Personal” and “Link now using patient username and password”. Subsequently, the healthcare professional is redirected to a page intended for his patient. In practice, the healthcare professional will read the notice that appears on the page intended for the patient, before asking the patient to enter their CareLink™ Personal credentials on the same page. By entering their CareLink™ Personal credentials and clicking on the “Connect” button, the patient expresses their explicit consent to activate the connection. The notice that appears on the patient page is as follows: “Linking your patient profile to your healthcare professional's CareLink™ Personal: Linking your CareLink™ Personal account to the patient record in your healthcare provider's CareLink™ software account healthcare professional. By selecting the “Link” button, you, as the CareLink™ Personal account owner, are providing your express consent to allow Medtronic to link your CareLink™ Personal account to your healthcare professional's CareLink™ software account, in so that the latter can view the data of the devices uploaded to CareLink™ Personal. You can withdraw your consent by going to CareLink™ Personal and removing the link to your healthcare professional. For more information about how Medtronic processes your personal data, please see our privacy policy https://carelink.medtronic.eu/crs/pow/3.7/media/hsp_privacy_policy_en.pdf. Please consult your healthcare professional to find out how your healthcare professional processes your CareLink™ Personal information, including how your healthcare information is processed. Enter your username and password to connect to CareLink™ Personal”;
- "in accordance with the EDPB 05/2020 guidelines on consent, adopted on 4 May 2020, the above notice, read in combination with the information referred to therein, contains all the minimum information so that the patient's consent is "informed ", i.e.: the identity of both independent data controllers: Medtronic, on the one hand, which is identified in the information previously referred to as the data controller for the creation of the users' CareLink™ Personal account ; on the other hand, the healthcare professional, identified as the recipient of the data in the same notice; the purpose of the processing operations for which consent is requested, i.e. linking the patient's CareLink™ Personal account with the healthcare professional's HPS account, so that the healthcare professional can see the device data uploaded by the patient to the CareLink™ Personal; the types of data collected and used, i.e. device data uploaded to CareLink™ Personal; and the existence of the right to revoke consent: the notice explicitly refers to the possibility for the patient to revoke his consent by removing the link between the two accounts";
- when describing the remote connection process (via invitation) “the healthcare professional and patient discussed the possibility of connecting the patient's CareLink™ Personal account with the healthcare professional's HPS account remotely. To ensure that the healthcare professional's account is linked to the patient's correct CareLink™ Personal account (when doing so remotely), the patient must provide the healthcare professional with their CareLink™ Personal username. The healthcare professional creates their own account and patient profile in their HPS account. The healthcare professional selects “Link patient profile to CareLink™ Personal” and “Send link request using patient username”. The healthcare professional receives a warning that they must read before entering the patient's CareLink™ Personal username and clicking “Connect”. The alert is as follows: Linking the patient's profile to CareLink™ Personal: Linking the patient's profile in your account to the patient's CareLink™ Personal account. By entering the patient's CareLink™ Personal username and clicking the “Link” button, you invite the patient to link their CareLink™ Personal account to this CareLink™ software account. Once the linking process is complete, you will be able to view data from the patient's Medtronic devices that are connected and have been uploaded to the patient's CareLink™ Personal account to this CareLink™ software account. Once the linking process is complete, you will be able to view data from the patient's connected Medtronic devices that have been uploaded to the patient's CareLink™ Personal account. You, as the patient's healthcare professional, represent that you have informed the patient of your request to connect to the patient's CareLink™ Personal account and that you have used the patient's username for this purpose. Do not copy or store the patient's username once the connection is established. By entering your patient's CareLink™ Personal username and clicking the “Connect” button, you agree that you 1. Are a licensed healthcare professional; 2. Request that your CareLink™ software account be linked to the selected patient's CareLink™ Personal account and that you understand that the patient must provide consent to such linking to enable data sharing between accounts - Terms of Use - Privacy Policy. Enter the patient's CareLink™ Personal username”;
- “the patient subsequently receives an email to the address associated with their CareLink™ Personal username and a notification on their CareLink™ Personal account. The email sent to the patient is as follows: “Dear…, Your healthcare professional would like to link your CareLink™ Personal account to your CareLink™ software account. Once the two accounts are linked, your healthcare professional will be able to view the data collected from your connected medical devices and which has been uploaded to your CareLink™ Personal account, even at times other than those of in-person visits with your healthcare professional. The connection may allow your healthcare professional to view a more complete set of data generated by your medical devices and provide you with remote care. The connection is voluntary. If you would like to link your account, log in to your CareLink™ Personal account at https://carelink-stage2.mimimed.eu and respond to this request on the settings page. Kind regards, The Medtronic  CareLink™ Team”;
