European Data Protection Board

Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards

The President of the Personal Data Protection Office imposed a fine of more than PLN 2.8 million (ca. 645,000 euros) on Morele.net.

The company’s organisational and technical measures for the protection of personal data were not appropriate to the risk posed by the processing, and as a result the data of about 2.2 million people fell into the wrong hands. There was a lack of appropriate response procedures for dealing with the emergence of unusual network traffic, concluded the President of the Personal Data Protection Office (UODO).

While imposing the fine, the supervisory authority concluded that the breach which took place in this case was of considerable importance and of serious character, and concerned a large number of persons. In its decision, the supervisory authority also pointed out that, as a result of the infringement, there was a high risk of adverse effects on persons whose personal data fell into the wrong hands, such as identity theft.

The data concerned included: name and surname, phone number, email, delivery address. However, in the case of about 35,000 people, the data leaked from their installment loan application. The scope of the data comprised the personal ID number (PESEL number), the series and the number of the identity document, educational background, registered address, correspondence address, source of income, amount of net income, the cost of living of the household, marital status, as well as the amount of credit commitments or maintenance obligations.

In the decision imposing the fine, the President of UODO concluded that the company, by failing to implement the required technical means of data protection, had breached, inter alia, the principle of confidentiality set out in Article 5(1)(f) of the GDPR; as a result, customers’ data were accessed and obtained without authorisation. The authority considered that the measures put in place to authenticate access to the data were ineffective. The company implemented additional technical security measures after the breach.

The investigation revealed that the infringement also occurred because of ineffective monitoring of potential risks. It further revealed other misconduct, but it was the lack of appropriate technical measures (insufficient safeguards) and organisational measures (monitoring of potential risks related to atypical online behaviour) that led to the fine. In determining its amount, however, the President of UODO took account of mitigating circumstances, such as the action taken by the company to put an end to the infringement, the good cooperation on the part of the controller, and the fact that the company had not breached personal data protection law before.

To read the full press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl

The Belgian data protection authority imposes a fine of € 10,000

The Belgian data protection authority imposed a fine of €10,000 on a merchant for the disproportionate use of the electronic identity card for the purpose of creating a loyalty card.

The Authority sanctioned a merchant that offers the reading of the electronic identity card as the only means of creating a loyalty card. The administrative fine imposed amounts to €10,000. The electronic identity card contains many data about its holder, and the use of these data without the customer’s consent is considered disproportionate in relation to the service offered.

Statement of facts: reading of the eID in exchange for a loyalty card
The DPA received a complaint concerning the use by a merchant of the electronic identity card (eID) in the context of a commercial service, namely the creation of a loyalty card. As the complainant did not wish to present his identity card, the loyalty card was refused to him, even though he offered to provide the merchant in writing with the data concerning him in order to obtain a loyalty card. The Litigation Chamber of the DPA found this practice not to comply with the General Data Protection Regulation (GDPR) on several grounds.

Failure to respect the principle of data minimisation
The principle of minimisation is an important principle in the GDPR which requires controllers to limit the amount of personal data collected, as well as the period for which they are retained, to what is strictly necessary in view of the purpose pursued.

To create the loyalty card, the merchant requires the reading of data on the eID such as the surname, first names, address, etc., but also wants to access the photo and the barcode, which is linked to the National Register number. The Litigation Chamber recalls that the National Register number is a piece of data subject to strict rules on its consultation and use.

The Litigation Chamber therefore considers that reading and using all the data present on the electronic identity card in a commercial context constitutes a disproportionate processing of data in relation to the objective of creating a loyalty card.

Absence of valid consent
To be lawful, the processing of personal data must rest on one of the six legal bases provided for in the GDPR. The merchant invokes consent as the legal basis to justify the processing of the data on the customer’s eID, but the Litigation Chamber disputes the validity of this legal basis.

To be valid, consent must be free, specific and informed. The Litigation Chamber considers that the consent given in the present case cannot be regarded as freely given, because no alternative is offered to customers. If customers refuse to have their electronic identity card used to create a loyalty card, they are thereby penalised and cannot enjoy benefits and discounts, since no alternative is offered to them.

Hielke Hijmans, President of the Litigation Chamber, explains: "Companies or merchants must take a more conscientious approach when they request all kinds of personal data for a service, especially in the absence of valid consent from the customer. The GDPR lays down principles and obligations that must serve as a guiding thread for processing personal data correctly."

Sanctions
In view of the failure to respect the principle of data minimisation and the absence of a valid legal basis, the Litigation Chamber decides to order the merchant to comply with the requirements of the GDPR and to impose on it an administrative fine of €10,000.

