{"id":10255,"date":"2025-01-31T10:43:59","date_gmt":"2025-01-31T09:43:59","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=10255"},"modified":"2025-01-31T11:45:34","modified_gmt":"2025-01-31T10:45:34","slug":"data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/","title":{"rendered":"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\"><strong>EU Health sector<\/strong><\/h4>\n\n\n\n<p>The Commission presented an EU <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/european-action-plan-cybersecurity-hospitals-and-healthcare-providers\">Action Plan to improve health sector cybersecurity<\/a>. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/european-action-plan-cybersecurity-hospitals-and-healthcare-providers\">intersection of information technology (IT) and operational technology (OT), where different security priorities meet<\/a> as regards data confidentiality, availability and reliability, and where a breach in one area can affect the other. In many cases, IT and OT are at least partly outsourced.<\/p>\n\n\n\n<p>Deficiencies are observed in key areas such as sufficient human resources, organisations\u2019 knowledge of their information and communications technology supply chains, and installation of up-to-date security features in products, (for services like IaaS, PaaS, and SaaS). The sector struggles with basic cyber hygiene and fundamental security measures, as illustrated by the fact that nearly all health organisations surveyed face challenges when it comes to performing cybersecurity risk assessments, while almost half have never performed a risk analysis.<\/p>\n\n\n\n<p><strong><a href=\"#newslettersignup\"><em>Stay up to date! Sign on to receive our fortnightly digest via email.<\/em><\/a><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Right of access<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXckdkQuN6kbC1l3p2I1xjuaMnijKmdS5nrgGxotbbNAz7mD4QHujC-9G5UYOg3lHRSh4UGIlIh_Txzicd5Fwi3Ynuxv-n2TfQ6C3bHguRsP9xlFUako5ydGXMWHwoDKeRY4i7Ob?key=5s9e3OPEI4CVYgNuAYfDMDiq\" alt=\"Health sector\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The EDPB published a one-stop-shop case digest on the right of access.&nbsp;Natural persons\u2019 right to access personal data related to them is enshrined in <a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2025-01\/oss-case-digest-right-of-access_en.pdf\">Art. 8 of the EU Charter of Fundamental Rights<\/a> and is, therefore, to be considered the most essential data protection right. Art. 15 of the GDPR applies to requests for access submitted after the law became applicable. It can be divided into three components:&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirmation as to whether personal data related to the data subject is processed or not.&nbsp;<\/li>\n\n\n\n<li>Access to information related to the data subject if it is processed at the time of the data subject\u2019s access request.&nbsp;<\/li>\n\n\n\n<li>Information about the processing and the data subject\u00b4s other data protection rights.<\/li>\n<\/ul>\n\n\n\n<p>The CJEU has also repeatedly stated that the practical aim of the right to access, firstly, is to enable data subjects to verify that the personal data concerning them are correct and processed lawfully. In particular, the right of access is necessary to enable the data subject to exercise their <a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2025-01\/oss-case-digest-right-of-access_en.pdf\">right to rectification, erasure, restriction and objection to processing, as well as the right of action when they suffer damage<\/a>.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More EDPB updates<\/h4>\n\n\n\n<p><strong>Pseudonymisation: <\/strong>The EDPB also awaits <a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/documents\/public-consultations\/2025\/guidelines-012025-pseudonymisation_en\">comments<\/a> on the Guidelines on Pseudonymisation until the end of February. The GDPR does not impose a general obligation to use pseudonymisation. Similarly, the explicit introduction of pseudonymisation is not intended to preclude any other measures. However, data controllers may need to apply pseudonymisation to meet the requirements of EU data protection law, in particular, to <a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2025-01\/edpb_guidelines_202501_pseudonymisation_en.pdf\">adhere to the data minimisation principle, to implement data protection by design and by default, or to ensure a level of security appropriate to the risk<\/a>. In some specific situations, Union or Member State law may mandate pseudonymisation.