Category: General Data Protection Regulation

Decision to fine the Norwegian Public Roads Administration

23. October 2020

The Norwegian Data Protection Authority (Datatilsynet) has issued the Norwegian Public Roads Administration (Statens vegvesen) a fine of EUR 37.400 (NOK 400.000) for improprieties related to the use of the monitoring system installed on toll ways in Norway. They concerned processing personal data for purposes that were noncompliant with the originally stated and for not erasing video recordings after 7 days from their registration.

The penalized entity is the controller of a system processing personal data obtained from the area of ​​toll roads in Norway. This system records personal data which especially enable the identification of vehicles (and hence their owners) that pass through public toll stations. The primary purpose of processing these personal data was to ensure safety on public roads and to optimize the operation of the tunnel and drawbridges in the county Østfold. The Norwegian Public Roads Administration however, used the recordings particularly in order to document improper fulfilments of concluded contracts by certain subjects. According to the Norwegian Data Protection Authority, such procedure is unlawful and not compliant with the originally stated purposes.

The Norwegian Public Roads Administration was also accused of infringements related to deletion of personal data in due time. In accordance with Norwegian regulations, recordings from monitoring (and thus personal data) may be stored until the reason for its storage ceases, but no longer than 7 days from recording the material. In the course of proceedings it turned out that the monitoring system did not have the function of deleting personal data at all. Therefore, the Norwegian Public Roads Administration was not able to fulfil its obligation according to Art. 17 GDPR. The lack of this functionality additionally indicates that the controller, while implementing the monitoring system, also omitted the requirements specified in Art. 25 GDPR.

Taking into account these circumstances, the Norwegian Data Protection Authority stated a violation of the mentioned GDPR regulations.

Appeal against record fine for GDPR violation in Poland dismissed

22. October 2020

On 10th September 2019 the Polish Data Protection Commissioner imposed a record fine in the amount of more than PLN 2,8 million or the equivalent of € 660.000 on the company Morele.net for violating the implementation of appropriate technical and organisational measures as well as the lack of verifiability of the prior consents to data processing. The Krakow-based company runs various online shops and stores customer data on a central database. According to the Personal Data Protection Office (UODO), there has been 2,2 million customers affected.

Starting point were especially two incidents at the end of 2018, when unauthorised persons got access to the customer database of the company and the contained personal data. The company notified the data breach to the UODO, which accused it particularly of violation of the confidentiality principle (Articles 5 (1) lit. f, 24 (1), 25 (1), 32 (1) lit. b, d, (2) GDPR) by failing to use sufficient technical and organisational measures to safeguard the data of its customers, such as a two-factor authentication. As claimed by the UODO, the selection of the authentication mechanism should always be preceded by an adequate risk analysis with a corresponding determination of protection requirements. The company did not adequately comply with this. However, it should have been sufficiently aware of the phishing risks as the Computer Emergency Response Team (CERT Polska) had already pointed it out.

In addition, the UODO accused the company of violation of the lawfulness, fairness, transparency and accountability principles (Articles 5 (1) lit. a, (2), 6 (1), 7 (1) GDPR) by not being able to prove that (where necessary) the personal data from installment applications had been processed on the basis of consents of data subjects. Furthermore, after a risk analysis, the company deleted the corresponding data from the database in December 2018, but according to the UODO, the deletion was not sufficiently documented.

When assessing the fine, there were many aspects which played a decisive role. Most of all, the extent of the violation (2,2 million customers) and the fact that the company processes personal data professionally in the course of its business activities and therefore has to apply a higher level of security. However, mitigating circumstances were also taken into account, such as the good cooperation with the supervisory authority, no previous ascertainable violations of the GDPR and no identifiable financial advantages for the company.

On 3rd September 2020, the Provincial Administrative Court (WSA) in Warsaw issued a judgment on Morele.net’s appeal against the decision. The WSA dismissed the appeal and considered that the decision on the fine imposed on the company was justified. Furthermore, the WSA stated that the UODO had correctly assessed the facts in the case concerned and considered that the fine imposed was high but within the limits of the law and justified by circumstances. It is expected that the company will lodge a complaint with the Supreme Administrative Court of Poland.

