Tag: processing personal data

Poland: Addresses of judges, politicians and pro-life activists published on Twitter

12. November 2020

In recent days, social networks in Poland have teemed with posts containing private addresses and telephone numbers of judges of the Constitutional Tribunal, politicians and activists openly supporting the abortion sentence. In conjunction with the publication of the above on Twitter, the President of the Personal Data Protection Office (UODO) took immediate steps to protect the personal data and privacy of these persons.

Background to this was the judgement of the Constitutional Tribunal repealing the provisions allowing abortion in cases of, for example, serious genetic defects or severe impairment of the human fetus. This provoked resistance from a part of Polish society and led to a street revolution of “liberal” men and women. Unfortunately, the agitation turned into invectives, destruction of property, public disorder and personal arguments. As a result, personal data of people supporting the prohibition of abortion have been shared thousands of times on all social media too. For this reason, numerous protesters appeared at the indicated houses, covered the walls of the surrounding buildings with vulgar inscriptions, and the addressees began to receive packages, e.g. with a set of hangers.

On October 29th, 2020 the President of the UODO responded to the case:

Publishing private addresses and contact details of pro-life activists, politicians and judges by users of the Twitter social network is an action leading to the disclosure of a wide sphere of privacy, and thus posing threats to health and life, such as possible acts of violence and aggression directed against these people and their family members.

The announcement stated that the President of the UODO requested an immediate procedure by the Irish supervisory authority, which is responsible for the processing of personal data via Twitter. Pointing out the enormous scale of threats, he indicated the need to verify the response time to reported irregularities and the possibility of introducing automated solutions to prevent the rapid furtherance of such content by other portal users. He also notified the law enforcement authorities that Twitter users had committed a crime consisting in the processing of personal data without a legal basis. The lawfulness had neither been guaranteed by consent according to Art. 6 (1) lit. a GDPR nor legitimate interests pursuant to Art. 6 (1) lit. f GDPR or any other legal basis. Thus, the processing has to be seen as illegitimate as also stated by the President of the UODO. The law enforcement authorities will be obliged to examine and document both the scope of personal data disclosed in a way that violates the principles of personal data protection and to determine the group of entities responsible for unlawful data processing. The President of the UODO also applied to the Minister of Justice – Public Prosecutor General for placing this case under special supervision due to the escalation of conflict and aggression, which pose a high risk of violating the life interests of both people whose data is published on social media and their family members.

In conclusion, the President of the UODO added:

The intensification of actions of all competent authorities in this matter is necessary due to the unprecedented nature of the violations and the alarming announcements of disclosing the data of more people, as well as the deepening wave of aggression.

Experian to appeal ICO’s decision regarding handling of personal data

29. October 2020

On October 27th, 2020 the Information Commissioner’s Office (ICO) issued an enforcement notice against the credit reference agency Experian Limited, ordering it to make fundamental changes to how it handles personal data related to its direct marketing services in the United Kingdom.

An ICO investigation found that at the three largest credit reference agencies (CRAs) in the UK significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. Experian, Equifax and TransUnion, were ‘trading, enriching and enhancing’ people’s personal data without their knowledge to provide direct marketing services. The data was used by commercial organisations, political parties for political campaigning, or charities for their fundraising campaigns. Some of the CRAs were also using profiling to generate new or previously unknown information about people.

While Equifax and TransUnion made adequate improvements to their marketing practices, the ICO found Experian’s efforts to be insufficient and the processing of personal data to remain non-compliant with the data protection law. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or it will face financial penalties under the GDPR.

Experian is going to appeal the decision by the ICO regarding the notice over data protection failures. In a statement, the Chief Executive Officer Brian Cassin said:

We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.

We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.

 

 

Decision to fine the Norwegian Public Roads Administration

23. October 2020

The Norwegian Data Protection Authority (Datatilsynet) has issued the Norwegian Public Roads Administration (Statens vegvesen) a fine of EUR 37.400 (NOK 400.000) for improprieties related to the use of the monitoring system installed on toll ways in Norway. They concerned processing personal data for purposes that were noncompliant with the originally stated and for not erasing video recordings after 7 days from their registration.

The penalized entity is the controller of a system processing personal data obtained from the area of ​​toll roads in Norway. This system records personal data which especially enable the identification of vehicles (and hence their owners) that pass through public toll stations. The primary purpose of processing these personal data was to ensure safety on public roads and to optimize the operation of the tunnel and drawbridges in the county Østfold. The Norwegian Public Roads Administration however, used the recordings particularly in order to document improper fulfilments of concluded contracts by certain subjects. According to the Norwegian Data Protection Authority, such procedure is unlawful and not compliant with the originally stated purposes.

The Norwegian Public Roads Administration was also accused of infringements related to deletion of personal data in due time. In accordance with Norwegian regulations, recordings from monitoring (and thus personal data) may be stored until the reason for its storage ceases, but no longer than 7 days from recording the material. In the course of proceedings it turned out that the monitoring system did not have the function of deleting personal data at all. Therefore, the Norwegian Public Roads Administration was not able to fulfil its obligation according to Art. 17 GDPR. The lack of this functionality additionally indicates that the controller, while implementing the monitoring system, also omitted the requirements specified in Art. 25 GDPR.

Taking into account these circumstances, the Norwegian Data Protection Authority stated a violation of the mentioned GDPR regulations.