&nbsp;<\/p>\n\n\n\n<p><strong>Complex algorithms: <\/strong>Finally, the EDPB also publishes an opinion piece on <a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/support-pool-experts-projects\/ai-complex-algorithms-and-effective-data_en\">AI and effective data protection<\/a> supervision. This report covers techniques and methods that can be used for the effective implementation of data subject rights, specifically, <a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/support-pool-experts-projects\/ai-complex-algorithms-and-effective-data_en\">the right to rectification and the right to erasure when AI systems have been developed with personal data<\/a>. However, there are several challenges:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Limited understanding<\/strong> of how each data point impacts the model;<\/li>\n\n\n\n<li><strong>Stochasticity of training<\/strong>, (random sampling of batches of data from the dataset, random ordering of the batches, and parallelisation without time-synchronisation);&nbsp;<\/li>\n\n\n\n<li>I<strong>ncremental training<\/strong> process, (updates relying on a specific training data point will affect all subsequent updates);<\/li>\n\n\n\n<li><strong>Stochasticity of learning<\/strong>, (difficult to correlate how a specific data point contributed to the \u201clearning\u201d in the model).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AI prohibitions in the EU<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 26%\"><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>From 2 February, for any organisations that offer or operate AI systems, the first <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=OJ:L_202401689#art_4\">key provisions of the AI Act will apply<\/a>: the ban on certain AI practices in both public and private sectors, <a href=\"https:\/\/datenschutz-hamburg.de\/news\/ki-vo-diese-pflichten-und-verbote-gelten-ab-februar-2025\">(mass surveillance, social scoring, behavoural and emotional analysis)<\/a>, and obligations to ensure that employees have sufficient AI skills. Additionally, manipulative AI practices that exploit human vulnerabilities are now prohibited. Particular focus is placed on protecting vulnerable groups such as children and adolescents. <\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXf2cPijMEQlwf9FqKEym76oHD3FRQX2cRzBsd3dhbrYh3KseLEDbzxL4zuvVNKpoQklWpOvC2pVydYqOj-xTfHfWYP-KT8w4eU2ohwQO-e6D6oejqqjH_m_UIyYQcwd7VlVRXl8lw?key=5s9e3OPEI4CVYgNuAYfDMDiq\" alt=\"\" \/><\/figure><\/div>\n\n\n\n<p>From now on, such violations can not only lead to sanctions under the AI \u200b\u200bAct but also trigger action from data protection authorities.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More legal updates worldwide<\/h4>\n\n\n\n<p><strong>China cross-border transfers: <\/strong>At the beginning of January, the Cyberspace Administration of China released for public consultation the draft certification measures to legitimize cross-border transfers of personal data outside of China, (CBDTs), DLA Piper reports. Chinese law requires data controllers to take one of the following <a href=\"https:\/\/privacymatters.dlapiper.com\/2025\/01\/7523\/\">three routes: a) mandatory security assessment; b) Standard Contractual Clauses filing; or c) certification<\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The certification route is available to data controllers inside China and outside the country if they fall under the extraterritorial jurisdiction of the Personal Information Protection Law, (eg, processing data of residents in China to provide products or services to them or analyse or evaluate their behaviour). Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including consent requirements, impact assessments, and maintaining records of processing activities.&nbsp;<\/p>\n\n\n\n<p><strong>US Child privacy: <\/strong>On 16 January, the FTC finalized <a href=\"https:\/\/www.ftc.gov\/legal-library\/browse\/federal-register-notices\/16-cfr-part-312-coppa-final-rule-amendments\">changes to children\u2019s privacy rules<\/a>, (COPPA). By requiring parents to opt into targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetising children\u2019s data without active permission. It requires certain websites and online services to proactively <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/01\/ftc-finalizes-changes-childrens-privacy-rule-limiting-companies-ability-monetize-kids-data\">obtain verifiable parental consent before collecting<\/a>, using or disclosing personal information from children under 13, provides the right to require deletion of these data and establishes data minimization and data retention requirements. Entities will have one year from the publication date to come into full compliance.