[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkUlo2ANGA1CiqVojutq1z7ITPg0-LB5ytGy6RgQ24qI":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":23,"created_at":24,"published_at":25,"article":26,"tags":29},"8877b135-940c-428b-81d5-6ccdc653a248","emirates-fined-180000-for-gdpr-violations-over-health-data-transparency-and-excessive-retention","802fa0a6-44ac-4903-8e9e-4bc769e81c02","Emirates Fined €180,000 for GDPR Violations Over Health Data Transparency and Excessive Retention","Emirates failed to adequately inform passengers with reduced mobility about how their sensitive health data collected via the MEDIF form was being processed, violating GDPR's transparency requirements under Article 13\u002F14. Compounding this, the airline retained health data for 7 years without a lawful justification for that retention period, breaching the data minimisation and storage limitation principles. This case highlights that even when the underlying data processing is lawful, failures in transparency and retention governance can independently trigger significant regulatory penalties. Organisations handling special category data (such as health information) face heightened obligations and must ensure both clear communication to data subjects and strict enforcement of data lifecycle policies.","**Immediate actions:**\n- Audit all data collection forms involving special category data (health, biometric, etc.) to verify that privacy notices are complete, plain-language, and GDPR-compliant.\n- Review current retention schedules for sensitive personal data and immediately purge records held beyond any justifiable retention period.\n\n**Long-term improvements:**\n- Establish and enforce a formal Data Retention and Disposal Policy with automated controls that flag or delete records at defined lifecycle endpoints.\n- Embed Data Protection Impact Assessments (DPIAs) into any process that collects special category data, ensuring lawful basis, necessity, and transparency are documented before go-live.\n- Appoint or empower a Data Protection Officer (DPO) to conduct annual reviews of privacy notices and retention schedules across all business units.\n\n**Detection & compliance measures:**\n- Implement a Privacy Information Management System (PIMS) or Records of Processing Activities (RoPA) tool to maintain real-time visibility of what data is held, for how long, and under what lawful basis.\n- Schedule periodic third-party GDPR compliance audits focused on special category data handling to identify transparency and retention gaps before regulators do.",[12,13,14,15,16,17,18,19,20,21,22],"GDPR Article 5(1)(a) – Lawfulness, fairness and transparency","GDPR Article 5(1)(e) – Storage limitation","GDPR Article 9 – Processing of special categories of personal data","GDPR Article 13\u002F14 – Information to be provided to the data subject","GDPR Article 30 – Records of processing activities","GDPR Article 35 – Data Protection Impact Assessment (DPIA)","NIST Privacy Framework PR.PO-P1 – Policies and procedures for data processing","NIST SP 800-53 IP-3 – Personally Identifiable Information Retention and Disposal","CIS Control 3 – Data Protection (Data Management Lifecycle)","ISO\u002FIEC 27701:2019 – Privacy Information Management System (PIMS)","ITIL Service Design – Information Security and Data Governance Policies","published","2026-06-18T16:21:16.727499+00:00","2026-06-18T16:21:16.618+00:00",{"id":7,"url":27,"title":28},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_347\u002F2026&diff=51919&oldid=0","Garante per la protezione dei dati personali (Italy) - 347\u002F2026",[30,36],{"id":31,"name":32,"slug":33,"description":34,"color":35},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":37,"name":38,"slug":39,"description":40,"color":41},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6"]