EDPS investigates into contractual agreements between EU institutions and Microsoft

10. April 2019

The European Data Protection Supervisor (EDPS) is the supervisory authority for all EU institutions and therefore responsible for their compliance with data protection laws. It is currently investigating the compliance of contractual agreements between EU institutions and Microsoft as the different institutions use Microsoft products and services to conduct their day-to-day businesses including the processing of huge amounts of personal data.

The EDPS refers to a Data Processing Impact Assessment carried out last November by the Dutch Ministry of Justice and Security (we reported) in which they concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them.

Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”

The investigation should reveal which products and systems are used right now and whether the existing contractual agreements are compliant with current Data Protection Laws, especially the GDPR.

Category: EU · GDPR · General
Tags: ,

CNIL publishes model regulation on access control through biometric authentication at the workplace

9. April 2019

The French data protection authority CNIL has published a model regulation which regulates under which conditions devices for access control through biometric authentication may be introduced at the workplace.

Pursuant to Article 4 paragraph 14 of the General Data Protection Regulation (GDPR), biometric data are personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical processes, which enable or confirm the unambiguous identification of that natural person. According to Article 9 paragraph 4 GDPR, the member states of the European Union may introduce or maintain additional conditions, including restrictions, as far as the processing of biometric data is concerned.

The basic requirement under the model regulation is that the controller proves that biometric data processing is necessary. To this end, the controller must explain why the use of other means of identification or organisational and technical safeguards is not appropriate to achieve the required level of security.

Moreover, the choice of biometric types must be specifically explained and documented by the employer. This also includes the justification for the choice of one biometric feature over another. Processing must be carried out for the purpose of controlling access to premises classified by the company as restricted or of controlling access to computer devices and applications.

Furthermore, the model regulation of the CNIL describes which types of personal data may be collected, which storage periods and conditions apply and which specific technical and organisational measures must be taken to guarantee the security of personal data. In addition, CNIL states that before implementing data processing, the controller must always carry out an impact assessment and a risk assessment of the rights and freedoms of the individual. This risk assessment must be repeated every three years for updating purposes.

The data protection authority also points out that the model regulation does not exempt from compliance with the regulations of the GDPR, since it is not intended to replace its regulations, but to supplement or specify them.

German Court’s Decision on the Right of Access

Just recently, a German Labour Court (LAG Baden-Württemberg) has decided on the extent of Article 15 of the European General Data Protection Regulation (GDPR) with regard to the information that is supposed to be handed out to the data subject in case such a claim is made.

The decision literally reflects the wording of Art. 15 (1) GDPR which, amongst other things, requires information on

  • the purposes of data processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • where the personal data are not collected from the data subject, any available information as to their source.

In contrast to the previous views of the local data protection authorities, which – in the context of information about recipients of personal data – deem sufficient that the data controller discloses recipient categories, the LAG Baden-Württemberg also obliged the data controller to provide the data subject with information about each individual recipient.

In addition, the LAG Baden-Württemberg ordered the data controller to make available to the data subject a copy of all his personal performance data. However, the court did not comment on the extent of copies that are to be made. It is therefore questionable whether, in addition to information from the systems used in the company, copies of all e-mails containing personal data of the person concerned must also be made available to the data subject.

Since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it remains to be seen whether such an approach will still be valid after a Federal Labour Court decision.

Dutch DPA published update on policy on administrative fines

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), announced an update on its policy regarding administrative fines.

In addition to the Dutch GDPR implementation law the published policy provides insides on how the Dutch DPA will use its fining powers. According to the policy the DPA differentiats three or four categories of infringements. Each infringement is fined with a basic fine and a specific penalty bandwidth.

The DPA calculates the fine in two steps. First the basic fine is applied, second the basic fine is increased or decreased according to the classification to the different categories. Various aspects are included in the calculation of the fine, such as:

  • the nature, the seriousness and duration of the violation,
  • the number of data subjects affected,
  • the extent of the damage and of the data compromised,
  • the intentional or negligent nature of the violation,
  • the measures adopted to mitigate the damages,
  • the measures that were implemented to ensure compliance with the GDPR, including information security measures,
  • prior violations,
  • the level of cooperation with the DPA,
  • the types of data involved,
  • how the DPA became aware of the violation, including whether (and if so, to what extent) the data controller or processor reported the violation,
  • adherence to approved codes of conduct an certification mechanisms,
  • any other applicable aggravating or mitigating factors.