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Open Data<\/strong><\/h4>\n\n\n\n<p>The French CNIL alerts data controllers who use databases freely made available on the Internet or provided by a third party that they must verify that their creation, sharing or re-use is legal. These include such areas as&nbsp; <a href=\"https:\/\/www.cnil.fr\/fr\/reutilisation-de-bases-de-donnees-les-verifications-necessaires-pour-respecter-la-loi\">scientific research, development of artificial intelligence systems, commercial prospecting, as well as data brokers<\/a>. To initiate and define compliance process data controllers will need to &#8211;<strong> identify<\/strong> legal basis<strong>, inform<\/strong> individuals, <strong>minimize<\/strong> data<strong>, <\/strong>obtain explicit <strong>consent <\/strong>for the processing of sensitive data<strong>, <\/strong>maintain up to&nbsp; date data processing <strong>agreements<\/strong> and other core <strong>documentation <\/strong>and conduct impact <strong>assessments<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>SDK and app privacy<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXepkDKKedz9Qvaf0-pBwta6XM93YoFiBqoQsWphV00WCWlAMRV92FXkcH4H5ws1-uOsRFLntzEqoPlC887AT5VjuaRhhhVP3HtvS3brbv0AWXXiUPto0xqwqjEJEaffDCJeiw6i?key=5s9e3OPEI4CVYgNuAYfDMDiq\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>Software Development Kit, (SDK), plays a central role in how mobile apps work. The French CNIL has made recommendations on how to integrate SDKs and conduct controls to ensure their compliance with the GDPR. The most popular SDKs offer tools for software error management, audience measurement, ad monetization, notification management, and more.&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p>The SDK code embedded within the app has the same level of software access as the rest of the code written by the app developer. If permission is granted to the application, all built-in SDKs have, by default, the technical capability to access the data. This <a href=\"https:\/\/www.cnil.fr\/fr\/applications-mobiles-comment-integrer-des-sdk-et-respecter-la-vie-privee-des-utilisateurs\">access by the SDK can then escape the developer&#8217;s control and infringe on the privacy<\/a> of the users of the application. It is therefore important that the publisher gives clear instructions to the developer as to the process to be implemented for the selection and configuration of the in-app SDKs.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More official guidance<\/h4>\n\n\n\n<p><strong>Medical wearables: <\/strong>The Federal Office for Information Security, (BSI), in Germany has published the results of its project on the &#8220;<a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/DigitaleGesellschaft\/SiWamed_Abschlussbericht.html#Download=1\">Security of wearables with partial medical functionalities<\/a>&#8220;. The project deals with the security of wearables, (marketed in Germany), that use sensors to record health and fitness status. These sensors can be used to measure or calculate heart rate, blood oxygen saturation, sleep patterns, and calorie consumption, among other things.&nbsp;Many of these devices use mobile apps to evaluate sensitive data and create statistics. Vulnerabilities in devices used to record health and fitness data open up a new form of personal cybercrime for criminals. On the one hand, it is conceivable that wearables could be used specifically to attack people who have the appropriate sensors. <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/DigitaleGesellschaft\/SiWamed_Abschlussbericht.html#Download=1\">Targeted attacks could also be made on recovery processes<\/a>, for example, when sick people adjust their medication based on sensor data.&nbsp;<\/p>\n\n\n\n<p><strong>Financial apps: <\/strong>&nbsp;In parallel, the BSI published the <a href=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Alle-Meldungen-News\/Meldungen\/TR-03174_Cybersicherheit_Finanzwesen_241217.html\">technical guidelines on &#8220;Requirements for applications in the financial sector&#8221;<\/a> &#8211; fintech companies, such as banks, financial service providers or start-ups in the field of financial technology. The aim is to achieve a uniformly high level of security for existing banking apps and payment services &#8211; but also for <a href=\"https:\/\/techgdpr.com\/blog\/navigating-the-dora\/\">financial services<\/a> on smartphones or smartwatches. These may include apps that users can use to pay in the supermarket or manage accounts, but also crowdfunding platforms or microcredit initiatives, etc. The <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr03174\/TR-03174_node.html\">guide in German can be found here<\/a>.