- “the patient then logs in to their CareLink™ Personal account (a link to the CareLink™ Personal web page is contained in the email received from the patient) in order to access the connection request sent by the healthcare professional. To complete the connection, the patient must read the following notice before accepting the connection request: “Sharing with healthcare professionals - Your healthcare professional has requested to connect to your CareLink™ Personal account. Once the connection process is completed, your healthcare professional will be able to view the data collected from your connected medical devices and which have been uploaded to your CareLink™ Personal account, even at times other than those of in-person visits with the Your healthcare professional. The link is voluntary and you can, therefore, choose not to link your account. A decision not to link your account will not affect your ability to obtain Medtronic Diabetes products and services, or your ability to obtain treatment, benefits, or payments. You can unlink your account at any time by logging into your CareLink™ Personal account and selecting “Stop Sharing” with your designated healthcare professional. By doing so, you will stop any further sharing of your CareLink™ Personal data with the relevant healthcare professional's CareLink™ software account; this, however, will not result in the removal of data already shared by you. By clicking “Approve,” you authorize Medtronic to link your CareLink™ Personal account to your healthcare provider's CareLink™ software account. For more information on how Medtronic processes your personal data, please see our Privacy Policy”;
- also in this case, the previous notice, read in combination with the information referred to therein, contains all the minimum information for the patient's consent to be "informed": the identity of both independent data controllers: Medtronic, on the one hand, who is identified in the context of the information mentioned above and the healthcare professional, who receives the data and is identified in the context of the same notice; Please note that you must clearly see the name of your healthcare professional before allowing your CareLink™ Personal account to be linked to your healthcare professional's HPS account; the purpose of the processing operations for which consent is requested: link the patient's CareLink™ Personal account with the healthcare professional's HPS account, so that the healthcare professional can see the device data uploaded to the CareLink™ Personal ; the types of data collected and used: device data uploaded to CareLink™ Personal; and the existence of the right to revoke consent: explicit reference is made to the possibility for the patient to interrupt the connection at any time, revoking their consent";
- "in both cases, regardless of which connection process is followed (at the healthcare professional's office or remotely), the request for consent to data sharing is sufficiently explicit to make the patient-user aware, in clear and simple, of the fact that the legal basis of such processing is constituted precisely by consent";
- "the processing of data by Medtronic consists of and is limited solely and exclusively to the connection of the patient's CareLink™ Personal account to the healthcare professional's HPS account and the consequent sharing of device data, subject to the patient's consent. Afterwards, as a result of sharing, (...) the further processing of the data is carried out by a different owner (the healthcare professional), who will have full and exclusive responsibility for providing the necessary information to the patient in relation to the processing of the patient's healthcare data. patient. In other words, the purposes of the processing by Medtronic, legitimated by explicit consent, are only to allow such a connection, and the same are perfectly explained by the information provided to the patient at the time of connection (where we read that " once the connection procedure is completed, your healthcare professional will be able to view the data collected by your connected medical devices and which have been uploaded to your CareLink™️ Personal account, even at times other than those of in-person visits with the Your healthcare professional.”). In fact, Medtronic, the owner of a completely autonomous data processing, cannot be asked to inform the patient about the purposes underlying the data processing by the healthcare professional (who acts as an independent data controller);
- “the recipient of the sharing of personal data is not just any healthcare professional, but rather the healthcare professional who is already dealing with the patient-user's therapy and who initiates the request to have his HPS account linked to the CareLink™ Personal account of the patient. Well, this healthcare professional, in addition to being, as already mentioned, explicitly identified in the screen preceding the connection, is already absolutely known to the patient as his doctor. The use of the MiniMed™ Mobile app, in fact, is only the last phase of a long treatment process that begins with the diagnosis of diabetes and continues with the prescription of an insulin pump by the doctor; furthermore, as previously mentioned, the sharing of data with the healthcare professional usually takes place in his presence or, following a discussion with the healthcare professional in this regard, remotely. It is therefore reasonable to assume that the healthcare professional in charge, with regard to the treatment activities that are his responsibility, has already provided adequate information to the patient at the time of the first establishment of the treatment relationship, or that in any case he intends to provide it at a later time, in compliance and within the limits expressly provided for by the art. 14 paragraph 3 of the GDPR (which, in the case of an owner who receives personal data from subjects other than the interested party, provides for the possibility of providing the information at a later time)";