The maximum amount in general is €1.000.000,00, but the fine can be higher in case the Dutch DPA decides that the calculated maximum amount is inappropriate in the particular case.

Poland: First GDPR-fine imposed

29. March 2019

The President of the Polish Supervisory Authority (Personal Data Protection Office, UODO) imposed the first fine for the amount of PLN 943,000, which is around € 220,000.

A Warsaw-based company received this fine for not being compliant with GDPR, particularly for failure to meet the information obligation of Article 14. The fined company commercially processes data from more than six million entrepreneurs, which it obtained from publicly available sources, such as the Central Electronic Register and Information on Economic Activity (CEIDG). The company’s database is often used by banks to verify the creditworthiness of the data subjects. According to the Polish Authority, the company did not provide the data subjects with the information requested in Art. 14 para 1-3 GDPR (e.g. the source of their data, the purpose of the data processing, the data subject’s rights under GDPR), hence the data subjects had no possibility to object to further processing of their data or to request their rectification or erasure.

Out of the six million data subjects only 90 000 were informed by the company via e-mail (more than 12 000 of them objected to the processing of their data). For the remaining subjects (whose e-mails were unknown) the company only presented the information clause on its website and therefore failed to comply with Art. 14 GDPR.

“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, said Dr Edyta Bielak-Jomaa, President of UODO. The company claimed that information by registered mail would be associated with disproportionate costs and thus relies on the vaguely worded exception of Art. 14 (5) GDPR, which states that the provision of such information proves impossible or would involve a disproportionate effort. The supervisory authority however, finds this explanation insufficient as they could have called the data subjects or inform them by regular mail.

Advocate General: No Valid Cookie Consent When Checkbox Is Pre-ticked

25. March 2019

On 21 of March Maciej Szpunar, Advocate General of the European Court of Justice, delivered his Opinion in the case of Planet24 GmbH against Bundesverband Verbraucherzentralen und Vebraucherverbände – Verbaucherzentrale Bundesverband e.V. (Federal Association of Consumer Organisations). In the Opinion, Szpunar explains how to obtain valid consent for the use of cookies.

In the case in question, Planet24 GmbH has organised a lottery campaign on the internet. When registering to participate in the action lottery, two checkboxes appeared. The first checkbox, which did not contain a pre-selected tick, concerned permission for sponsors and cooperation partners to contact the participant in order to inform him of their offers. The second checkbox, which was already ticked off, concerned the consent to the setting of cookies, which evaluate the user’s surfing and usage behaviour.

The Federal Association held that the clauses used infringed german law, in particular Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG and filed a lawsuit in 2014 after an unsuccessful warning.

In the course of the instances, the case ended up at the German Federal Supreme Court in 2017. The German Federal Court considers that the success of the case depends on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679. For that reason, it asked the European Court of Justice the following questions for a preliminary ruling:

(1) Does consent given on the basis of a pre-ticked box meet the requirements for valid consent under the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the GDPR)?

(2) What information does the service provider have to provide to the user and does this include the duration of the use of cookies and whether third parties have access to the cookies?

According to the Advocate General, there is no valid consent if the checkbox is already ticked. In such case, the user must remove the tick, i.e. become active if he/she does not agree to the use of cookies. However, this would contradict the requirement of an active act of consent by the user. It is necessary for the user to explicitly consent to the use of cookies. Therefore, it is also not sufficient if one checkbox is used to deal with both the use of cookies and participation in the action lottery. Consent must be given separately. Otherwise the user is not in the position to freely give a separate consent.

In addition, Szpunar explains that the user must be provided with clear and comprehensive information that enables the user to easily assess the consequences of his consent. This requires that the information provided is unambiguous and cannot be interpreted. For this purpose, the information must contain details such as the duration of the operation of cookies, as well as whether third parties have access to the cookies.

The EU Commission fined Google 1.49 billion euros regarding antitrust case

21. March 2019

On Wednesday Google was fined 1.49 billion euros by the European Commission in connection with hindering competitors in the online advertising business.

The accusation is that Google has illegally made use of its market dominance.The company inflicted a number of exclusivity clauses in contracts with third-party websites which prevented the company’s competitors from positioning their search adverts on these websites. This concerns a small area in Google’s “advertising machinery”. But still, as a result, other advertisers and website owners “had less choice and likely faced higher prices that would be passed on to consumers,” claimed the EU’s competition commissioner, Margrethe Vestager.