<\/p>\n\n\n<div id=\"newslettersignup\"><\/div>\n<div id=\"role-block_2bda5ab3c1ed966237d2c35fa68b6980\" class=\"text-t-black bg-t-pink p-6 md:p-12 rounded-tr-50 rounded-bl-50 mb-4 lg:mb-12 text-center role\">\n  \n      <h2 class=\"text-xl lg:text-2xl max-w-screen-lg mx-auto text-t-black font-display mb-4\">\n      Receive our digest by email     <\/h2>\n        <h3 class=\"text-base max-w-screen-lg mx-auto text-t-black font-body mb-4\">Sign up to receive our digest by email every 2 weeks<\/h3>\n  \n  <div id=\"rmOrganism\">\n    <div class=\"rmEmbed rmLayout--vertical rmBase\">\n      <div data-page-type=\"formSubscribe\" class=\"rmBase__body rmSubscription\">\n                  <form method=\"post\" action=\"https:\/\/mailing.techgdpr.com\/145\/6351\/5e9fc3cdda\/subscribe\/form.html?_g=1698845230\" class=\"rmBase__content\">\n                  <div class=\"rmBase__container mx-auto max-w-screen-sm\">          \n            <div class=\"rmBase__section\">\n              <div class=\"text-left rmBase__el rmBase__el--input rmBase__el--label-pos-none\" data-field=\"email\">\n                <label for=\"email\" class=\"rmBase__compLabel rmBase__compLabel--hideable hidden\">\n                  Email address\n                <\/label>\n                <div class=\"rmBase__compContainer mb-2\">\n                  <input type=\"text\" name=\"email\" id=\"email\" placeholder=\"Email\" value=\"\" class=\"p-4 border rounded border-gray-400 w-full rmBase__comp--input comp__input\">\n                  <div class=\"rmBase__compError text-left font-display font-bold text-xs\"><\/div>\n                <\/div>\n              <\/div>\n            <\/div>\n            <div class=\"rmBase__section mb-4\">\n              <div class=\"rmBase__el rmBase__el--consent\" data-field=\"consent_text\">\n                <div class=\"rmBase__comp--checkbox\">\n                  <label for=\"consent_text\" class=\"flex space-x-2 items-baseline text-left vFormCheckbox comp__checkbox\">\n                    <input type=\"checkbox\" value=\"yes\" name=\"consent_text\" id=\"consent_text\" class=\"vFormCheckbox__input\">\n                    <div class=\"vFormCheckbox__indicator hidden\"><\/div>\n                    <div class=\"vFormCheckbox__label\">\n                                              I consent to the processing of my data, and to receiving regular updates from TechGDPR. Data is processed according to our <a href=\"https:\/\/techgdpr.com\/privacy-policy\/\"> Privacy Notice<\/a>.\r\n                                          <\/div>\n                  <\/label>\n                <\/div>\n                <div class=\"rmBase__compError text-left font-display font-bold text-xs\"><\/div>\n              <\/div>\n            <\/div>\n            <div class=\"rmBase__section\">\n              <div class=\"rmBase__el rmBase__el--cta\">\n                <button type=\"submit\" class=\"inline-flex items-center justify-center px-8 py-3 text-white visited:text-white font-bodybold rounded-md bg-t-navy border-3 border-t-navy hover:border-t-navy hover:bg-transparent hover:text-t-navy transition-all hover:text-white cursor-pointer rmBase__comp--cta\">\n                  Subscribe\n                <\/button>\n              <\/div>\n            <\/div>\n          <\/div>\n        <\/form>\n      <\/div>\n      <div data-page-type=\"pageSubscribeSuccess\" class=\"rmBase__body rmSubscription hidden\">\n        <div class=\"rmBase__content\">\n          <div class=\"rmBase__container\">\n            <div class=\"rmBase__section\">\n              <div class=\"rmBase__el rmBase__el--heading\">\n                <div class=\"rmBase__comp--heading\">\n                  Thank you for your subscription!\n      <!-- this linebreak is important, don't remove it! this will force trailing linebreaks to be displayed -->\n                  <br>\n                <\/div>\n              <\/div>\n            <\/div>\n            <div class=\"rmBase__section\">\n              <div class=\"rmBase__el rmBase__el--text\">\n                <div class=\"rmBase__comp--text\">\n                  We have sent you an email &#8211; please confirm your email address by clicking the activation link in it.\n      <!