DATA PROTECTION UPDATES

LEGAL UPDATES ON DATA PROTECTION AND PRIVACY 

You may follow the recent developments on Data Protection and Privacy in Türkiye and around the World. 

DATA PROTECTION AUTHORITY OF NORWAY ASKS POLITICAL PARTIES FOR EXPLANATION:

The Norwegian Data Protection Authority has asked the political parties for an explanation following complaints from many people who received e-mails from political parties in the run-up to the municipal elections.

The e-mails were sent to residents of Stavanger municipality as part of the municipal elections. The authority then asked the Labour Party, on behalf of the majority parties, to provide an explanation of the purpose and legal basis for the processing. The deadline for responding to this request is 29 September 2023.

29.09.2023

HONG KONG DATA PROTECTION AUTHORITY PUBLISHES GUIDANCE ON DATA BREACHES:

The Hong Kong Personal Data Protection Authority (PCPD) has published a guide for organisations on how to handle data breaches and how to report data breaches.

The guide covers the most common types of data breaches in Hong Kong, how the data breach process should be handled step by step, and to whom, when and how data breach notifications should be made.

29.09.2023

CNIL FINES SAF LOGISTICS €200,000:

CNIL, the French data protection authority, has fined SAF LOGISTICS, an air freight forwarder headquartered in China, €200,000. The reasons for the fine were excessive data collection by the company, non-compliance with the prohibitions on processing sensitive personal data and personal data relating to convictions and criminal offences, and insufficient cooperation with the CNIL services.

In this context, 

  • The principle of data minimisation in Article 5,
  • Article 9 on the processing of sensitive personal data,
  • Article 10 on the processing of data relating to convictions and criminal offences,
  • Article 31 on cooperation with supervisory authorities

of the GDPR have been infringed.

29.09.2023

DPC PUBLISHES SUMMARY OF DECISIONS TAKEN BETWEEN 2018 AND 2023:

The Irish Data Protection Authority (DPC) has published a summary of 126 decisions, covering the first five years of the GDPR. The summarised decisions cover topics such as complaints about data subject access requests, the accuracy principle, data breach notifications, the right to be forgotten (right to erasure), transparency and purpose limitation while processing personal data.

22.09.2023

US FEDERAL TRADE COMMISSION DECISION ON 1HEALTH.IO:

The US Federal Trade Commission (FTC) has fined 1Health.io, a provider of ancillary solutions to genetic testing companies, $75,000 for storing users' sensitive information on public data servers, failing to keep promises about the security and destruction of DNA results, changing its privacy policy, and failing to obtain users' consent.
 
It also ordered the company to instruct laboratories to destroy DNA samples held in third-party laboratories within 180 days.

22.09.2023