H&M receives record-breaking 35 Mio Euro GDPR Fine in Germany

21. October 2020

In the beginning of October, the Hamburg Data Protection Commissioner (“HmbBfDI”) imposed a record-breaking 35,258,707.95 Euro GDPR fine on the German branch of the Swedish clothing-retail giant H&M. It is the highest fine, based on a GDPR violation, a German Data Protection Authority has ever issued.

Since 2014, the management of the H&M service centre in Nuremberg extensively monitored the private lives of their employees in various ways. Following holidays and sick leaves of employees, team leaders would conduct so-called “Welcome Back Talks” in which they recorded employees’ holiday experiences, symptoms of illnesses and medical diagnoses. Some H&M supervisors gathered a broad data base of their employees’ private lives as they recorded details on family issues and religious beliefs from one-on-one talks and even corridor conversations. The recordings had a high level of detail and were updated over time and in some cases were shared with up to 50 other managers throughout the whole company. The H&M supervisors also used this Personal Data to create profiles of their employees and to base future employment decisions and measures on this information. The clandestine data collection only became known as a result of a configuration error in 2019 when the notes were accessible company-wide for a few hours.

After the discovery, the H&M executives presented the HmbBfDI a comprehensive concept on improving Data Protection at their Nuremberg sub-branch. This includes newly appointing a Data Protection coordinator, monthly Data Protection status updates, more strongly communicated whistleblower protection and a consistent process for granting data subject rights. Furthermore, H&M has apologised to their employees and paid the affected people a considerable compensation.

With their secret monitoring system at the service centre in Nuremberg, H&M severely violated the GDPR principles of lawfulness, fairness, and transparency of processing pursuant to Art. 5 no. 1 lit. a) and Art. 6 GDPR because they did not have a legal basis for collecting these Personal Data from their employees. The HmbBfDI commented in his statement on the magnitude of the fine saying that “the size of the fine imposed is appropriate and suitable to deter companies from violating the privacy of their employees”.

Privacy Activist Schrems unleashes 101 Complaints

21. September 2020

Lawyer and privacy activist Maximilian Schrems has become known for his legal actions leading to the invalidation of “Safe Harbor” in 2015 and of the “EU-U.S. Privacy Shield” this year (we reported). Following the landmark court decision on the “EU-U.S. Privacy Shield”, Schrems recently announced on the website of his NGO “noyb” (non-of-your-business) that he has filed 101 complaints against 101 European companies in 30 different EU and EEA countries with the responsible Data Protection Authorities. Schrems exercised the right to lodge a complaint with the supervisory authority that every data subject has if he or she considers that the processing of personal data relating to him or her infringes the Regulation, pursuant to Art. 77 GDPR.

The complaints concern the companies’ continued use of Google Analytics and Facebook Connect that transfer personal data about each website visitor (at least IP-address and Cookie data) to Google and Facebook which reside in the United States and fall under U.S. surveillance laws, such as FISA 702. Schrems also published a list of the 101 companies which include Sky Deutschland, the University of Luxembourg and the Cyprus Football Association. With his symbolic action against 101 companies, Schrems wanted to point to the widespread inactivity among many companies that still do not take the data protection rights of individuals seriously despite the recent ruling by the Court of Justice of the European Union.

In response, the European Data Protection Board (“EDPB”) has set up a “task force” to handle complaints against European companies using Google Analytics and Facebook services. The taskforce shall analyse the matter and ensure a close cooperation among the members of the Board which consists of all European supervisory authorities as well as the European Data Protection Supervisor.

South Africa’s Data Protection Act comes into force

9. July 2020

On July 1, 2020, South Africa’s Protection of Personal Information Act 2013 finally came into effect. The Act had been in planning for the last seven years, with parts of it already published in 2014, and will fully come into effect with oversight provisions in June 2021, allowing for a 12 months period to enable companies to become compliant with the new regulations.

Due to its long planning period, most companies already have organised compliancy. On the other side, a lot of businesses haven’t taken the necessary steps yet, as they have been waiting for the final push to see if the Act would even come into effect. Full enforcement will be enacted on July 1, 2021, giving those companies a countdown to become compliant.

The initial draft made in 2013 was mainly based on the EU Data Protection Directive 95/46/EC, with some changes for stricter provisions. The partial enforcement in 2014 allowed for the establishment of an Information Regulator in 2016, which has released Guidances in light of the future enforcement of the Act.