-- this linebreak is important, don't remove it! this will force trailing linebreaks to be displayed -->\n                  <br>\n                <\/div>\n              <\/div>\n            <\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n\n      <script src=\"https:\/\/mailing.techgdpr.com\/form\/145\/6069\/8a53c9178b\/embedded.js\" async><\/script>\n  \n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Selling drivers location and behaviour data<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeOIAs4F3T5JxohoNI-_mkHrdHJKcB-B9iNPbId1rP0GGjA_G9OxfLlJHu_MieIFk_e0PY8w3cJ_4NgPy7zSkZFc3z1kSlN8Nt_UkApfpTkDb2YgpKVgAkR_dRNYs8joz4NuDci?key=5s9e3OPEI4CVYgNuAYfDMDiq\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>In the US, the FTC is taking action against General Motors over allegations they collected, used, and <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/01\/ftc-takes-action-against-general-motors-sharing-drivers-precise-location-driving-behavior-data\">sold drivers\u2019 precise geolocation data and driving behavior information from millions of vehicles\u2014data that can be used to set insurance rates<\/a>\u2014without adequately notifying consumers and obtaining their affirmative consent. When consumers bought a vehicle, they were encouraged to sign up for a feature which they were often told would be used to help them assess their driving habits.&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p>The information notice was confusing and misleading. GM failed to clearly disclose to consumers the types of information it collected, including their geolocation and driving behavior data, such as hard braking, late night driving, and speeding, or that it would be sold to consumer reporting agencies. These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were then used by insurance companies to deny insurance and set rates. Additionally, through faulty claims on its websites and in email and social media ads, the company claimed that it deployed reasonable security and that it was in compliance with the previous EU-US and Swiss-US Privacy Shield Frameworks.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More enforcement decisions<\/h4>\n\n\n\n<p><strong>Loan promotion: <\/strong>The UK\u2019s ICO meanwhile fined ESL Consultancy Services Ltd 200,000 pounds for knowingly sending unlawful loan promotion nuisance text messages to people who had not consented to receive them. The regulator found that in 2022 and 2023, ESL used a third party to send marketing text messages without ensuring valid consent was in place to send promotional materials. ESL also took steps to try and conceal the identity of the sender of the messages by using unregistered SIM cards. As a result the <a href=\"https:\/\/ico.org.uk\/about-the-ico\/media-centre\/news-and-blogs\/2025\/01\/company-fined-200-000-for-instigating-unlawful-loan-promotion-nuisance-texts\/\">ICO received 37,977 complaints<\/a>.&nbsp;<\/p>\n\n\n\n<p><strong>Failed internal policies: <\/strong>An investigation of the Romanian supervisory authority revealed that the telecoms operator Vodafone Romania repeatedly &nbsp;<a href=\"https:\/\/www.dataprotection.ro\/index.jsp?page=Comunicat_Presa_20_01_2025&amp;lang=ro\">failed to ensure the confidentiality of data belonging to several customers as a result of non-compliance with internal policies<\/a>. For these acts the operator had to pay an approx. 15,000 euro fine. The data security breach was caused by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>unauthorised transmission of a picture of a data subject&#8217;s invoice to a third party;<\/li>\n\n\n\n<li>not hiding recipients&#8217; email addresses and not selecting the &#8220;BCC&#8221; option when informing data subjects of changes;<\/li>\n\n\n\n<li>sending via WhatsApp by an employee of an authorised representative of the operator, a photo containing a screenshot of data displayed in the app interface.<\/li>\n<\/ul>\n\n\n\n<p><strong>Failed erasure request: <\/strong>The Romanian regulator also fined Orange Romania approx. 40,000 euros for a failed data erasure request. After an unsuccessful attempt to subscribe to the mobile services offered by the operator, a request was made to delete all personal data. During the correspondence, the operator requested more personal data and no complete and adequate responses were provided to the requests received. Moreover, the operator had <a href=\"https:\/\/www.dataprotection.ro\/index.jsp?page=Comunicat_Presa_27_01_2025&amp;lang=ro\">excessively collected and stored scanned copies of documents, although they were no longer necessary<\/a> for the purpose of identification related to the conclusion of a subscription contract.