- “Medtronic, in making the information linked to the request for consent for the processing it is responsible for, certainly cannot replace the healthcare professional with respect to the obligation to provide the information linked to the data processing carried out by the latter in the course of care activity. This would conflict with the principle of accountability (art. 5 paragraph 2 of the GDPR) and with the role of independent data controller covered by the healthcare professional, which has never been questioned. Furthermore, the details of the data processing carried out by the healthcare professional are not even known to Medtronic, as they are subject to an obligation of professional secrecy";
- “it should be underlined that only the data collected from the user's device (e.g. measurements and parameters recorded by the device itself) are shared with the user's healthcare professional following the linking of the user's CareLink™ Personal account with the healthcare professional's HPS account; no other data or information, such as data, notes or information manually uploaded by you to your CareLink™ Personal account, is shared with the healthcare professional”;
- "the fact that an underlying professional relationship already exists between the healthcare professional who requests sharing and the patient-user who consents to it (which, once again, Medtronic assumes has been established in compliance with the necessary information obligations), and that the processing carried out by Medtronic constitutes nothing more than a tool to further facilitate this pre-existing care relationship, it would even exempt Medtronic from providing any type of information in relation to this activity, in accordance with the provisions of the art. 13 paragraph 4 of the GDPR. The information whose absence (... ) the Authority disputes is, in essence, already (or at least should already be) in the possession of the patient-user";
- "the information provided to the user is not lacking with respect to (a) the "legal basis on which the communication is based", (b) "the identity of the owner" and (c) "the purposes of the processing" in how much: without the patient's consent, no data sharing is possible. The HPS functionality concretely implements the principle of patient "empowerment" in the management of their disease and their data, absolutely in line with the principles that inspire the GDPR, as well as contemporary medicine. The HPS functionality itself was designed based on this fundamental principle: it is explained to the user in simple and clear terms that their consent is necessary for data sharing and can be revoked at any time. The activation of the HPS functionality is conditional on the user's consent, who decides how and with whom to share their data; Furthermore, the legal basis for sharing data through the HPS functionality is made clear to the patient-user; the notice that appears before data sharing clarifies the identity of the new data controller in the event that the user opts for data sharing: this is, moreover, a person already known to the user as his doctor carer; regarding the purposes of the processing, Medtronic informs the user in advance that the consent to activate the HPS functionality allows the connection between the patient's CareLink™ Personal account and the healthcare professional's HPS account. Medtronic cannot provide information regarding the "purposes of the processing for which the personal data are intended" as they pertain to the autonomous decision of a different data controller, who is responsible for the relevant information obligations (Medtronic does not treat patients, but markets medical devices for diabetes treatment). In light of the foregoing, Medtronic believes that the patient's consent is informed and, therefore, valid."
Finally, the Company provided a series of elements considered useful, within those identified by the art. 83, par. 2 of the Regulation, both in relation to the contestation of the violation of personal data concerning the aforementioned communication of health data through the sending of "carbon copy" emails to multiple recipients, and in relation to the contestation of the violation concerning the obligations information and the acquisition of the relevant consent.
In particular, in relation to the first profile, the Company highlighted that:
- “the violation notified by Medtronic is characterized by a low level of severity. In this sense the following elements are relevant:
“(…) the disputed violation essentially derives from a single isolated event, attributable to an evident human error, which affected a limited number of subjects (i.e. the 732 recipients of the unscheduled server maintenance communication), and which cannot be repeated, also in consideration of the implementation of an automated procedure for urgent communication relating to interruptions - maintenance;
(...) the violation occurred in the context of a treatment which, in addition to having been expressly consented to by the interested parties, has the sole and exclusive purpose of informing and guaranteeing the safety of the patient, preventing any malfunctions of the CareLink™ Personal software, which could have repercussions about your health or treatment;
the violation did not cause any damage to the interested parties involved, neither of a physical/material nature, nor of an immaterial or reputational nature. This is even more evident if one considers that none of the parties affected by the violation have proposed any complaint, nor any dispute against Medtronic, nor have they taken action to request any compensation for damages";
