Category: General Data Protection Regulation

CNIL publishes model regulation on access control through biometric authentication at the workplace

9. April 2019

The French data protection authority CNIL has published a model regulation which regulates under which conditions devices for access control through biometric authentication may be introduced at the workplace.

Pursuant to Article 4 paragraph 14 of the General Data Protection Regulation (GDPR), biometric data are personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical processes, which enable or confirm the unambiguous identification of that natural person. According to Article 9 paragraph 4 GDPR, the member states of the European Union may introduce or maintain additional conditions, including restrictions, as far as the processing of biometric data is concerned.

The basic requirement under the model regulation is that the controller proves that biometric data processing is necessary. To this end, the controller must explain why the use of other means of identification or organisational and technical safeguards is not appropriate to achieve the required level of security.

Moreover, the choice of biometric types must be specifically explained and documented by the employer. This also includes the justification for the choice of one biometric feature over another. Processing must be carried out for the purpose of controlling access to premises classified by the company as restricted or of controlling access to computer devices and applications.

Furthermore, the model regulation of the CNIL describes which types of personal data may be collected, which storage periods and conditions apply and which specific technical and organisational measures must be taken to guarantee the security of personal data. In addition, CNIL states that before implementing data processing, the controller must always carry out an impact assessment and a risk assessment of the rights and freedoms of the individual. This risk assessment must be repeated every three years for updating purposes.

The data protection authority also points out that the model regulation does not exempt from compliance with the regulations of the GDPR, since it is not intended to replace its regulations, but to supplement or specify them.

German Court’s Decision on the Right of Access

Just recently, a German Labour Court (LAG Baden-Württemberg) has decided on the extent of Article 15 of the European General Data Protection Regulation (GDPR) with regard to the information that is supposed to be handed out to the data subject in case such a claim is made.

The decision literally reflects the wording of Art. 15 (1) GDPR which, amongst other things, requires information on

  • the purposes of data processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • where the personal data are not collected from the data subject, any available information as to their source.

In contrast to the previous views of the local data protection authorities, which – in the context of information about recipients of personal data – deem sufficient that the data controller discloses recipient categories, the LAG Baden-Württemberg also obliged the data controller to provide the data subject with information about each individual recipient.

In addition, the LAG Baden-Württemberg ordered the data controller to make available to the data subject a copy of all his personal performance data. However, the court did not comment on the extent of copies that are to be made. It is therefore questionable whether, in addition to information from the systems used in the company, copies of all e-mails containing personal data of the person concerned must also be made available to the data subject.

Since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it remains to be seen whether such an approach will still be valid after a Federal Labour Court decision.

Dutch DPA published update on policy on administrative fines

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.

In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.

The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:

  • the nature, the seriousness and duration of the violation,
  • the number of data subjects affected,
  • the extent of the damage and of the data compromised,
  • the intentional or negligent nature of the violation,
  • the measures adopted to mitigate the damages,
  • the measures that were implemented to ensure compliance with the GDPR, including information security measures,
  • prior violations,
  • the level of cooperation with the DPA,
  • the types of data involved,
  • how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
  • adherence to approved codes of conduct an certification mechanisms,
  • any other applicable aggravating or mitigating factors.

The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.

Advocate General: No Valid Cookie Consent When Checkbox Is Pre-ticked

25. March 2019

On 21 of March Maciej Szpunar, Advocate General of the European Court of Justice, delivered his Opinion in the case of Planet24 GmbH against Bundesverband Verbraucherzentralen und Vebraucherverbände – Verbaucherzentrale Bundesverband e.V. (Federal Association of Consumer Organisations). In the Opinion, Szpunar explains how to obtain valid consent for the use of cookies.

In the case in question, Planet24 GmbH has organised a lottery campaign on the internet. When registering to participate in the action lottery, two checkboxes appeared. The first checkbox, which did not contain a pre-selected tick, concerned permission for sponsors and cooperation partners to contact the participant in order to inform him of their offers. The second checkbox, which was already ticked off, concerned the consent to the setting of cookies, which evaluate the user’s surfing and usage behaviour.

The Federal Association held that the clauses used infringed german law, in particular Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG and filed a lawsuit in 2014 after an unsuccessful warning.

In the course of the instances, the case ended up at the German Federal Supreme Court in 2017. The German Federal Court considers that the success of the case depends on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679. For that reason, it asked the European Court of Justice the following questions for a preliminary ruling:

(1) Does consent given on the basis of a pre-ticked box meet the requirements for valid consent under the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the GDPR)?