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Data security<\/h4>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 26%\"><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Hosting services: <\/strong>America&#8217;s FTC reminds us that a business website is one of the most important sales and marketing tools. It is not only the&nbsp; virtual storefront, but also <a href=\"https:\/\/www.ftc.gov\/business-guidance\/blog\/2025\/01\/go-ask-your-web-host-some-questions-tips-businesses-godaddy-settlement\">a repository for data \u2013 yours and your customers<\/a>. Thus, when you go looking for a web host \u2013 the company that\u2019ll store your site on its servers \u2013 security is non-negotiable. The recent FTC <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/01\/ftc-takes-action-against-godaddy-alleged-lax-data-security-its-website-hosting-services\">settlement with GoDaddy<\/a>, one of the largest web hosting companies in the world, shows what can happen when security slips.<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcqymWzVpmV6tJeUYp_yEz1SGC70BcwQaJVon6Esead7hV9M8QdGzrd_giRwstF3LETfE7Lk8SQPFjsd_aa6eoISm5N_7zc9cA6FNSbXC7BSKjcqtuJxyN1qDclzy8DaGsOP3Uoqw?key=5s9e3OPEI4CVYgNuAYfDMDiq\" alt=\"Health sector\" \/><\/figure><\/div>\n\n\n\n<p>In particular, when the hosting provider neglects to inventory its assets, manage software updates, use multifactor authentication, and appropriately monitor for security threats.&nbsp;<\/p>\n\n\n\n<p><strong>New security measures listed<\/strong>: The Danish data protection regulator published two new measures in its technical catalogue, both of which deal with <a href=\"https:\/\/www.datatilsynet.dk\/presse-og-nyheder\/nyhedsarkiv\/2025\/jan\/to-nye-sikkerhedsforanstaltninger-om-sikker-transmission\">\u2018secure data transmission\u2019<\/a>. If two or more parties use external networks, such as the Internet and telecommunications networks, they often do not have the same control and protection as when rising their own networks. In such cases, the parties must assess whether the data transmission should be protected with encryption.&nbsp;However, encryption of data transmission can also be used to <a href=\"https:\/\/www.datatilsynet.dk\/regler-og-vejledning\/behandlingssikkerhed\/katalog-over-foranstaltninger\/sikker-transmission\">protect against \u201cinsider threats\u201d or physical intrusion<\/a> into one\u2019s own networks. During transmission, there may also be a risk that data may become known to unauthorized persons. <a href=\"https:\/\/www.datatilsynet.dk\/regler-og-vejledning\/behandlingssikkerhed\/katalog-over-foranstaltninger\/sikker-transmission-med-valideret-afsender-modtager-indhold\">Validation of sender, recipient and content<\/a> is thus a preventive measure that reduces the likelihood of data being read by unauthorized parties. At the same time, it can ensure non-repudiation and validation of the sender.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Valio data breach investigation in Finland<\/strong><\/h4>\n\n\n\n<p> The data protection ombudsman is investigating a data security <a href=\"https:\/\/tietosuoja.fi\/-\/tietosuojavaltuutetun-toimisto-selvittaa-valion-tietoverkkoon-kohdistunutta-tietoturvaloukkausta\">breach targeting Valio&#8217;s, (country\u2019s largest milk processor), information network<\/a>. The attacker had obtained the personnel data of Valio and its subsidiaries operating in Finland, as well as milk purchasing cooperatives. Former employees of Valio have also been targeted. In addition, the breach targeted data in the databases of the Valio Mutual Insurance Company and Valio Pension Fund. The data breach targeted a significantly larger amount of personal data than initially estimated by the data controller.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Big Tech<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdSk-WL8zx-xMu4n1UcXsDUUd-SpDONBcr3r9o9HSFMKaTIzHFr9JAnCBgYA6LdOQs1-NeES3BEVXhx6mvNB9l24YjG5We1hzquxvLw1BLkF5730gXrhHYcw1d7Stg-ZXKXfK9EEg?key=5s9e3OPEI4CVYgNuAYfDMDiq\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Meta AI: <\/strong>Meta began to gradually roll out a new feature that lets its <a href=\"https:\/\/about.fb.com\/news\/2025\/01\/building-toward-a-smarter-more-personalized-assistant\/\">AI tool remember certain details that you share with it<\/a> in 1:1 chats on WhatsApp and Messenger. The company is also rolling out a greater level of personalisation for Meta AI on Facebook, Messenger and Instagram, (by tracking and memorising details about you, including information about your personal life, ethnicity, health and family). <\/p>\n<\/div><\/div>\n\n\n\n<p>The changes so far only concern users in the US and Canada. The new policy promises to \u201donly remember certain things you tell it in personal conversations, (not group chats), and you can delete its memories at any time\u201d.