- "the disputed violation is undoubtedly negligent and not malicious, being characterized by the absence of volition in relation to the causation of the data breach. (...) the violation resulted from an unintentional human error, which resulted from the failure of a member of the Medtronic Diabetes team to apply the rules and procedures adopted by Medtronic specifically for the purpose of preventing events such as the one that is the subject of the dispute . If this employee had followed internal procedures, the violation would not have occurred. (…). Now, also pursuant to the provisions of the Sanctions Guidelines ("Guidelines 01/2021 on examples regarding the notification of a personal data breach" adopted on 14 December 2021 by the European Data Protection Committee), the error human, failure to read and failure to comply with existing procedures, as well as their failure to apply, are all symptoms of negligence of the individual operator (not of Medtronic), which exclude the existence of any voluntariness";
- “it is completely undeniable that Medtronic, acting diligently, took immediate action to mitigate, if not even sterilize, the harmful effects resulting from the data breach. In fact, in addition to being able to immediately identify the violation committed, Medtronic: promptly notified the violation to the Authority; immediately recalled sent emails; sent, always promptly, to the recipients of the communication, a new message with the invitation to (i) delete any copy of the email received, and (ii) not take further action with the information contained therein; and provided internal staff with new training sessions";
- “Medtronic has implemented a new automated system, which minimizes the risk of error in the future. The new automated system, in fact, excludes the operator from having to choose between a list of recipients' e-mail addresses in plain text or in blind copy, automatically sending a communication via e-mail with the recipients in blind copy";
- "from these measures adopted it can be deduced that Medtronic acted immediately with great promptness, responsibility and transparency, doing everything in its power to correct its actions and indeed trying in any way to eliminate any harmful effects, "taking on the responsibility of correct or limit the impact of his actions” (see Sanctions Guidelines, chapter III l. c) last paragraph)”;
- "in order to prevent events of the type that occurred, Medtronic had previously drawn up a specific internal procedure (...) aimed at regulating in detail the procedure that must be followed by its employees and collaborators in cases where, for reasons of urgency, it is necessary to proceed with a communication to users of an unscheduled interruption of the service. This procedure was, as proven by tabulas, duly disseminated, and all employees and collaborators were also subjected to specific training courses";
- “it is important to remember that the articles. 25 and 32 of the GDPR, in imposing the adoption of adequate technical and organizational measures, establish an "obligation of means and not of result" (see, on this point, Sanctions Guidelines, chapter III, l. d) third paragraph), with the consequence that the occurrence of a violation is not sufficient to deem the system of organizational measures unsuitable, instead having to analyze the abstract adequacy of such measures to guarantee a level of security adequate to the risk: adequacy which, given the specificity of the internal procedures, the training on them and the fact that the human error occurred on only one occasion, certainly cannot be considered non-existent";
- “Medtronic immediately made itself entirely available to the Authority in order to remedy the violation, promptly providing, in an exhaustive and transparent manner, all the information that was requested (…)”;
- “it is questionable whether the violation concerned data relating to health pursuant to the provisions of the art. 9 of the GDPR, since the subject of the data breach were only the email addresses of the recipients of the communication made visible to other recipients, which do not always allow the owner to be identified (not all addresses, in fact, correspond to name.surname @), nor do they allow the recipients of the communication (where identifiable) to be automatically associated with patients suffering from diabetes, given that the email addresses may well refer to subjects other than the patient, such as care-givers or parents, in the case of users under age. No data directly connected with health (such as information on users' blood sugar levels, clinical therapies or the use of devices connected to CareLink™ Personal) has been disclosed or communicated to third parties";
- “the violation was notified by Medtronic spontaneously and within the deadlines set by the art. 33 of the GDPR. It was therefore the writer herself who made the Authority aware of the data breach and, although the presentation of the relevant notification in the event of a data breach constitutes the subject of an independent legal obligation on the owner pursuant to the provisions of the GDPR, it certainly denotes Medtronic's full intention to make itself available to this Authority in order to collaborate in managing the consequences of the violation";
- "must have autonomous mitigating value: the adoption by Medtronic of a code of ethics and an organizational model pursuant to Legislative Decree 231/2001 which also aim to prevent illicit conduct in relation to personal data, as well as continuous training on both; the particular social value of the purposes connected to the processing, and the correlative absence of any advantage in favor of Medtronic as a consequence of the alleged violation. The one in question, upon closer inspection, is in fact a treatment necessary for the sole and exclusive purpose of guaranteeing the highest level of safety in relation to the use of CareLink™ Personal (...), safeguarding the health of patients. All this, to the exclusive and undoubted benefit of the interested party alone, given that Medtronic does not obtain any economic advantage from this data processing; it is specified that CareLink™ Personal is offered free of charge to users who are already users of a Medtronic device; the same violation has already been notified by the respective Medtronic subsidiaries to the Guarantor Authorities of their respective countries (Belgium, Czech Republic, Finland, Germany, Netherlands, Norway, Spain, Sweden, France, United Kingdom), and the authorities themselves concluded the investigation by dismissing the report".
