Tag: Art. 13 GDPR

EU Advocate General : Member States may allow consumer protection associations to bring representative actions against infringements of the protection of personal data

16. December 2021

On December 2nd, EU Advocate General Richard de la Tour published an opinion in which he stated that EU member states may allow consumer protection associations to bring representative actions against infringements of rights that data subjects derive directly from the General Data Protection Regulation (“GDPR”). In doing so, he agrees with the legal opinion of the Federation of the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations (“vzbv”)), which has filed an action for an injunction against Facebook in German courts for non-transparent use of data.

The lawsuit of the vzbv is specifically about third-party games that Facebook offers in its “App Center”. In order to play games like Scrabble within Facebook, users must consent to the use of their data. However, Facebook had not provided information about the use of the data in a precise, transparent and comprehensible manner, as required by Article 13 GDPR. The Federal Court of Justice in Germany (“Bundesgerichtshof”) already came to this conclusion in May 2020, but the Bundesgerichtshof considered it unclear whether associations such as the vzbv have the legal authority to bring data protection violations to court. It argues, inter alia, that it can be inferred from the fact that the GDPR grants supervisory authorities extended supervisory and investigatory powers, as well as the power to adopt remedial measures, that it is primarily the task of those authorities to monitor the application of the provisions of the Regulation. The Bundesgerichtshof therefore asked the Court of Justice of the European Union (“CJEU”) to interpret the GDPR. The Advocate General now affirms the admissibility of such an action by an association, at least if the EU member state in question permits it. The action for an injunction brought by the vzbv against Facebook headquarters in Ireland is therefore deemed admissible by the EU Advocate General.

The Advocate General states, that

the defence of the collective interests of consumers by associations is particularly suited to the objective of the General Data Protection Regulation of establishing a high level of personal data protection.  

The Advocate General’s Opinion is not legally binding on the CJEU. The role of the Advocate General is to propose a legal solution for the cases to the CJEUin complete independence. The judges of the Court will now begin their consultations in this case.

AEPD issues highest fine for GDPR violations

5. March 2021

The Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), imposed a fine of EUR 6.000.000 on CaixaBank, Spain’s leading retail bank, for unlawfully processing customers’ personal data and not providing sufficient information regarding the processing of their personal data. It is the largest financial penalty ever issued by the AEPD under the GDPR, surpassing the EUR 5.000.000 fine imposed on BBVA in December 2020 for information and consent failures.

In the opinion of the AEPD, CaixaBank violated Art. 6 GDPR in many regards. The bank had not provided sufficient justification of the legal basis for the processing activities, in particular with regard to those based on the company’s legitimate interest. Furthermore, deficiencies had been identified in the processes for obtaining customers’ consent to the processing of their personal data. The bank had also failed to comply with the requirements established for obtaining valid consent as a specific, unequivocal and informed expression of intention. Moreover, the AEPD stated that the transfer of personal data to companies within the CaixaBank Group was considered an unauthorized disclosure. According to Art. 83 (5) lit. a GDPR, an administrative fine of EUR 4.000.000 EUR was issued.

Additionally, the AEPD found that CaixaBank violated Art. 13, 14 GDPR. The bank had not complied with the information obligations since the information regarding the categories of personal data concerned had not been sufficient and the information concerning the purposes of and the legal basis for the processing had been missing entirely. What’s more, the information provided in different documents and channels had not been consistent. The varying information concerned data subjects’ rights, the possibility of lodging a complaint with the AEPD, the existence of a data protection officer and his contact details as well as data retention periods. Besides, the AEPD disapproved of the use of inaccurate terminology to define the privacy policy. Following Art. 83 (5) lit. b GDPR, a fine of EUR 2.000.000 was imposed.

In conclusion, the AEPD ordered CaixaBank to bring its data processing operations into compliance with the legal requirements mentioned within six months.