
Guess it's too hard to notify users that their information got leaked. I hope they reported to all the different institutions in Europe though. The article suggests they didn't even report it to the Ireland one!


Are you seriously claiming it's too hard? They could send out emails, Facebook messages or show some banner in the profile page.

This is Facebook ffs, they almost have a monopoly on communication.


It's not our parent who claims it's too hard to find the users affected by that breach; Facebook does. Curiously. Quote from the source article:

> The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified.


Did they not see the user ids in the leak? Just do facebook.com/user_id and you got the person...


> too hard to notify users

Legally seen.

The way privacy protection laws are, especially in Germany, is kinda stupid. On one side they often don't protect you in practice, on the other side they effectively hinder and sometimes prevent reasonable usage.

Just a few examples:

- A local government couldn't properly inform elderly people that they now can get vaccinated for free because of the interplay of various privacy protection laws (and stupidity/inflexibility in other areas tbh.).

- Germany has a privacy-respecting anonymized Bluetooth-based contact tracing app (wrt. Covid). But if you do a test you first have to physically sign off that other people are anonymously informed that someone they likely had contact with has covid, then when you get the result you still need to agree again to share this information. And even this was only possible after changing regulations. (I.e. why is one initial agreement not good enough?)

- The government most likely not being able to inform the victims of such data breaches.

- ...


> But if you do a test you first have to physically sign off that other people are anonymously informed that someone they likely had contact with has covid

This is false. I've been tested about 15 times within the last year and none of the things I "signed" included any of that.

I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.

> then when you get the result you still need to agree again to share this information.

This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html

Honestly curious where you got that information from?


> I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.

If you did register a test with the covid app you had to sign something when doing the (not "fast"/PCR) test. If not, something was legally not quite right. Also maybe in recent months this might also have been changed but it's unlikely.

> This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html

I'm speaking about the covid app, not the health agency, which yes gets reporting always but also (at least at the beginning of Covid) had a completely inefficient procedure which made the German health agencies in most German states at least at the middle unable to process it anywhere close in time. Like them collecting "people you had been in contact with" 3! weeks after you were found to have covid was not uncommon.

> Honestly curious where you got that information from?

People officially working on the development of the covid app (there is a CCC talk). And various other sources which also overlap with personal experiences (like yes I personally had to give agreement on paper so that I could use the covid app).

Note that the physical confirmation is kinda hidden on a paper containing all kinds of information, so many people might not have been aware of it.


[flagged]


What I mean is that it's hard for 3rd parties to legally contact people affected by the breach. And in this case 3rd parties includes the government.


The general guideline in the GDPR is 72 hours.

> In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.