In relation to the second profile, relating to the dispute of the violation regarding the information obligations and the acquisition of the related consent, the Company highlighted that:
- "the purpose of the processing (...) consists in the possibility of creating a connection between the patient's account and that of his healthcare professional, which can be found at the link: https://www.medtronic.com/content/dam/medtronic- com/it-it/corporate/documents/Codice-Condotta-Compass-Bussola-12-2020.pdf allowing the user/patient subject to certain therapies (or their care-giver) to share in a simple, rapid and direct way the data relating to your illness with the healthcare professional who is already in charge of managing the relevant therapy, thus allowing him to access your patient's blood sugar data. Once again, the only purpose connected to the treatment in question is to facilitate the therapeutic path and to increase doctors' control over the therapies they assign to their patients. All of this, of course, subject to the consent of the relevant patient. Medtronic does not communicate any data to healthcare professionals who are not already your doctors;
- the patient data would concern only the patient concerned, and would be communicated only to his healthcare professional (who, moreover, having already treated the patient, is likely to already possess - or in any case be able to obtain aliunde - the data object of the communication) ;
- the alleged violation did not cause any damage to the interested parties involved, neither of a physical/material nature, nor of an immaterial or reputational nature (indeed, it entails an undoubted clinical advantage). This is even more evident if we consider that none of the patients using CareLink™ Personal have made any complaint, nor any direct dispute against Medtronic in relation to the HPS functionality, nor have they taken action to request any compensation for the harm. Indeed, the treatment in question has made it possible to optimize the therapeutic paths connected to the treatment of particularly disabling diseases, such as diabetes, obtaining the favor (and consent) of the relevant users;
- “(…), Medtronic regularly reviews and updates its communications and privacy policies. Although Medtronic believes that patient consent to share data with their healthcare professionals through the HPS functionality is sufficiently informed and valid, Medtronic has updated its privacy policy (July 2022 version) to further enhance the level of transparency made to CareLink™ Personal users and satisfy any questions regarding it. As updated, the privacy policy makes explicit reference to the legal basis (i.e. explicit consent) for the aforementioned data processing. The updated version of the privacy information (...) in the paragraph called "Consent (Explicit)": reports the following "Processing of health data - With the user's explicit consent we will process health data for the specific purposes set out below : - Create the CareLink™ Personal account, in order to upload device data and generate CareLink™ Personal reports; - aggregate health data in a way that does not directly identify users. We will use this information to generate internal reports to conduct further research and develop new products and services for diabetes management and improve existing products and services and/or develop materials presented to physicians and government agencies and at conferences to showcase the product performance and enable Medtronic to improve education, training and support programs; - where applicable, in order to enable the connection of your CareLink™ Personal account to the CareLink™ account used by your healthcare professional in the context of medical treatment” (art. 83, par. 2 letter a) of the Regulation);
- "culpable nature of the alleged violation, which, according to the letter of the complaint, lacked sufficient information. This alleged insufficiency, even if deemed to exist, could only result in mere negligence on the part of Medtronic" (art. 83, par. 2 letter b) of the Regulation);
- “Medtronic believes that the wording of the consent to the processing of personal data within the HPS functionality is sufficiently clear and that the processing in question is completely legitimate and compliant with the articles. 5(1)(a), 7, 9, 12 and 13 of the GDPR. However, as mentioned in paragraph 3.2(a)(iv) above, in order to meet the Authority's findings in relation to the information contained in the privacy policy regarding the legal basis of the processing, Medtronic has further updated its information privacy in order to guarantee ever greater transparency” (art. 83, par. 2 letter c) of the Regulation);
- “Medtronic has always complied with the obligations imposed on it pursuant to articles. 25 and 32 of the GDPR. And so, in the phase of obtaining consent from the user/patient for sharing data with healthcare professionals, the principles of privacy by default and privacy by design (art. 25 of the GDPR) must be considered respected, as the provision of consent is not a pre-selected option, and the sharing of data could not take place in the absence of the prior consent of the interested party” (art. 83, par. 2 letter d) of the Regulation);
- “Medtronic has not in the past committed and/or notified any violation of the type at issue in today's proceedings. This, in addition to having an autonomous mitigating value, constitutes a further element of evidence of the adequacy of Medtronic's organizational structure with respect to the protection of the personal data of which it is the owner" (art. 83, par. 2 letter e) of the Regulation) ;
- "also in relation to the existence of this element and its mitigating relevance, Medtronic immediately made itself fully available to the Authority in order to understand and remedy the violation, promptly providing, in an exhaustive and transparent manner, all the information that has been requested, and proposing immediately to implement remedial measures" (art. 83, par. 2 letter f) of the Regulation);
- "the disputed processing concerns data attributable to the genus "health data" (i.e. data connected to the use of medical devices associated with CareLink™ Personal). However, please note that only data collected from your device (e.g. measurements and parameters recorded by the device itself) are shared with your healthcare professional following the linking of your CareLink™ Personal account with your healthcare professional's HPS account; no other data or information, such as data, notes or information manually uploaded by the user into his CareLink™ Personal account, are shared with the healthcare professional" (art. 83, par. 2 letter g) of the Regulation);
- "(...) the specific details relating to the functionality of the connection functionality of the patient's CareLink™ Personal with that of the healthcare professional (in which, in the opinion of this Authority, the violation lies) were communicated by Medtronic in a transparent manner, exhaustive and timely" (art. 83, par. 2 letter h) of the Regulation).
The Company, therefore, in believing that the disputed violations do not exist, asked, in the event of a different opinion from the Authority, to consider such violations as "minor" "in the sense of recital 148 of the GDPR" and to consider "that the corrective measure that best suits the specific case, if ever there were one, is that of a warning".
