Senseonics Inc.

Description

The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of the data subjects via the e-mails. In the course of its investigation, the DPA also identified other privacy violations involving the glucose monitoring system produced by the company. By downloading the monitoring app, users were required to accept both the contractual terms of use and the content of the privacy policy with a single 'click.' This did not allow them to separately give their consent to the individual processing operations, including the processing of health data. Further, the DPA found that the company had violated the principles of fairness and transparency by providing users with confusing and sometimes erroneous information regarding the processing of personal data. In addition, the company failed to designate its representative in the European Union as the contact person for all data protection issues.