Last week in privacy (week 43)

A massive data breach in Finland: transcriptions from psychotherapy sessions held for ransom and published online every 24 hours


The privately run psychotherapy company Vastaamo has suffered a data breach. The breach became public on Wednesday when an attacker published his demands online, saying he will publish extremely sensitive details of 100 data subjects' therapy sessions every 24 hours until a ransom of 450 000€ is paid by Vastaamo.


The attacker, who goes by ‘ransom_man’, claims to have sensitive information on 40 000 patients and is running a Tor site on which he has already leaked psychotherapy session notes from 300 patients.


On 21 October 2020 Vastaamo published a press release confirming that the attacker had contacted the company and claimed to have obtained confidential patient information, and that the Finnish National Bureau of Investigation had started to investigate the case. In a press release dated 24 October 2020, Vastaamo confirmed that its databases had been accessed between November 2018 and March 2019.


On Saturday 24 October, several victims posted on social media saying they had received blackmail emails directly from the attacker, stating that the victims must pay 200€ to have their information completely deleted.


The Finnish supervisory authority ordered Vastaamo to notify the data subjects personally.


See Vastaamo’s press releases here.
See the Finnish DPA’s order here.


Spanish DPA fines Iberia 30 000€ for unlawful cookie practices


In 2019, a complaint was lodged with the Spanish supervisory authority, the Agencia Española de Protección de Datos (“AEPD”), claiming that the data subject had no option to reject cookies on Iberia’s website and had to accept all cookies in order to search for flights.


Iberia responded to the AEPD stating that in January 2020, the website had implemented a proper cookie banner that allows end users to configure and reject all cookies. However, the AEPD found that the claimed changes were not actually made and that the website still did not offer an option to refuse all cookies. In addition, the cookie policy did not meet all the information provision recommendations issued by the AEPD in its guidelines on cookies.


The AEPD issued a fine of 30 000€ against Iberia. In the decision, the AEPD says that issuing a warning instead of initiating the sanctioning procedure would have been ‘the right thing to do’ if Iberia had actually made the changes it claimed to have made in January.


See the AEPD’s decision here.


Spanish DPA publishes a tool for data breach notifications


The Spanish supervisory authority, the Agencia Española de Protección de Datos (“AEPD”), published a tool to help companies assess whether they are obliged to communicate a personal data breach to the affected data subjects.


The tool is free and indicates whether there is a risk associated with the personal data breach. Once a form has been completed, and depending on the information provided, the tool offers three possible scenarios for the organisation.


See the AEPD’s press release here.

Access the breach notification tool here.


NOYB filed a complaint against Wizz Air for charging money to exercise data subject rights


On 21 October 2020 the Austrian non-profit organisation NOYB filed a GDPR complaint against the airline Wizz Air for failing to keep personal data up to date and charging money to exercise the rights granted in the GDPR.


An Austrian passenger wanted to update her personal data stored by Wizz Air and filed a ‘rectification request’ for her surname and email address with Wizz Air’s Data Protection Officer. Customer Service told her that changing her surname online is only possible in case of a marriage and that she would need to call the company’s call center, which charges 1€ per minute.


After she had spent more than 30 minutes on the call, only her surname was changed and the old email address was retained. As a result, information about a cancelled flight was sent to the wrong email address.


See the complaint here.