4. Outcome of the preliminary investigation
4.1 Violation of personal data pursuant to art. 33 of the Regulation
In relation to the violation of personal data, pursuant to art. 33 of the Regulation, it is preliminarily noted that:
“personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”; an identifiable natural person is one who can be identified directly or indirectly, with particular reference to an identifier such as the name (...) and for "data relating to health" "personal data relating to the physical or mental health of a natural person, including the provision of health care, which reveal information relating to your state of health" (art. 4, par. 1, nos. 1 and 15 of the Regulation);
Recital n. 35 of the Regulation specifies that data relating to health "include information on the natural person collected during his registration for the purpose of receiving health care services"; “a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes”;
personal data must be "processed in a lawful, correct and transparent manner" (principle of "lawfulness, correctness and transparency") and "in a manner that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage (principle of “integrity and confidentiality”)” (art. 5, par. 1, letters a) and f) of the Regulation);
the data controller must implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk, taking into account the state of the art and implementation costs, as well as the nature, object, context and purposes of the treatment, as well as the risk of varying probability and severity for the rights and freedoms of natural persons (art. 32 of the Regulation);
the regulations on the protection of personal data provide - in the healthcare sector - that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or upon indication of the interested party himself subject to written authorization from the latter (art. 9 of the Regulation);
Given the above, in light of the definition of personal data referred to above, email addresses can be traced back to this notion (see on the linkage of the email address to the notion of personal data, provision dated 25 June 2002, web doc. no. 29864).
Furthermore, with regard to the specific case, the information covered by the notification, contained in the aforementioned email, although referring to a service communication, being addressed to users of the MiniMed Mobile app located in Italy, which connects - via Bluetooth - the pump for MiniMed™ insulin to the user's smartphone, constitute personal data relating to health. In fact, this system is intended for people who wish to actively manage their diabetes simply and safely, via the MiniMed™ insulin pump which sends the data to the aforementioned smartphone application (see numerous provisions of the Authority on this point, including which: provision dated 9 January 2020, no. 1, web doc. no. 9261234; provision dated 16 September 2021, no. 328, web doc. no. 9722297, provision dated 13 May 2021, no. 206, web doc. no. 9688020; provision 28 April 2022, no. 164, web doc. no. 9779057, provision 7 July 2022, no. 242, web doc. 9809998, provision 11 January 2023, no. 7, web doc. no. .9861356).
The circumstance that among the recipients there may be not only patients but also their assistants (caretakers) does not determine a different qualification of such information as belonging to the particular categories of data, given that the content of the email unequivocally referred to the presence of a diabetic pathology and that the addresses of the recipients were those provided by the patients. It is also highlighted that the Company itself in the violation notification characterized this information as relating to health.
In relation to the principle of integrity and confidentiality referred to in art. 5, par. 1, letter. f) and the safety obligations referred to in art. 32 of the Regulation, in this case, the technical and organizational measures adopted by the Company were not found to be suitable to guarantee a level of security adequate to the risk given the violation of personal data notified by the data controller and considering the relevant number of email addresses (and therefore recipients) contained in a single notification (see par. 6.2 of Guidelines 01/2021 "on examples regarding the notification of a personal data breach", adopted on 14 January 2021; provision of 13 May 2021, web doc. 9688020; provision of 16 September 2021, web doc. 9722297 and provision of 7 July 2022, cit.). Moreover, during the investigation, the Company itself envisaged the adoption of further organizational measures precisely in order to avoid the repetition of events similar to the one that occurred.
Therefore, the sending of communications via email notifications to a multiple number of recipients (of which 732 in Italy), who have been included in the carbon copy (cc) field, has, in fact, without justified reason and in the absence of a suitable prerequisite legal, mutually disclosed to the recipients of the communications, the health status of the other interested parties, therefore constituting a processing of health data in violation of the articles. 5, par. 1 letter a) and f), 9 and 32 of the Regulation.