(2) What information does the service provider have to provide to the user and does this include the duration of the use of cookies and whether third parties have access to the cookies?

According to the Advocate General, there is no valid consent if the checkbox is already ticked. In such case, the user must remove the tick, i.e. become active if he/she does not agree to the use of cookies. However, this would contradict the requirement of an active act of consent by the user. It is necessary for the user to explicitly consent to the use of cookies. Therefore, it is also not sufficient if one checkbox is used to deal with both the use of cookies and participation in the action lottery. Consent must be given separately. Otherwise the user is not in the position to freely give a separate consent.

In addition, Szpunar explains that the user must be provided with clear and comprehensive information that enables the user to easily assess the consequences of his consent. This requires that the information provided is unambiguous and cannot be interpreted. For this purpose, the information must contain details such as the duration of the operation of cookies, as well as whether third parties have access to the cookies.

Dutch DPA: Cookie walls do not comply with GDPR

11. March 2019

The Dutch data protection authority, Autoriteit Persoonsgegevens, clarified on 7th of March 2019 that the use of websites must remain accessible when tracking cookies are not accepted. Websites that allow users to access only if they agree to the use of tracking cookies or other similar means to track and record their behavior do not comply with the General Data Protection Regulation, GDPR.

The Dutch DPA’s decision was prompted by numerous complaints from website users who no longer had access to the websites after refusing the usage of tracking cookies.

The Dutch DPA noted that the use of tracking software is generally allowed. Tracking the behaviour of website users, however, must be based on sufficient consent. In order to be compliant with the GDPR, permission must be given freely. In the case of so-called cookie walls the user has no access to the website if he does not agree to the setting of cookies. In this way, pressure is exerted on the user to disclose his personal data. Nevertheless, according to the GDPR a consent has not been given voluntarily if no free or no real choice exists.

With publication of the explanation the Dutch DPA demands organizations to make their practice compliant with the GDPR. The DPA has already written to those organisations about which the users have complained the most. In addition, it announced that it would intensify its monitoring in the near future in order to examine whether the standard is applied correctly in the interest of data protection.

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

Austria: Deletion does not necessarily mean destruction

12. February 2019

Article 17 of the General Data Protection Regulation (GDPR) stipulates the data subject the right to erasure, also called right to be forgotten. The Austrian Data Protection Authority decided that the right to erasure not necessarily mean destruction of the stored data. According to the Authority anonymization may be sufficient.

The decision is based on a complaint of an Austrian who request his former insurance company to delete all stored data. The insurance company deleted his e-mail address and phone number as well as insurance offers and stopped all advertising. However, name and address of the data subject were anonymized and the insurance company told the data subject that the data would be destructed in March 2019.

The Austrian Data Protection Authority proved the company right. According to Art. 4 Nr. 2 GDPR the company can choose whether it deletes or destructs the stored data, it only had to “be ensured that neither the person responsible himself nor a third party can restore a personal reference without disproportionate effort”, explained the Authority.

GDPR in numbers

6. February 2019

The European Commission lately posted an infographics about the impact of the General Data Protection Regulation (GDPR) since its entering into force on May 25, 2018. The graphic looks at complying, enforcement and awareness of the GDPR. It illustrates inter alia that:

  • In total 95.180 complaints to Data Protection Authorities came from individuals who believe their rights under GDPR have been violated. Most of the complaints were related to CCTV, telemarketing or promotional e-mails.
  • Until January, the number of notifications of data breaches has increased up to 41.502. The data controllers have to notify data breaches within 72 hours to their national supervisory authority.
  • Data Protection Authorities have initiated 225 investigations in cross border cases.
  • In Europe, 23 countries have adopted their national data protection law since the GDPR came into force. Bulgaria, Greece, Slovenia, Portugal and Czech Republic are still in progress doing so.
  • So far, three fines have been issued under GDPR. In Germany, a social network operator was fined € 20.000 for not securing its users data. In France, Google was fined € 50 million for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization (we reported) and in Austria, a sports betting café was fined € 5.280 for unlawful video surveillance.

Aetna to pay fine for HIV privacy breach

31. January 2019

Healthcare insurer Aetna will have to pay a 935,000$ fine after letters had been sent to nearly 12.000 patients in 2017, disclosing highly sensitive information on the windows of the envelopes.

The information revealed that the recipients were taking HIV-related medications.

In addition, the insurance company will have to complete privacy risk assessments annualy for three years.

The patients have received compensation through a private class action settlement.

 

Pages: Prev 1 2 3 4 5 6 7 8 9 Next
1 2 3 4 9