The right to privacy has been a fundamental right since 1996, and the act aims to promote the protection of personal data for any business processing personal information in South Africa. However, different from a lot of other Data protection Regulations around the world, the South African Protection of Personal Information Act also includes protection of the juristic person, such as companies, banks, trusts, etc.

One of the bigger changes in regards to South Africa’s previous handling of protection of personal data represents the obligation to notify a data breach to the authorities and, in some cases, to the data subjects. It also includes further requirements for international data transfers, as well as finally detailing data subjects’ rights.

German State Data Protection Commissioner imposes 1.2 million € GDPR fine

1. July 2020

The German State Data Protection Commissioner of Baden-Württemberg (“LfDI Ba-Wü”)  imposed a GDPR fine of 1.240.000€ on the German statutory health insurance provider AOK Baden-Württemberg (“AOK”). The fine was a result of the health insurance’s lack of technical and organisational measures pursuant to Art. 32 GDPR. It is the highest fine the LfDI Ba-Wü has ever imposed.

Between 2015 and 2019 the AOK organised lotteries on various occasions and collected personal data of the participants, including their contact details and current health insurance affiliations. The AOK wanted to use the data of the lottery participants for advertising purposes, insofar as the participants gave their consent to this. To ensure the security of processing, the AOK implemented internal guidelines and data protection training of their staff as technical and organisatioal measures. However, these measures were not sufficient to comply with Art. 32 GDPR because AOK staff used the personal data of more than 500 lottery participants for advertising purposes without their prior consent.

Following the investigation of the LfDI Ba-Wü, the AOK immediately stopped all marketing activities in order to revise their internal policies and processes against the GDPR. The LfDI Ba-Wü explained that in determining the extent of the fine, it considered the following mitigating factors:

  • the cooperation of the AOK with the Data Protection Authority,
  • the fact that the AOK as a statutory health insurance provider is an important part of the German healthcare system, and
  • the burdens of the current Corona-Pandemic on the healthcare system.

Finally, the Commissioner pointed out that technical and organisational measures must be regularly adjusted to the actual conditions of each processing activity, in order to ensure an adequate level of data protection in the long term.

EDPB releases new official register of Art. 60 GDPR decisions

29. June 2020

On 25 June 2020, the European Data Protection Board (“EDPB”) released a new register of final decisions by national European Data Protection Authorities (Supervisory Authorities) cooperating with one another pursuant to Art. 60 GDPR. The register provides access to the decisions themselves, summaries of the decisions in English, and information on the identity of the cooperating Lead Supervisory Authority and Concerned Supervisory Authorities.

The GDPR postulates that Supervisory Authorities have to cooperate in potential cases of GDPR violations that include cross-border data processing activities. During this cooperation, the Lead Supervisory Authority will be in charge of preparing the draft decision and involving the Concerned Supervisory Authorities, and will act as the sole interlocutor of the Controller or Processor (“One-Stop-Shop”-Principle), Art. 56 and Art. 60 GDPR.

To date, the new EDPB register contains 110 final decisions. The EDPB states in its announcement that ‘the register will be valuable to data protection practitioners who will gain access to information showcasing how SAs work together to enforce the GDPR in practice.’

DPA Liechtenstein published a description on the procedure for data protection inspections

24. June 2020

The Data Protection Authority of Liechtenstein (DPA) – Datenschutzstelle Fürstentum Liechtenstein –  recently published a description on the procedure for data protection inspections conducted by the DPA to provide transparent information on the process from the first contact until the completion of the audit.

The DPA distinguishes five kind of inspections:

  1. Investigations in individual cases on the basis of complaints or indications;
  2. Preventive or unprompted investigations in the form of data protection checks;
  3. Investigations at the request of a responsible person or processor;
  4. Investigations based on a legal mandate;
  5. Coordinated joint investigations.

According to the published statement the purpose of a data protection inspections is to assess the actual situation (current status) established by the reviewed organisation and, if necessary, to bring data processing activities into compliance with the GDPR or the DSG  in a specific way and within a specific period of time, in particular by giving instructions (target status).

The process depends on the individual case and the individual steps can be repeated or may be executed in a different order, but basically the process contains 6 steps:

  1. Contact and announcement;
  2. Document check;
  3. (optional);
  4. Audit report;
  5. Exercise of remedial powers and injunction;
  6. follow-up test.