4.2. Further violations
In relation to the sharing of the patient's clinical data with the healthcare professional through the "Health Partner Share" functionality, which allows the patient to connect his CareLink™ Personal account with that of the healthcare professional who is treating him, and to the dispute relating to subject to the violation of the information obligations and the acquisition of the relevant consent to the processing of personal data carried out by the Company on the occasion of the aforementioned connection, it is noted that:
personal data must be processed in compliance with the principles applicable to processing, and of "accountability", according to which the data controller must be able to demonstrate compliance with the aforementioned principles, with logical reasoning, concrete evidence and proactive behavior (art. 5, par. 1 and 2 and art. 24 of the Regulation);
in this context, in particular, the aforementioned principle of lawfulness is important, according to which any processing of personal data must be based on a specific legal basis (art. 5, par. 1, letter a) of the Regulation);
in the event that the condition of lawfulness is represented by consent, it must be free, specific, informed and unequivocal in relation to the processing of personal data concerning the interested party (Recital nos. 32, 42 and 43, articles 5, 6, paragraphs 1, letter a) and 7 of the Regulation and Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Committee for the Protection of Personal Data, on 4 May 2020; sent. C-673/17, of 1 October 2019 and C-61/19, of 11 November 2020);
consent, to be freely given, must be informed; for this to be the case, "the interested party should be made aware of at least the identity of the data controller and the purposes of the processing for which the personal data are intended" (art. 7 of the Regulation and Recital no. 42; see, also, paragraphs 3.3.1 and 3.3.2 and in particular point 64 of Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, version 1.1 adopted on 4 May 2020 according to which "to obtain valid consent at least the following information is necessary [to be provided to the interested party]: i. the identity of the data controller; ii. the purpose of each of the treatments for which consent is required; iii. which (types of) data will be collected and used; iv. the existence of the right to withdraw consent (...)";
personal data must also be processed in compliance with the principle of transparency (art. 5, par. 1 letter a) of the Regulation) by providing the interested parties with the information referred to in the art. 13 of the Regulation, in the case of data collected directly from them, or pursuant to art. 14, in case of data collected from third parties. This principle requires that information and communications relating to the processing of personal data be made in a concise, transparent, intelligible and easily accessible form, with simple and clear language (Recital nn. 39, 58 and art. 12 of the Regulation);
according to the Guidelines on transparency pursuant to Regulation 2016/679, adopted on 29 November 2017 in the amended version adopted on 11 April 2018, "the element of "easy accessibility" implies that the interested party is not forced to search for the information , but rather that it is immediately clear to him where and how it is accessible, for example because it is provided directly to him, a link directs him to it or the information is clearly marked or because the information is configured as an answer to a question in natural language (e.g. in a layered online privacy statement/policy, in FAQs, through contextual pop-ups that are activated when the data subject fills out an online form or, in an interactive digital context, through a chatbot interface, etc.)” (par. 11 and also par. 33-40);
in the context of applications that are capable of collecting large amounts of data from the device (e.g. data stored by the user and data from different sensors, including geolocation), the end user has the right to know what kind of personal data are being processed, for what purposes they are intended to be used and on the basis of which legal assumptions (see Opinion 02/2013 (WP202), on applications for intelligent devices adopted on 27 February 2013 by the “Art. 29” Working Group);
in compliance with the principle of transparency, both the purposes and the corresponding legal bases of the processing must be clear before the processing begins.
Given the above, from the documentation in the documents, it emerges that the "privacy information", even in the July 2022 version, although modified compared to the previous version of 24 September 2020, does not contain clear information, in particular, on the processing of personal data carried out during the process of linking the CareLink™ Personal accounts of the patient and the healthcare professional, if the former intends to use the HPS function.
This, taking into account that, in relation to the processing in question as described above, this connection - created through the technical functions made available by the Company - involves a communication of personal data between different owners, with respect to which it must be indicated, in the aforementioned information, the legal basis on which it is based, involving a new operation of processing of personal data, including health data, by healthcare professionals, as independent data controllers.
In fact, the information, in the September 2020 version, does not contain any information in this regard, while, in the July 2022 version, it simply represents to the patient that "Should he choose to share personal data with healthcare professionals as part of the medical treatment or with other parties outside of Medtronic, they will be solely responsible for the use, or further processing, of the personal data”.
Added to this is that the aforementioned information is not provided even when the patient is about to make the aforementioned connection. In fact, in the final account connection screen the patient is only informed of the circumstance which, by typing the "accept" button, authorizes Medtronic to carry out the aforementioned connection; on the same screen the patient is informed that if he is interested in receiving more information on the processing of personal data by Medtronic he can consult the privacy information accessible directly from the same page through a hypertext link, lacking indications regarding the legal basis on which it is grounds this processing operation.
Therefore, both in the document containing the information prepared in September 2020 and in the one updated in July 2022, the Company failed to provide the information element relating to the legal basis by virtue of which the aforementioned communication of personal data is carried out; this, in violation of the aforementioned principles of correctness and transparency referred to in the articles. 5, par. 1 letter a), as well as articles. 12 and 13 of the Regulation.
Only in the latest version of the document containing the "Privacy Policy", which entered into force on 20 January 2023, is the legal basis of consent for the processing of health data indicated "(...), in order to enable the connection of your CareLink account ™ Personal to the CareLink™ account used by your healthcare professional as part of your medical treatment”.
5. Conclusions
In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", the elements provided by the data controller in the defense statement referred to above and during the investigation, although worthy of consideration, do not allow us to fully overcome the findings notified by the Office with the aforementioned act initiating the procedure, since, moreover, none of the cases provided for by the art. 11 of the Guarantor's regulation no. 1/2019.
For these reasons, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the company Medtronic Italia S.p.a. is noted, in violation of the articles. 5, par. 1, letter. a), f), 9, 12, 13 and 32 of the Regulation. Violation of the aforementioned provisions also makes it applicable, pursuant to art. 58, par. 2, letter. i), the administrative sanction provided for by art. 83, par. 4 and 5 of the Regulation, pursuant to articles. 58, par. 2, letter. i), and 83, par. 3 of the Regulation itself.