&nbsp;<\/p>\n\n\n\n<p><strong>DeepSeek data whereabouts: <\/strong>Italy&#8217;s data protection regulator Garante is requesting answers from, (and <a href=\"https:\/\/www.garanteprivacy.it\/home\/docweb\/-\/docweb-display\/docweb\/10097450\">temporarily blocks<\/a>), the Chinese AI model DeepSeek, supposedly a low-cost and open-source alternative to US rivals, over its usage of personal data. What information has been collected, from which <a href=\"https:\/\/www.reuters.com\/technology\/artificial-intelligence\/italy-regulator-seeks-info-deepseek-data-protection-2025-01-28\/\">sources, for what purposes, on what legal basis, and whether it is stored in China<\/a>? Other reports claim DeepSeek <a href=\"https:\/\/www.theguardian.com\/technology\/2025\/jan\/28\/experts-urge-caution-over-use-of-chinese-ai-deepseek\">spreads misinformation, bans political prompts<\/a>, and how the Chinese state might exploit users\u2019 data.&nbsp;<\/p>\n\n\n\n<p>Open AI meanwhile warns that Chinese startups are \u2018constantly\u2019 using its technology to develop competing products. The company is reviewing allegations that DeepSeek used the ChatGPT maker\u2019s AI models to create a rival chatbot, through a technique known as \u201cdistillation\u201d &#8211; <a href=\"https:\/\/www.theguardian.com\/technology\/2025\/jan\/29\/openai-chatgpt-deepseek-china-us-ai-models\">boosting the performance of smaller models by using larger, more advanced ones to achieve similar results<\/a>, summed up in this Guardian article.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EU Health sector The Commission presented an EU Action Plan to improve health sector cybersecurity. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the intersection of information [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":10256,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[94],"tags":[51,129,122,58,258,79,180,231],"class_list":["post-10255","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-digest","tag-artificial-intelligence","tag-consumer-data-protection","tag-data-subject-access-requests","tag-gdpr-compliance","tag-health-related-data","tag-international-transfers","tag-pseudonymisation","tag-toms"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png",1280,853,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-150x150.png",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-300x200.png",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-768x512.png",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-1024x682.png",640,426,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png",1280,853,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png",1280,853,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-200x200.png",200,200,true]},"post_excerpt_stackable":"<p>EU Health sector The Commission presented an EU Action Plan to improve health sector cybersecurity. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the intersection of information technology (IT) and operational technology (OT), where different security priorities meet as regards data confidentiality, availability and reliability, and where a breach in one area can affect the other. In many cases, IT and OT are at least partly outsourced. Deficiencies are observed in key&hellip;<\/p>\n","category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png",1280,853,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-150x150.png",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-300x200.png",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-768x512.png",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-1024x682.png",640,426,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png",1280,853,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png",1280,853,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280-200x200.png",200,200,true]},"post_excerpt_stackable_v2":"<p>EU Health sector The Commission presented an EU Action Plan to improve health sector cybersecurity. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the intersection of information technology (IT) and operational technology (OT), where different security priorities meet as regards data confidentiality, availability and reliability, and where a breach in one area can affect the other. In many cases, IT and OT are at least partly outsourced. Deficiencies are observed in key&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info_v2":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector - TechGDPR<\/title>\n<meta name=\"description\" content=\"TechGDPR\u2019s review of the most important data-related stories: the intersection of Information and Operational Technology in the Health sector\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"TechGDPR\u2019s review of the most important data-related stories: the intersection of Information and Operational Technology in the Health sector\" \/>\n<meta