Tag: Art. 28 GDPR
29. July 2021
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of 400,000 € on the U.S.-based biotechnology corporation Monsanto Company for contravention of Article 14 GDPR regarding the information of data subjects about the collection of their personal data and Article 28 GDPR concerning contractual guarantees which lay down relations with a data processor.
In May 2019, several media outlets revealed that Monsanto was in possession of a file containing personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers). The investigations carried out by the CNIL disclosed that the information had been collected for lobbying purposes. The individuals named on this “watch list” were Monsanto’s opponents and critics from several European countries, meant to be “educated” or “monitored”. This strategy should have influenced the debate and public opinion on the renewal of the authorization of glyphosate in Europe, a controversial active substance contained in Monsanto’s best-known product for weed control. The reason for the still current scientific controversy is the causation of diseases by glyphosate, most notably cancer.
The file included, for each of the individuals, personal data such as organization, position, business address, business phone number, cell phone number, business email address, and in some cases Twitter accounts. In addition, each person was given a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues such as pesticides or genetically modified organisms.
It should be noted that the creation of contact files by stakeholders for lobbying purposes is not illegal per se. While it is not necessary to obtain the consent of the data subjects, the data have to be lawfully collected and the individuals have to be informed of the processing.
In imposing the penalty, the CNIL considered that Monsanto had failed to comply with the provisions of the GDPR by not informing the data subjects about the storage of their data, as required by Article 14 GDPR. In addition, none of the exceptions provided in Article 14 para. 5 GDPR were applicable in this case. The data protection authority stressed that the aforementioned obligation is a key measure under the GDPR insofar as it allows the data subjects to exercise their other rights, in particular the right to object.
Furthermore, Monsanto violated its obligations under Article 28 GDPR. As a controller, the company was required to establish a legal framework for the processing carried out on its behalf by its processor, in particular to provide data security guarantees. However, in the CNIL’s opinion, none of the contracts concluded between the two companies complied with the requirements of Article 28 para. 4 GDPR.
6. July 2020
On June 30th, 2020, the Vienna Regional Court passed judgement in the case of Max Schrems against Facebook Ireland Limited, in the case number 3 Cg 52/14k-91 (in German). In the following, we will be presenting the case and the court’s judgement.
Facts of the case
In the years 2011, 2012, 2013, 2015 and 2019, the plaintiff submitted requests for information in accordance with Art. 15 GDPR. The defendant initially responded to these requests with an 18-page pdf file dated 09.06.2011 and a CD with further pdf files of 1,222 A4 pages. Despite the information provided, the plaintiff felt that his rights as stated by the GDPR had been violated, as none of the consecutive requests had been answered. From his point of view, the information provided was neither sufficient in terms of content nor was the number of responses in relation to the number of requests made sufficient for him.
Furthermore, the plaintiff was concerned by the data processing by third parties, about which he received no clear information. He also stated that he was “Controller” in the sense of the GDPR. The defendant had not fulfilled the resulting requirements, as Data Processor, of concluding a Data Processing Agreement with the plaintiff. Finally, the defendant had violated Art. 9 GDPR by failing to obtain consent in respect of his interests and further sensitive data, for which the plaintiff demanded injunction for future data processing.
Guiding principles of the judgement
The Regional Court judged on the following guiding principles in the case:
- the defendant must provide the plaintiff with complete information in writing and free of charge within fourteen days about all personal data of the plaintiff processed by it, stating the exact origin and, if applicable, the exact recipients of the data,
- and pay the applicant the sum of EUR 500 in damages within fourteen days.
Reason for decision
The regional court’s guiding principles on the case were the only points in the plaintiff’s claim in which they judged in his favour. The court has stated that the tools used and information given by the defendant to inform the plaintiff about the processed personal data is not enough to meet the requirements of Art. 15 GDPR’s right of access. This results in a lack of control of the plaintiff over his own personal data, which goes against his fundamental right to data privacy. Therefore, the court has ruled damages in the sum of EUR 500 as adequate compensation for the infringement of Mr. Schrems’ privacy.
Regarding Mr. Schrems’ other points, the court ruled that because the plaintiff uses the Facebook platform in light of private/family activities, he cannot be a Controller of the processed personal data due to the fact that according to Art. 2 II lit.c GDPR, the regulation does not apply to him. This also applies to social media and online networks, as mentioned in Recital 18. Therefore, Facebook is not a Data Processor in the terms of those private activities and purposes, which negates the requirement of a Data Processing Agreement according to Art 28 GDPR.
Further, the court sees no sensitive data in the lines of Art. 9 GDPR to be at risk. In light of the personalisation of the platform, such as personalized ads and suggestions, the court stated that this belongs to the core of the defendant’s business activities. As such, there is no consent needed, as the defendant states that the processing of the data is for the purpose of a contract. The plaintiff, according to the court, has entered into such a contract knowing of the terms of service and on his own behalf in order to use the platform’s services. An injunction regarding the future processing of such personal data is therefore not to be applied.
Assessment
Overall, the Regional Court’s judgement has only a minimal practical relevance, as it is hard to fully assess the consequences of the passed judgement. One can neither say how the conduct will affect the future management of the company, nor is it certain whether the judgement will even become final in the first place. However, the plaintiff has already announced on NOYB’s homepage that he will lodge an appeal, and it therefore will remain to be seen what practical relevance can be drawn from the case in the future.
10. January 2020
To date, the Polish Data Protection Authority (DPA) have issued 134 decisions and imposed GDPR fines in 5 cases. In 4 cases, the Polish DPA fined private companies and in one case, it fined a public institution.
The fines for the companies ranged from 13.000€ to 645.000€. Reasons for the fines were failures in protecting personal data on websites resulting in the unauthorised access of personal data, inadequate technical and organisational measures, and an insufficient fulfilment of information obligations according to Art. 14 GDPR.
It is also noteworthy that the Polish DPA has imposed a 9.350€ fine on the Mayor of a Polish small town. Under Art. 83 (7) GDPR, each member state of the EU may lay down rules on whether and to what extent administrative fines may be imposed on public authorities. The Polish legislators decided that non-compliant public authorities may receive a GDPR fine of up to 23.475€.
The Mayor received the GDPR fine since he failed to conclude a data processing agreement with the entities to which he transferred data in violation of Art. 28 (3) GDPR. Moreover, the Mayor violated the principle of storage limitation, the principles of integrity and confidentiality, the principle of accountability and furthermore kept an incomplete record of processing activities.
Recently, the Polish DPA also published the EU Project T4DATA’s Handbook for Data Protection Officers (DPO) in order to help define a DPO’s role, their competencies and main responsibilities.