In this framework - considering, in any case, that the conduct has exhausted its effects, taking into account that the Company has declared that, in addition to re-training the personnel involved in sending emails, it intends, in reviewing the procedures adopted, to use a new automated tool to avoid the occurrence of the incident described in the future, also by implementing further checks before sending any email notification and taking note that the same Company has taken steps to integrate the information, which came into force in January 2023, in the terms above described - the conditions for the adoption of measures, of a prescriptive or injunctive nature, referred to in the art. 58, par. 2, of the Regulation.
6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).
The Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this case, the Company has implemented two distinct behaviors, which must be considered separately for the purposes of quantifying the administrative sanction to be applied.
6.1. The conduct referred to in paragraph 4.1
Taking into account that the violation of the provisions cited in the previous paragraph 4.1, concerning the sending of communications via email notifications to a multiple number of recipients, who have been included in the carbon copy field (cc), in the absence of a suitable legal basis, took place as a result of a single conduct (same treatment or related treatments), art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns the articles. 5, par. 1, letter. a) and f) and 9 of the Regulation, the total amount of the sanction is to be quantified up to 4% of the turnover if the balance sheet, as in the case in question, exceeds the amount of 20,000,000 euros (so-called "static" statutory maximum ).
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.
With specific regard to the violations committed by the Company, it is highlighted that the level of severity was considered medium, taking into account the number of interested parties involved, the duration of the violation as well as the categories of personal data involved (health data) and the non-intentional nature ( art. 83, par. 2, letters a) and b) of the Regulation; see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).
The further elements provided for by the art. were then considered. 83, par. 2 of the Regulation and in particular that:
no complaints or reports have been received to the Guarantor regarding the incident (art. 83, par. 2, letter k) of the Regulation);
the Company has taken charge of the findings raised by the Office by reviewing the procedures adopted in order to reduce the replicability of the incidents that occurred).
On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 250,000 euros (two hundred and fifty thousand) for the violation of the articles. 5, par. 1, letter. a) and f) and 9 of the Regulation.
Due to the particular sensitivity of the data processed, it is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.
6.2. The conduct referred to in paragraph 4.2
The violation of the provisions cited in the previous paragraph 4.2, resulting from the failure to indicate - both in the document containing the information prepared in September 2020 and in the one updated in July 2022 - the information element relating to the legal basis by virtue of which the communication is made of personal data to healthcare professionals, took place as a result of a further single conduct (same treatment or related treatments). In the present case, the violation of the articles. 5, par. 1, letter. a), 12 and 13 of the Regulation entails the application of art. 83, par. 5 of the Regulation according to which the amount of the sanction is to be quantified up to 4% of the turnover, if the balance sheet, as in the case in question, exceeds the amount of 20,000,000 euros (so-called "static" statutory maximum).
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.
With specific regard to the violations committed by the Company, it is highlighted that the level of severity was considered low, taking into account that the violation concerned the absence only of a specific information element referred to in the art. 13 of the Regulation and the non-intentional nature of the conduct (art. 83, par. 2, letters a) and b) of the Regulation; see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).
Finally, the further elements provided for by the art. were considered. 83, par. 2 of the Regulation and in particular that:
no complaints or reports have been received to the Guarantor regarding the incident (art. 83, par. 2, letter k) of the Regulation);
the Company took steps to integrate the information (art. 83, par. 2, letter c) of the Regulation) and demonstrated a high degree of cooperation with the Authority during the investigation (art. 83, par. 2 , letter f) of the Regulation).
On the basis of the aforementioned elements, evaluated as a whole, it is considered to determine the amount of the pecuniary sanction in the amount of 50,000 (fifty thousand) euros for the violation of the articles. 5, par. 1, letter. a), 12 and 13 of the Regulation.
Due to the particular sensitivity of the data processed, it is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.
ALL THIS CONSIDERING THE GUARANTOR
declares the unlawfulness of the processing of personal data carried out by the company Medtronic Italia S.p.a. for the violation of the articles. 5, par. 1, letter. a) and f), 9, 12, 13 and 32 of the Regulation, within the terms set out in the justification.
ORDER
pursuant to the articles 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, to the company Medtronic Italia S.p.a., with registered office in Milan, via Varesina, 162, postal code. 20156, Tax Code and VAT number 09238800156, in the person of the legal representative pro tempore, to pay the total sum of 300,000 (three hundred thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of each of the sanctions imposed.
ORDERS
to the aforementioned company Medtronic Italia S.p.a., in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 300,000 (three hundred thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.
HAS
pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to lodge a judicial appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 8 February 2024
PRESIDENT
Stantion
THE SPEAKER
Zest
THE VICE  GENERAL SECRETARY
Philippi