The DPA also focuses on the accountability and cooperation obligations of the controller and explains which documents are usually requested and reviewed and which have an impact on the report.

Inter alia, the following documents are requested:

  • Records of Processing Activities;
  • Information of the Data Subjects;
  • Model consent form;
  • Information on Data Protection Trainings of employees;
  • Contracts regarding Data Processing on behalf;
  • Data Protection Impact Assessments.

Furthermore, the DPA also requests documents to be able to evaluate the effectiveness of the implemented technical and organisational measures, like:

  • Organization Chart;
  • Authorization Concept;
  • Confidentiality and Non Disclosure Agreements;
  • Data Deletion and Retention Concept.

To assess the current status, an evaluation scale is used to assess the degree of implementation of the respective measure. This ranges from ‘Not available’ to ‘Optimized’.

The duration of the assessment depends on the individual case and may take several months.

The statement is accessible in German only.

France’s supreme court, the Conseil d’État, restricts the CNIL’s Cookie Guidelines

22. June 2020

On June 19th, 2020, the French Conseil d’État has ordered the Commission Nationale de l’Informatique et des Libertés (CNIL) in a court decision to dismiss particular provisions made in its Guidelines on the subject of cookies and other tracers, which it published in 2019.

The Conseil d’État has received several complaints by businesses and professional associations, who turned to the supreme court in order to have the CNIL’s Guidelines refuted.

The main focus of the decision was the ban on cookie walls. Cookie walls are cookie consent pages which, upon declining consent to the processing of the cookies used for the website, deny the user access to the website. In their Guideline on cookies and other tracers from 2019, the CNIL had declared that such cookie walls were not in accordance with the principles of the General Data Protection Regulation (GDPR), causing a lot of businesses to appeal such a provision in front of the Conseil d’État.

In their decision on the matter, the Conseil d’État has declared that the CNIL, as only having suggestive and recommendatory competence in data protection matters, did not have the competence to issue a ban on cookie walls in the Guidelines. The Conseil d’État focused on the fact that the CNIL’s competence was only recommendatory, and did not have the finality to issue such a provision.

However, in its decision, the supreme court did not put to question whether the ban of cookie walls was in itself lawful or not. The Conseil d’État refrained from giving any substantive statement on the matter, leaving that question unanswered for the moment.

The Conseil d’État has further stated in its decision that in the case of the ability of data subjects to give their consent to processing activities, it is indeed necessary, in order to form free and informed consent, that the data subject is informed individually about each processing activity and its purpose before giving consent. However, business have the margin to decide if they collect the data subject’s consent througha one time, global consent with specifically individualized privacy policies, or over individual consent for each processing activity.

In the rest of its decision, the Conseil d’État has confirmed the remainder of the CNIL’s guidelines and provision on the matter as being lawful and applicable, giving the complainants only limited reason to rejoice.

Thailand postpones Enforcement of new Personal Data Protection Act

In response to the European General Data Protection Regulation (“GDPR”) becoming applicable in 2018, Thailand adopted its first-ever Personal Data Protection Act (“PDPA”) into law on 28 May 2019. As it is fashioned after the GDPR, the PDPA is built around principles that vastly align with the GDPR, especially in the areas of data protection principles, legal bases, and data subject rights. Originally, it was determined that the PDPA would start its applicability one year after its adoption, on 27 May 2020.

Now, the Thai Government has approved of a draft decree by the Ministry of Digital Economy and Society (“MDES”) to postpone the enforcement of most sections of the PDPA to 31 May 2021. The MDES explained that the reasons for delay are the current Corona pandemic and its strain on businesses, as well as many businesses not being prepared for PDPA compliance. Notably, Brasil also postponed the enforcement of its new Data Protecion Law (“LGPD”) for similar reasons (we reported).

The only sections of the PDPA that will be enforced as originally planned include the appointment of the Personal Data Protection Committee members and the establishment of the Office of the Personal Data Protection Committee. Whilst the delay allows companys more time to become PDPA compliant, the lack of enforcement regarding data subject rights in the meantime are a big concern of critics, especially in light of the recent adoption of Thailand’s controversial new cybersecurity law.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 Next
1 2 3 12