European Data Protection Board

Polish DPA: Withdrawal of consent shall not be impeded

The President of the Personal Data Protection Office imposed an administrative fine of over PLN 201,000 for, inter alia, obstructing the exercise of the right to withdraw consent to the processing of personal data.

The company, ClickQuickNow Sp. z o.o., did not implement appropriate technical and organisational measures that would enable easy and effective withdrawal of consent to the processing of personal data and the exercise of the right to obtain the erasure of personal data (the "right to be forgotten"). It thereby violated the principles of lawfulness, fairness and transparency of the processing of personal data laid down in the GDPR.

The President of the Personal Data Protection Office (PDPO) found that the company's actions were also inconsistent with Article 7(3) of the GDPR. The company did not take into account the principle that withdrawal of consent should be as easy as giving consent - on the contrary, it applied complicated organisational and technical solutions with regard to the withdrawal of consent. Moreover, the company did not facilitate the exercise of the subject rights, as required by Article 12(2) of the GDPR.

The proceedings of the President of the PDPO established that the company violated the above-mentioned provisions of the GDPR because its consent withdrawal mechanism, which relied on a link included in the commercial information, did not result in a quick withdrawal. After the link was activated, the messages addressed to the person wishing to withdraw consent were misleading. Moreover, the company required the person to state a reason for withdrawing consent, which the law does not require, and failure to give a reason caused the withdrawal process to be discontinued.

In his decision, the President of the PDPO also pointed out that the company processed, without any legal basis, the data of data subjects, who are not its customers and from whom the company received objections to processing their personal data. Thus, it also violated the so-called "right to be forgotten".

When determining the amount of the administrative fine, the President of the PDPO did not take into account any mitigating circumstances affecting the final penalty. He also decided that the company's action was intentional - providing contradictory communications to the data subject interested in withdrawing consent resulted in an ineffective withdrawal of consent. In this way, the company made it difficult, or even impossible, to exercise the rights of the data subjects.

The President of PDPO not only imposed an administrative fine on the company, but also ordered it to adjust the process of processing requests for withdrawing consent to data processing to the provisions of the GDPR. ClickQuickNow Sp. z o.o. has 14 days from the date of delivery of the decision to comply with the decision. The company must also delete the data of data subjects who are not its customers and objected to processing the personal data concerning them.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl 

The Romanian Supervisory Authority fines Artmark Holding SRL

Fine pursuant to Law no. 506/2004

The National Supervisory Authority has finalised an investigation of the controller Artmark Holding SRL and found that it infringed the provisions of Article 13 paragraph (1) letter q) of Law no. 506/2004, in conjunction with Article 13 paragraph (5) of Law no. 506/2004 and with Article 7 of Government Ordinance no. 2/2001.

The controller Artmark Holding SRL was sanctioned with a fine in the amount of 10,000 lei.

The sanction was applied to the controller because it did not prove that it obtained the express and unequivocal prior consent for the transmission of commercial messages by e-mail, in violation of the provisions regarding the unsolicited communications provided by Article 13 paragraph (1) letter q) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

In this context, the company was recommended to take the necessary measures to comply with the provisions of Article 12 of Law no. 506/2004, for sending commercial messages through electronic means of communication only with the express prior consent of the recipients.

Pursuant to Article 12 paragraph (1) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, it is prohibited to carry out commercial communications by using automatic call and communication systems that do not require the intervention of a human operator, by fax or e-mail or by any other means that use electronic communications services for the public, unless the subscriber or user concerned has previously expressed his/her express consent to receive such communications.

The National Supervisory Authority imposed the sanction as a result of a petition claiming that the controller Artmark Holding SRL transmitted to the petitioner unsolicited commercial messages on his e-mail address without his consent. Thus, although the petitioner had requested the company to delete his personal data from the controller’s database as they had been obtained without his consent, he continued to receive unsolicited commercial messages from Artmark Holding SRL on his e-mail address.

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

The Polish supervisory authority imposed its first administrative fine on a public entity

The President of the Personal Data Protection Office ("the President of the Office") imposed its first administrative fine on a public entity, of PLN 40,000, for failure to comply with the GDPR. The reason for imposing the fine was that the mayor of the city had not concluded a personal data processing agreement with the entities to which he transferred data.

No data processing agreement was concluded with the company whose servers hosted the resources of the Public Information Bulletin (BIP) of the City Hall in Aleksandrów Kujawski. Nor was such an agreement concluded with another company, which supplied the software used to create the BIP and provided services in this area. The President of the Office concluded that Article 28(3) of the GDPR had been violated. This provision obliges a controller, on whose behalf personal data are processed by another entity, to conclude a data processing agreement with that entity.

As a consequence of the absence of such an agreement, the mayor committed the act of sharing personal data without a legal basis, which violated the principle of lawfulness of processing (Article 5(1)(a) of the GDPR) and the principle of confidentiality (Article 5(1)(f) of the GDPR).

However, these were not the only violations established during the inspection conducted by the President of the Office. It was also found that there were no internal procedures for reviewing the resources available in the BIP in order to determine how long they should remain published. As a result, for example, property declarations from 2010 were still available in the BIP, although the sectoral regulations set their retention period at 6 years. Where the retention period for data is not laid down by law, the controller should determine it himself in accordance with the purposes for which he is processing them. The controller therefore violated the principle of storage limitation set forth in Article 5(1)(e) of the GDPR.

It was also established during the investigation that the recorded materials from the city council meetings were available in the BIP only through a link to a dedicated YouTube channel. There were no back-up copies of these recordings at the Municipal Office. Thus, in case of loss of data stored on YouTube, the controller would not have at his disposal the recordings. No risk analysis was carried out for the publication of recordings from board meetings exclusively on YouTube. Thus, the principles of integrity and confidentiality were infringed (Article 5(1)(f) of the GDPR) as well as the principle of accountability (Article 5(2) of the GDPR).

The principle of accountability was also breached in connection with the shortcomings in the register of processing activities. For example, it did not indicate all data recipients, nor did it indicate the planned date of data deletion for certain processing activities.

When imposing a penalty, the President of the Office took into account the fact that despite the irregularities found in the course of the proceedings, the controller did not remove them or implement solutions aimed at preventing future infringements. The controller also did not cooperate with the supervisory authority. Therefore, the President of the Office decided that there were no premises that could mitigate the amount of the fine.

Apart from the financial penalty, the President of the Office also ordered the controller to take action to remedy the relevant infringements within 60 days.

The Romanian Supervisory Authority fines Raiffeisen Bank S.A. and Vreau Credit S.R.L.

On the 1st of October 2019, the National Supervisory Authority finalised two investigations at Raiffeisen Bank S.A. and Vreau Credit S.R.L. noting the following:

  • Raiffeisen Bank S.A. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, which led to imposing an administrative fine in the amount of 150,000 Euros
  • Vreau Credit S.R.L. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, as well as of Article 33 paragraph (1) of the GDPR, which led to imposing an administrative fine in the amount of 20,000 Euros.

As regards Raiffeisen Bank S.A., the National Supervisory Authority has initiated an investigation, following the notification of a personal data breach to the supervisory authority, by filling in the form on the personal data breach in compliance with Regulation (EU) 2016/679.

The security breach consisted in the fact that two employees of Raiffeisen Bank S.A., using data from the identity documents of certain natural persons that employees of the company Vreau Credit S.R.L. had sent them through the WhatsApp mobile application, ran queries in the Credit Bureau system to obtain the data needed to determine those individuals' eligibility for credit by means of prescoring simulations. In this respect, 1194 simulations were performed concerning 1177 individuals.

Also, for 124 individuals, the database of the National Agency for Fiscal Administration (NAFA) was also consulted.

The above mentioned prescoring simulations were performed through the computer application used by Raiffeisen Bank S.A. in the crediting activity, and the negative crediting decision was communicated by the employees of Raiffeisen Bank S.A. to the employees of Vreau Credit S.R.L., with the infringement of the internal procedures.

The sanction was imposed on the controller because it did not implement appropriate measures to ensure that any natural person acting under its authority who has access to personal data processes them only on its instructions, except where required to do so by Union or national law.

Also, the controller did not implement adequate technical and organisational measures in order to ensure an adequate level of security and did not evaluate the risks presented by the processing.

This situation led to the unauthorized access to the personal data processed through the computer application used by Raiffeisen Bank S.A. in the crediting activity and to the unauthorized disclosure of personal data by the employees of the bank.

The controller Vreau Credit S.R.L. was likewise sanctioned for the breach of data security, and additionally because, up to the end of the investigation, it had not notified the personal data breach to the supervisory authority without undue delay, although it had been aware of the security incident since December 2018. The incident led to a breach of the confidentiality of its clients' (the data subjects') personal data and to the unauthorised/unlawful processing of that data.

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

The Romanian Supervisory Authority fines Elefant Online S.A.

The National Supervisory Authority has finalised an investigation of the controller Elefant Online S.A. and found that it infringed the provisions of Article 13 paragraph (1) letter q) of Law no. 506/2004, in conjunction with Article 13 paragraph (5) of Law no. 506/2004 and with Article 7 of Government Ordinance no. 2/2001.

The controller Elefant Online S.A. was sanctioned with a fine in the amount of 10,000 lei.

The sanction was applied to the controller because it did not prove that it obtained the express and unequivocal prior consent for the transmission of commercial messages by e-mail, in violation of the provisions regarding the unsolicited communications provided by Article 13 paragraph (1) letter q) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

In this context, the company was recommended to take the necessary measures to comply with the provisions of Article 12 of Law no. 506/2004, for sending commercial messages through electronic means of communication only with the express prior consent of the recipients.

The National Supervisory Authority imposed the sanction as a result of a petition claiming that the controller Elefant Online S.A. had sent the petitioner unsolicited commercial messages to his e-mail address without his consent. Thus, although the petitioner had unsubscribed both on the controller's website and through the unsubscribe links in the newsletters, he continued to receive unsolicited commercial messages from Elefant Online S.A. at his e-mail address.

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

The Romanian Supervisory Authority fines INTELIGO MEDIA SA

On the 26th of September 2019, the National Supervisory Authority completed an investigation at INTELIGO MEDIA SA, finding the following:

Violation of the provisions of Article 5 paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and Article 7 of the GDPR, which led to imposing an administrative fine in the amount of 9000 Euros.

The sanction was imposed as a result of a notification indicating that, when creating a new account on the website avocatnet.ro, which belongs to the controller Inteligo Media SA, an unticked box is displayed with the following text: «I do not want to receive "Personal Update", the information sent daily, free of charge, by email, by avocatnet.ro».

Under these conditions set by the controller, if a user omits to tick this box, he/she is automatically subscribed, i.e. his/her e-mail address is automatically entered in the subscriber database for this information.

Thus, the subscription took place in the absence of any manifestation of will by the users that clearly indicated acceptance of the processing for the purpose established by the controller.

During the investigation, the controller could not prove that it obtained an explicit consent, under the conditions provided by Article 7 of the GDPR, for a number of 4357 users, for which it processed their personal data.

Also, for the transmission of daily information by e-mail, the controller processed the data on the basis of a legal basis that is not appropriate for the purpose, namely the “execution of a contract”.

In this context, we emphasize that according to Article 7 of the GDPR, if the processing is based on consent, the controller must be able to demonstrate that the data subject has given his/her consent for the processing of his/her personal data.
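The sign-up mechanism described above, as an added illustration that is not part of the Romanian Supervisory Authority's text or of avocatnet.ro's code: the first function below treats a subscription as consented only when the user performs a clear affirmative act, so an unticked "I do not want ..." box yields nothing, while a ticked opt-in box yields a record of the exact wording, time and form version that the controller could later use to demonstrate consent under Article 7(1). The second function lists mailing-list addresses for which no such record exists, the situation found for the 4357 users. Form labels, version strings, addresses and the timestamp are constructed; the record layout and function names are assumptions.

```python
"""Newsletter sign-up: why an unticked opt-out box is not consent.

Added example, not code from the EDPB, the Romanian Supervisory Authority or
avocatnet.ro. Form labels, version strings, addresses and the timestamp are
constructed; the record layout is an assumption about what a controller needs
in order to demonstrate consent under Article 7(1) GDPR.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

NEWSLETTER_PURPOSE = "daily information e-mail"
SAMPLE_NOW = datetime(2019, 9, 26, 10, 0, tzinfo=timezone.utc)  # constructed

# Constructed form designs. "opt_out" mirrors the pattern in the decision: the
# box reads "I do not want ..." and is unticked by default, so doing nothing
# subscribes the user. "opt_in" is the compliant variant (recital 32).
FORMS = {
    "opt_out": {
        "version": "signup-v1",
        "label": "I do not want to receive the daily information",
        "default_checked": False,
        "checked_means_agreement": False,
    },
    "opt_in": {
        "version": "signup-v2",
        "label": "I want to receive the daily information",
        "default_checked": False,
        "checked_means_agreement": True,
    },
}


@dataclass(frozen=True)
class ConsentRecord:
    """What the controller keeps so that it can later show consent was given."""
    email: str
    purpose: str
    statement: str       # exact wording the user affirmed
    given_at: datetime   # moment of the affirmative act
    form_version: str    # which form wording was displayed


def evaluate_consent(form_name: str, box_checked: bool, email: str,
                     now: datetime = SAMPLE_NOW) -> Optional[ConsentRecord]:
    """Return a ConsentRecord only for a clear affirmative act; otherwise None.

    A box left in its default state carries no statement of will, whatever the
    label says, so silence or inactivity never produces a record. A box the
    user did change counts only if that change expresses agreement.
    """
    form = FORMS[form_name]
    if box_checked == form["default_checked"]:
        return None
    if form["checked_means_agreement"] and box_checked:
        return ConsentRecord(email, NEWSLETTER_PURPOSE, form["label"], now,
                             form["version"])
    return None  # the user ticked "I do not want": an objection, not consent


def subscribers_without_consent(subscriber_emails: Iterable[str],
                                records: Iterable[ConsentRecord]) -> List[str]:
    """Audit check: addresses on the mailing list with no consent record for
    the newsletter purpose, i.e. subscriptions the controller cannot justify."""
    evidenced = {r.email for r in records if r.purpose == NEWSLETTER_PURPOSE}
    return sorted(e for e in set(subscriber_emails) if e not in evidenced)


def demo() -> List[str]:
    """Two constructed sign-ups: one user ignored the opt-out box on the old
    form (and was subscribed anyway), one ticked the opt-in box on the new
    form. Only the second leaves evidence; the first is flagged by the audit."""
    records = []
    for form_name, checked, email in [
        ("opt_out", False, "ignored-box@example.com"),
        ("opt_in", True, "ticked-box@example.com"),
    ]:
        rec = evaluate_consent(form_name, checked, email)
        if rec is not None:
            records.append(rec)
    mailing_list = ["ignored-box@example.com", "ticked-box@example.com"]
    return subscribers_without_consent(mailing_list, records)


if __name__ == "__main__":
    print("subscribed without demonstrable consent:", demo())
```

The audit function is the part a controller would run periodically: every address that receives the newsletter must map to a stored affirmative act, otherwise the processing has no demonstrable consent behind it.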

At the same time, recital (32) of the same regulation states:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

Criminal proceedings of the Austrian data protection authority against Österreichische Post AG (Austrian Postal Service)

The Austrian data protection authority (DPA) imposed an administrative fine of 18 million euros on Österreichische Post AG (ÖPAG) after conducting administrative fine proceedings.

After carrying out an oral hearing, the Austrian DPA considered it established on the basis of the evidence that ÖPAG had violated the GDPR by processing personal data on the alleged political affinity of affected data subjects.

In addition, another violation was determined due to the further processing of data on package frequency and the frequency of relocations for the purpose of direct marketing, as this is not covered by the GDPR.

These violations of the GDPR were committed unlawfully and culpably, which is why the above-mentioned administrative fine is appropriate to prevent other or similar violations.

The penalty is not final, as it can be challenged before the Federal Administrative Court within four weeks after the delivery of the penalty notice.

New Rules for Credit Reporting Systems in the Digital Economy

The main novelties for consumer credit, loans and new types of financing

Greater safeguards for consumers registered in credit databases, transparency on the functioning of algorithms that analyse financial risk, openness to new technologies and fintech services.

These are some of the innovations laid down in the new ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’, proposed by the trade associations and approved by the Italian Garante after a complex review of the old Code of Ethics, which has been rendered obsolete by the changes introduced by the European and national legislation on privacy.

The new rules for credit risk analysis — in order to adapt to the challenges posed by the digital economy — do not only concern data on loans and mortgages, but also those relating to different forms of leasing, long-term rental and the most innovative forms of loan between private entities (‘peer-to-peer lending’) managed through fintech platforms.

In order to facilitate the proper functioning of the financial and credit market, the records may be processed without the data subjects’ consent, on the basis of the so-called legitimate interest of the companies participating in the credit reporting systems, while guaranteeing the wider rights set out in the European Data Protection Regulation. Only necessary, relevant data not exceeding the credit risk assessment purposes may be processed, by providing complete and timely information to the data subjects. For example, if you apply for a mortgage and your application is rejected, you will be able to know if the decision was taken also on the basis of the risk scoring given to you by an algorithm and, if so, to request to know the underlying logic.

In addition, the statistical analysis models as well as the algorithms used should be reviewed and updated at least every two years. Particular attention has been given to the security measures taken to protect the data from unlawful access and to ensure reliability of the systems. New forms of contact, such as those enabled by instant messaging systems used on smartphones, have also been identified in order to simplify the arrangements for informing data subjects prior to their registration in a credit reporting system (prior notice).

Some of the main novelties are listed below:
-    Rights: enhanced rights to protect the privacy of data subjects
-    Disclosure: more complete information about the data processed by the participating companies
-    Monitoring body: an independent body must be established to oversee the work of credit reporting systems
-    New forms of contact: subject to agreement with the data subjects, ‘alert notices’ may also be sent by means of instant messaging systems that ensure traceability of the delivery.
-    New credit categories: the scope of registered data was extended to include various forms of leasing, hire, lending between private parties (peer to peer lending)
-    Longer positive data series: positive historical data on clients may be stored for 60 months to protect credit and to meet the demand coming from supervisory bodies
-    Transparency in decisions: in the event of a denial of credit based on automated analysis, the data subject may request to know the logic underlying operation of algorithms
-    Pseudonymised data for the training of algorithms: algorithms may be ‘trained’ with pseudonymised data, i.e. data that can no longer be related to a specific entity
-    Security: additional measures are envisaged to protect data security and against unlawful access

In the approval decision, the Italian Garante nevertheless required credit reporting systems to make some changes to the functioning of the monitoring body established by the Code in order to strengthen its independence and autonomy from sector-related companies.

The members of the new Code of Conduct have committed themselves to comply forthwith with its rules and principles, even though the text will become fully effective only upon completion of the accreditation procedure for the monitoring body, which requires the favourable opinion of the European Data Protection Board (EDPB).

The Spanish Data Protection Authority fined Vueling 30,000 euros for the cookie policy used on its website

Users who access the Vueling company’s website do not have the ability to configure the cookies that are installed on their computers.

The cookie policy published at https://www.vueling.com/es informs users about what cookies are and which cookies the site uses. It also states that Vueling may use the information, itself or through third parties, by means such as beacons, pixel tags and local storage, for evaluations and statistical calculations on anonymous data, indicating that "such information will not be used for any other purpose". It also states that third-party analytics cookies may be used.

However, on the management of cookies, the company merely indicates that "you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive. You can also use 'do not track' tracking cookie blocking tools." It is also noted that "you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose, and that you can adjust the browser settings to prevent the installation of cookies by websites or third parties in general."

What the company does not provide is a management system or cookie configuration panel that allows the user to reject cookies selectively. To allow such a selection, the panel would have to offer a mechanism or button to reject all cookies, another to accept all cookies, and a way to choose cookies individually so that each user can manage their preferences. The information offered about the tools built into browsers for configuring cookies is considered complementary to such a panel, but insufficient on its own for the intended purpose of allowing the user to configure preferences selectively or at a granular level.

These facts constitute an infringement of Section 22.2 of the LSSI (Spanish Law on Information Society Services and Electronic Commerce), according to which: "Service providers may use data storage and retrieval devices on recipients' terminal equipment, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing".

Read the decision in Spanish here
For further information, please contact the Spanish DPA: prensa@aepd.es

European Data Protection Board - Fourteenth Plenary session

On October 8th and 9th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their fourteenth plenary session. During the plenary a wide range of topics were discussed.
 
Guidelines on the lawful basis for processing for online services based on contracts (Art. 6 (1) (b))
The EDPB adopted a final version of the guidelines on the scope and application of Article 6(1)(b) GDPR in the context of information society services. Following public consultation, points of clarification were included in the text. In its guidelines, the Board makes general observations regarding data protection principles and the interaction of Article 6(1)(b) with other lawful bases. In addition, the guidelines contain guidance on the applicability of Article 6(1)(b) in case of bundling of separate services and termination of contract.

Article 64 Opinion on Equinix BCRs
The EDPB adopted its opinion on the draft decision regarding Equinix Binding Corporate Rules (BCRs), submitted to the Board by the UK’s Information Commissioner’s Office (ICO). The EDPB is of the opinion that the Equinix BCRs contain all elements required under article 47 GDPR and WP256 rev01 and contain the appropriate safeguards.

Passenger Name Records (PNR)
The EDPB adopted a letter in response to MEP Sophie in’t Veld’s letter regarding the renegotiated draft PNR agreement with Canada and its impact on other PNR agreements. In its response, the EDPB notes that the draft agreement has not yet been shared with the Board, but that the EDPB stands ready to issue an opinion. The letter further refers to a previous letter sent to the European Commission by the Article 29 Working Party (WP29), following the opinion of the European Court of Justice (CJEU) on the first draft PNR agreement with Canada.

Response to the Council Working Party on Sports Anti-Doping Code (WADA)
The EDPB adopted its response to the Council Working Party on Sports’ request regarding the ongoing review process of the World Anti-Doping Code. In its letter, the Board recalls two WP29 opinions on the previous versions of the WADA code. The letter points out that progress has been made in relation to the safeguards on privacy and data protection provided by the new version of the Code and its Standards, but that some important concerns remain.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Administrative fines imposed on a telephone service provider

(1) Imposition of a fine for breach of the principle of accuracy and data protection by design when keeping personal data of subscribers

The Hellenic DPA received complaints from telephone subscribers of the Hellenic Telecommunications Organization ("OTE") who, although registered in OTE's do-not-call register (under Article 11 of Law 3471/2006), received unsolicited calls from third-party companies promoting products and services.

The investigation of the case showed that those subscribers had submitted a portability request to transfer their subscription to another provider, as a consequence of which OTE deleted their entries from the do-not-call register. However, when those subscribers cancelled their portability request, there was no proper procedure to reverse their removal from the register. The subscribers were listed as registrants in the internal system of the provider's customer service, but their telephone numbers were not included in the register that OTE sent to advertisers, because an error in the interconnection of the two systems meant that they did not have the same content.

The Authority found that this incident affected a large number of individual subscribers, as there was an infringement of Article 25 (data protection by design) and Article 5(1)(c) (principle of accuracy) of the General Data Protection Regulation (GDPR). It therefore imposed an administrative fine of EUR 200,000 on the basis of the criteria laid down in Article 83(2) of the Regulation.

Decision 31/2019 is available in Greek on www.dpa.gr under "Decisions".

(2) Imposition of a fine for failure to satisfy the right to object and the principle of data protection by design when keeping personal data of subscribers

The Hellenic DPA received complaints from recipients of advertising messages from OTE who were unable to unsubscribe from the list of recipients of those messages. Examination of the complaints revealed that, from 2013 onwards, a technical error meant that removal from the recipient lists did not work for recipients who used the "unsubscribe" link. OTE lacked the appropriate organisational measure, i.e. a defined procedure by which it could detect that the data subject's right to object was not being satisfied.

Subsequently, OTE removed around 8,000 persons, who had unsuccessfully attempted to withdraw from 2013 onwards, from the addressees of the messages. The Authority found an infringement of the right to object to processing for direct marketing purposes (Article 21(3) of the GDPR) as well as of Article 25 (data protection by design) of the GDPR and imposed an administrative fine of EUR 200,000 on the basis of the criteria of Article 83(2) of the Regulation.
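Both incidents above, in (1) and (2), come down to an opt-out recorded in one system that is not reflected in the list actually used for outbound contact, with no procedure in place to detect the gap. As an added example, not code from the Hellenic DPA or from OTE's systems, the code below replays a constructed event log to derive who should be opted out of calls and e-mails, reproduces the portability-cancellation defect when restore_on_cancel is switched off, and reconciles the expected opt-outs against the do-not-call export sent to advertisers and the e-mail recipient list. Every number, address, event name and list is constructed; the function names are assumptions.

```python
"""Reconciling recorded opt-outs with the lists actually used for contact.

Added example; not code from the Hellenic DPA or OTE. It models the two
failure modes summarised above with a constructed event log: a do-not-call
entry dropped on a portability request that must be restored if the request
is cancelled, and an unsubscribe click that the mailing system never applied.
Event names, numbers, addresses and list contents are all constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str]  # (subscriber identifier, event name)

# Constructed chronological event log from the customer-service system.
EVENTS: List[Event] = [
    ("+30210000001", "dnc_register"),
    ("+30210000002", "dnc_register"),
    ("+30210000002", "portability_request"),
    ("+30210000002", "portability_cancel"),   # stayed with the provider
    ("+30210000003", "dnc_register"),
    ("+30210000003", "portability_request"),  # actually left
    ("alpha@example.com", "unsubscribe_click"),
    ("beta@example.com", "unsubscribe_click"),
]

# Constructed e-mail recipient list as really produced: alpha@ is still on it
# because the unsubscribe click was never applied (the error in decision 34/2019).
MAILING_LIST = ["alpha@example.com", "gamma@example.com"]


def replay(events: Iterable[Event],
           restore_on_cancel: bool = True) -> Dict[str, Set[str]]:
    """Derive the expected opt-out sets per channel from the event log.

    restore_on_cancel=False reproduces the defect in decision 31/2019: a
    cancelled portability request leaves the subscriber outside the
    do-not-call set even though customer service still shows them as
    registered."""
    opted_out: Dict[str, Set[str]] = {"calls": set(), "email": set()}
    pending_portability: Set[str] = set()
    for subscriber, event in events:
        if event == "dnc_register":
            opted_out["calls"].add(subscriber)
        elif event == "unsubscribe_click":
            opted_out["email"].add(subscriber)
        elif event == "portability_request":
            # The number is leaving, so its entry is dropped from the register.
            opted_out["calls"].discard(subscriber)
            pending_portability.add(subscriber)
        elif event == "portability_cancel":
            if subscriber in pending_portability:
                pending_portability.discard(subscriber)
                if restore_on_cancel:
                    opted_out["calls"].add(subscriber)
        else:
            raise ValueError(f"unknown event {event!r}")
    return opted_out


def unhonoured_opt_outs(expected: Dict[str, Set[str]],
                        dnc_export: Iterable[str],
                        mailing_list: Iterable[str]) -> Dict[str, List[str]]:
    """The check OTE lacked: compare what the CRM says with what goes out.

    The do-not-call export lists numbers advertisers must NOT call, so an
    expected entry missing from it is a failure. The mailing list holds
    addresses that WILL be messaged, so an unsubscribed address present in
    it is a failure."""
    return {
        "calls": sorted(expected["calls"] - set(dnc_export)),
        "email": sorted(expected["email"] & set(mailing_list)),
    }


def audit() -> Dict[str, List[str]]:
    """Run the reconciliation against exports produced by the faulty flow."""
    expected = replay(EVENTS)  # what customer service shows
    # What advertisers actually received: built without restoring cancelled
    # portability requests, i.e. the interconnection error.
    dnc_export = sorted(replay(EVENTS, restore_on_cancel=False)["calls"])
    return unhonoured_opt_outs(expected, dnc_export, MAILING_LIST)


if __name__ == "__main__":
    for channel, missed in audit().items():
        print(f"{channel}: {len(missed)} opt-out(s) not honoured: {missed}")
```

Run against the constructed data, the audit reports +30210000002 (registered, portability cancelled, but absent from the advertiser export) and alpha@example.com (unsubscribed, still on the recipient list). Scheduling such a comparison before every export is the defined procedure the decisions say was missing: it turns a silent divergence between two systems into a finding that can be fixed before the next campaign goes out.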

Decision 34/2019 is available in Greek on www.dpa.gr under "Decisions".

Communications Department

For further information, please contact the Greek SA directly: contact@dpa.gr

EDPB Stakeholder Event on Data Subject Rights

On November 4th, the EDPB is organising a stakeholders' event on the topic of Data Subject Rights. Representatives of, among others, individual companies, sector organisations, NGOs, law firms and academia are welcome to express interest in attending. Places will be allocated on a first come, first served basis, depending on availability.

Detailed information and the programme of the event can be found on the registration page.

As we would like to have a balanced and representative audience, participation will be limited to one participant per organisation.

Registration for expression of interest is now open:  https://ec.europa.eu/eusurvey/runner/CallForExpressionOfInterest_Open

When? November 4th 2019, from 08:30 to 16:00

Where? CCAB - Centre Albert Borschette, Rue Froissart 36, 1040 Brussels

Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards

The President of the Personal Data Protection Office imposed a fine of more than PLN 2.8 million (ca. 645,000 euros) on Morele.net.

The company’s organisational and technical measures for the protection of personal data were not appropriate to the risk posed by the processing, with the result that the data of about 2.2 million people fell into the wrong hands. There was a lack of appropriate response procedures to deal with the emergence of unusual network traffic, concluded the President of the Personal Data Protection Office (UODO).

While imposing the fine, the supervisory authority concluded that the breach which took place in this case was of considerable importance and of serious character, and concerned a large number of persons. In its decision, the supervisory authority also pointed out that, as a result of the infringement, there was a high risk of adverse effects on persons whose personal data fell into the wrong hands, such as identity theft.

The data concerned included: name and surname, phone number, email, delivery address. However, in the case of about 35,000 people, the data leaked from their installment loan application. The scope of the data comprised the personal ID number (PESEL number), the series and the number of the identity document, educational background, registered address, correspondence address, source of income, amount of net income, the cost of living of the household, marital status, as well as the amount of credit commitments or maintenance obligations.

In the decision imposing the fine, the President of UODO concluded that the company, by failing to comply with the required technical means of data protection, had breached, inter alia, the principle of confidentiality set out in Article 5(1)(f) of the GDPR. As a result, there was unauthorised access to and acquisition of customers’ data. The authority considered that the measures in place for authenticating access to the data were ineffective. The company implemented additional technical security measures after the breach.

The investigation revealed that the infringement also occurred because of ineffective monitoring of potential risks. The investigation further revealed other misconduct, but it was the lack of appropriate technical measures (insufficient safeguards) and organisational measures (on the monitoring of potential risks related to atypical online behaviour) that led to the fine. In determining its amount, however, the President of UODO took account of mitigating circumstances, such as the action taken by the company to put an end to the infringement, good cooperation with the controller and the fact that the company had not breached personal data protection law before.

To read the full press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl

The Belgian data protection authority imposes a fine of € 10,000

The Belgian data protection authority imposed a fine of €10,000 on a merchant for the disproportionate use of the electronic identity card for the purpose of creating a loyalty card.

The Authority sanctioned a merchant who offers the reading of the electronic identity card as the only means of creating a loyalty card. The administrative fine imposed amounts to €10,000. The electronic identity card contains a great deal of data about its holder, and the use of these data without the customer's consent is considered disproportionate in relation to the service offered.

Statement of facts: reading of the eID in exchange for a loyalty card
The APD received a complaint concerning a merchant's use of the electronic identity card (eID) in the context of a commercial service, namely the creation of a loyalty card. As the complainant did not want to present his identity card, the loyalty card was refused to him, even though he offered to provide the merchant in writing with the data concerning him in order to obtain a loyalty card. The Litigation Chamber of the APD found this practice to be non-compliant with the General Data Protection Regulation (GDPR) on several grounds.

Non-compliance with the principle of data minimisation
The principle of minimisation is an important principle of the GDPR which requires controllers to limit the amount of personal data collected, as well as its retention period, to what is strictly necessary in view of the purpose pursued.

For the creation of the loyalty card, the merchant requires the reading of data on the eID such as the surname, first names, address, etc., but it also wants to access the photo and the barcode, which is linked to the National Register number. The Litigation Chamber recalls that the National Register number is a data item subject to strict rules as to its consultation and use.

The Litigation Chamber therefore considers that reading and using all the data present on the electronic identity card in a commercial context constitutes disproportionate data processing in relation to the objective of creating a loyalty card.

Absence of valid consent
To be lawful, the processing of personal data must rest on one of the six legal bases provided for by the GDPR. The merchant invokes consent as the legal basis to justify the processing of the data contained on the customer's eID, but the Litigation Chamber disputes the validity of this legal basis.

To be valid, consent must be freely given, specific and informed. The Litigation Chamber considers that the consent given in the present case cannot be regarded as freely given, because no alternative is offered to customers. If customers refuse to have their electronic identity card used for the creation of a loyalty card, they are thereby penalised and cannot enjoy benefits and discounts, as no alternative is offered to them.

Hielke Hijmans, President of the Litigation Chamber, explains: "Companies or merchants must take a more conscientious approach when they request all sorts of personal data for a service, especially in the absence of valid consent from the customer. The GDPR lays down principles and obligations that must serve as a guiding thread for processing personal data correctly."

Sanctions
In view of the non-compliance with the principle of data minimisation and the absence of a valid legal basis, the Litigation Chamber decides to order the merchant to comply with the requirements of the GDPR and to impose on it an administrative fine amounting to €10,000.

"The use of electronic identity cards as loyalty cards is a common practice. However, the GDPR does not permit access to numerous personal data if these are not strictly necessary for the provision of a service and without a valid legal basis. The Litigation Chamber considers this to be a serious infringement and therefore imposes a fine amounting to €10,000", specifies Hielke Hijmans, President of the Litigation Chamber.
David Stevens, President of the APD: "This decision constitutes another important milestone on the road towards better protection of the privacy of our citizens."

To read the full press release in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros against online retailer

On 26 August 2019, the Director of the Data State Inspectorate of Latvia (DSI) imposed a financial penalty of 7000 euros on an online retailer for non-compliance with the General Data Protection Regulation (GDPR), namely failure to honour the data subject's right to erasure and non-cooperation with the supervisory authority.

The sanctions were applied because the retailer failed to carry out the controller's duty to execute the data subject's request and did not cooperate with the DSI (the retailer did not provide the DSI with the requested information within the specified time period, nor did it comply with an order issued by the DSI in accordance with GDPR Article 58(2)(c) and (g) and Article 23 of the Personal Data Processing Law).

The DSI initiated an investigation of a complaint against the online retailer for non-compliance with the data subject's rights under GDPR Article 17: the data subject's right to obtain from the controller the erasure of his personal data without undue delay, and the controller's corresponding obligation under the GDPR to respond to the request and erase the personal data without undue delay.

Investigating the case, the DSI established that in 2018 the claimant had repeatedly requested the retailer to delete all his personal data, including the claimant's mobile phone number. The retailer did not comply with the data subject's request to erase the data and continued to process the personal data in question (including the claimant's phone number).

When determining the amount of the fine, the Director of the DSI took into account the nature, gravity and duration of the infringement, the degree of cooperation with the supervisory authority, the number of data subjects affected and the total annual turnover of the retailer in the preceding financial year (GDPR Article 83(5)(b) and (e)).

The DSI notes that, in accordance with Articles 288 and 289 of the Latvian Administrative Violations Code, the retailer has the right to appeal the decision of the Director of the DSI to the District (City) Court within ten working days from the day of receipt of the decision.

Read the full press release in Latvian here

For further information, please contact the Latvian DPA: info@dvi.gov.lv

Facial recognition in school renders Sweden’s first GDPR fine

The Swedish DPA has fined a municipality 200 000 SEK (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school.

A school in northern Sweden has conducted a pilot using facial recognition to keep track of students’ attendance in school. The test run was conducted in one school class for a limited period of time.

The Swedish DPA concluded that the test violates several articles in GDPR and has imposed a fine on the municipality of approximately 20 000 euros. In Sweden public authorities can receive a maximum fine of 10 million SEK (approximately 1 million euros). This is the first fine issued by the Swedish DPA.
The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.

The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.

Read the full press release in Swedish below or here

For further information, please contact the Swedish DPA: datainspektionen@datainspektionen.se

Administrative fine for facial recognition in a school

Datainspektionen (the Swedish Data Protection Authority) is issuing an administrative fine of SEK 200,000 against a school that, on a trial basis, used facial recognition via camera to register pupils' attendance.

For the first time, Datainspektionen is now issuing an administrative fine against an actor that has breached the rules of the General Data Protection Regulation, GDPR.

An upper secondary school in Skellefteå used facial recognition via camera, on a trial basis, to register pupils' attendance at lessons. The trial ran for three weeks and involved 22 pupils. Datainspektionen has reviewed the use and concludes that the upper secondary education board (gymnasienämnden) in Skellefteå has handled sensitive personal data in breach of the GDPR.

– The upper secondary education board in Skellefteå has breached several of the provisions of the GDPR in a way that leads us to now issue an administrative fine, says Lena Lindgren Schelin, Director General of Datainspektionen.

The administrative fine is SEK 200,000. The size of the fine is affected, among other things, by the fact that it concerns a public authority and that it was a trial over a limited period. Public authorities can receive a maximum administrative fine of SEK 10 million.

– Facial recognition technology is in its infancy, but development is moving fast. We therefore see a great need to create clarity about what applies to all actors, says Lena Lindgren Schelin.

Biometric data, which is used in facial recognition, is sensitive personal data that merits extra protection and that may only be processed under an explicit exemption. The upper secondary education board has stated that it obtained the pupils' consent to use facial recognition for attendance monitoring.

– The upper secondary education board cannot rely on consent in this case because the pupils are in a position of dependence on the board, explains Ranja Bunni, a lawyer at Datainspektionen who took part in the review.

In its decision, Datainspektionen concludes that the facial recognition entailed camera surveillance of the pupils in their everyday environment, was an intrusion into their privacy, and that attendance monitoring can be carried out in other ways that are less privacy-intrusive than facial recognition.

For more information, contact
Lawyer Ranja Bunni, telephone 08-657 61 46
Lawyer Jenny Bård, telephone 08-657 61 54
Press contact Per Lövgren, telephone 08-515 15 415