property=\"og:url\" content=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-31T09:43:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-31T10:45:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Olya Vasylyk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Vasylyk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/\"},\"author\":{\"name\":\"Olya Vasylyk\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\"},\"headline\":\"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector\",\"datePublished\":\"2025-01-31T09:43:59+00:00\",\"dateModified\":\"2025-01-31T10:45:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/\"},\"wordCount\":2555,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/mood-7529903_1280.png\",\"keywords\":[\"Artificial Intelligence\",\"consumer data protection\",\"data subject access requests\",\"GDPR Compliance\",\"health-related data\",\"International transfers\",\"pseudonymisation\",\"TOMs\"],\"articleSection\":[\"Data Protection Digest\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/\",\"name\":\"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/mood-7529903_1280.png\",\"datePublished\":\"2025-01-31T09:43:59+00:00\",\"dateModified\":\"2025-01-31T10:45:34+00:00\",\"description\":\"TechGDPR\u2019s review of the most important data-related stories: the intersection of Information and Operational Technology in the Health sector\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/mood-7529903_1280.png\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/mood-7529903_1280.png\",\"width\":1280,\"height\":853,\"caption\":\"health sector\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\",\"name\":\"Olya Vasylyk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"caption\":\"Olya Vasylyk\"},\"description\":\"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/olyav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector - TechGDPR","description":"TechGDPR\u2019s review of the most important data-related stories: the intersection of Information and Operational Technology in the Health sector","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/","og_locale":"en_US","og_type":"article","og_title":"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector - TechGDPR","og_description":"TechGDPR\u2019s review of the most important data-related stories: the intersection of Information and Operational Technology in the Health sector","og_url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/","og_site_name":"TechGDPR","article_published_time":"2025-01-31T09:43:59+00:00","article_modified_time":"2025-01-31T10:45:34+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png","type":"image\/png"}],"author":"Olya Vasylyk","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Olya Vasylyk","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/"},"author":{"name":"Olya Vasylyk","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8"},"headline":"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector","datePublished":"2025-01-31T09:43:59+00:00","dateModified":"2025-01-31T10:45:34+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/"},"wordCount":2555,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png","keywords":["Artificial Intelligence","consumer data protection","data subject access requests","GDPR Compliance","health-related data","International transfers","pseudonymisation","TOMs"],"articleSection":["Data Protection Digest"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/","url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/","name":"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector - TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png","datePublished":"2025-01-31T09:43:59+00:00","dateModified":"2025-01-31T10:45:34+00:00","description":"TechGDPR\u2019s review of the most important data-related stories: the intersection of Information and Operational Technology in the Health sector","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/01\/mood-7529903_1280.png","width":1280,"height":853,"caption":"health sector"},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8","name":"Olya Vasylyk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","caption":"Olya Vasylyk"},"description":"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=10255"}],"version-history":[{"count":26,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10255\/revisions"}],"predecessor-version":[{"id":10283,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10255\/revisions\/10283"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/10256"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=10255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=10255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=10255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}