In the last two years, this represents the third time that Europe’s antitrust regulators, lead by Danish competition commissioner Margarethe Vestagers, fined the tech company. Google has appealed against the two previous fines. The first fine (2.42 billions euros) was for manipulating online shopping results and directing visitors to its comparison-shopping service at the expense of its contestants. The second one amounting to 4.34 billion euros concerned mobilephone producers that were forced to use Google’s Android operating system to install the company’s search and browser apps.

Category: EU · EU Commission · European Union · General
Tags:

Cookiebot publishes „Ad Tech Surveillance on the Public Sector Web“

20. March 2019

The website Cookiebot recently published a report of its “Ad Tech Surveillance on the Public Sector Web”. They used their scanning technology to analyse tracking across official government websites and public health service websites in all 28 European Union member states. More than 100 advertising technology companies track EU citizens who visit those public sector websites by gaining access through free third-party services such as video plug-ins and social sharing buttons.

Said ad trackers were found on 25 out of the 28 official government websites in the EU. Only the Dutch, German and the Spanish websites had no commercial trackers. Most of them were found on the French website (52 trackers) followed by the Latvian website (27 trackers).

Cookiebot also investigated the tracking on Public Health Service Sites and found out that 52% of landing pages with health information contained ad trackers. The worst ranked one was the Irish health service with 73% of landing pages containing trackers. The lowest ranked country – Germany – still hat one third of its landing pages held trackers.

Those trackers got in via free third-party website plugins. For example, Ireland’s public health service (Health Service Executive (HSE)) installed the sharing tool ShareThis, which is like a Trojan horse that releases more than 20 ad tech companies into every Website it’s installed on.

Most of the tracking tools are controlled by Google. It controls the top three domains found and therefore tracks the visits to 82% of the main government websites of the EU. A complete list of all the trackers can be find in the published report.

Draft of a new data protection law in Thailand

15. March 2019

Thailand’s National Legislative Assembly approved and endorsed a draft of a new data protection law called Personal Data Protection Act (PDPA).The legislative process will be completed within the next weeks. The process includes that the draft will be submitted for royal endorsement and publicated in the Government Gazette.

The draft provides a one year period for implementation of the new requirements. This grace period should help the business operaters to prepare and implement the new obligations.

The draft of the PDPA has followed and replicated the provisions of the European General Data Protection Regulation (GDPR) to demonstrate that Thailand has an adequate level of data protection. This is necessary for the adoption of an adequacy decision of the European Commission. The adequacy decision requires that the exchange of personal data is based on strong safeguards in regard of EU standards. In case the  European Commission adopts an adequacy decision, as they recently did with Japan, the data flows to Thailand as a third country in terms of the GDPR will be much easier for European companies.

GPEN publishes annual Sweep

14. March 2019

On May 9th, 2019, the „GPEN“(„Global Privacy Enforcement Network“) shared its “2018 Sweep”, an annual intelligence gathering that looked at how well organisations have implemented data privacy accountability into their internal privacy policies and programmes.

GPEN is a global network of more than 60 data protection agencies. The 2018 Sweep was a collaboration between  New Zealand’s (New Zealand Office of the Privacy Commissioner, “OPC”) and  UK’s (UK Information Commissioner’s Office, “ICO”) data protection authorities and was carried out by several data protection authorities across the globe.

The participating authorities reached out to 667 companies with a set of pre-determined questions that focus on key elements of responsible data protection. Those elements were:

  • The importance of internal policies and procedures for data governance;
  • Training and awareness;
  • Transparency about data practices;
  • The assessment and mitigation of risk;
  • Incident Management.

Of the 667 organisations contacted, only 53% (356) provided substantive responses and a large point of those had appointed an individual or a team to ensure compliance with relevant data protection regulations.

The 2018 Sweep shows that many organisations are quite good at providing data protection training to their employees but companies have to ensure that those training are offered to all employees and happen on a regular basis. It was also found that several organisations have processes in place on how to deal with data subject complaints and how to handle data breaches.

Overall, most organisations are aware of data protection and have a good understanding of it. Nevertheless, they have to make sure that they have clear policies and procedures in place and monitor their performance regarding the relevant laws and regulations.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 32 33 34 Next
1 2 3 4 34