"The use of electronic identity cards as loyalty cards is a common practice. However, the GDPR does not permit access to numerous personal data if these are not strictly necessary for the provision of a service, and without a valid legal basis. The Litigation Chamber considers this a serious infringement and therefore imposes a fine of €10,000," states Hielke Hijmans, President of the Litigation Chamber.
David Stevens, President of the DPA: "This decision is another important milestone on the path towards better protection of the privacy of our citizens."

To read the full press release in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros against online retailer

On 26 August 2019, the Director of the Data State Inspectorate of Latvia (DSI) imposed a financial penalty of 7000 euros on an online retailer for non-compliance with the General Data Protection Regulation (GDPR), namely failure to respect the data subject’s right to erasure and non-cooperation with the supervisory authority.

The sanctions were applied because the retailer failed to carry out the controller’s duty to execute the data subject’s request and did not cooperate with the DSI (the retailer neither provided the DSI with the requested information within the specified time period nor complied with an order issued by the DSI in accordance with GDPR Article 58(2)(c) and (g) and Article 23 of the Personal Data Processing Law).

The DSI opened an investigation into a complaint that the online retailer had not complied with the rights of the data subject under GDPR Article 17, which gives the data subject the right to obtain from the controller the erasure of his personal data without undue delay and obliges the controller to respond to the data subject’s request and erase the personal data without undue delay.

Investigating the case, the DSI established that in 2018 the claimant had repeatedly requested the retailer to delete all his personal data, including the claimant’s mobile phone number. The retailer did not comply with the data subject’s request to erase the data and continued to process the personal data in question (including the claimant’s phone number).

When determining the amount of the fine, the Director of the DSI took into account the nature, gravity and duration of the infringement, the degree of cooperation with the supervisory authority, the number of data subjects affected, and the total annual turnover of the retailer in the preceding financial year (GDPR Article 83(5)(b) and (e)).

The DSI notes that, in accordance with Articles 288 and 289 of the Latvian Administrative Violations Code, the retailer has the right to appeal the decision of the Director of the DSI to the District (City) Court within ten working days from the day of receipt of the decision.

Read the full press release in Latvian here

For further information, please contact the Latvian DPA: info@dvi.gov.lv

Facial recognition in school renders Sweden’s first GDPR fine

The Swedish DPA has fined a municipality 200 000 SEK (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school.

A school in northern Sweden has conducted a pilot using facial recognition to keep track of students’ attendance in school. The test run was conducted in one school class for a limited period of time.

The Swedish DPA concluded that the test violates several articles in GDPR and has imposed a fine on the municipality of approximately 20 000 euros. In Sweden public authorities can receive a maximum fine of 10 million SEK (approximately 1 million euros). This is the first fine issued by the Swedish DPA.
The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.

The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.

Read the full press release of the Swedish DPA below or here

For further information, please contact the Swedish DPA: datainspektionen@datainspektionen.se

Administrative fine for facial recognition in a school

The Swedish Data Protection Authority (Datainspektionen) issues an administrative fine of SEK 200,000 against a school that, on a trial basis, has used facial recognition via camera to register students’ attendance.

For the first time, the Swedish DPA now issues an administrative fine against an actor that has breached the rules of the General Data Protection Regulation, GDPR.

An upper secondary school in Skellefteå has, on a trial basis, used facial recognition via camera to register students’ attendance at lessons. The trial ran for three weeks and involved 22 students. The Swedish DPA has reviewed the use and finds that the upper secondary education board (gymnasienämnden) in Skellefteå has handled sensitive personal data in breach of the GDPR.

– The upper secondary education board in Skellefteå has infringed several of the provisions of the GDPR in a way that leads us to now issue an administrative fine, says Lena Lindgren Schelin, Director General of the Swedish DPA.

The administrative fine is SEK 200,000. The size of the fine is affected, among other things, by the fact that a public authority is concerned and that it was a trial for a limited period. Public authorities can receive a maximum administrative fine of SEK 10 million.

– Facial recognition technology is in its infancy, but development is moving fast. We therefore see a great need to create clarity about what applies to all actors, says Lena Lindgren Schelin.

Biometric data, which are used in facial recognition, are sensitive personal data that warrant extra protection and that may only be handled under explicit exceptions. The education board has stated that it obtained the students’ consent to use facial recognition for attendance control.

– The education board cannot rely on consent in this case, because the students are in a position of dependence on the board, explains Ranja Bunni, a lawyer at the Swedish DPA who took part in the review.

In its decision, the Swedish DPA finds that the facial recognition amounted to camera surveillance of the students in their everyday environment, was an intrusion into their privacy, and that attendance control can be carried out in other ways that are less privacy-intrusive than facial recognition.

For more information, contact
Lawyer Ranja Bunni, telephone 08-657 61 46
Lawyer Jenny Bård, telephone 08-657 61 54
Press contact Per Lövgren, telephone 08-515 15 415

Giovanni Buttarelli

It is with great sadness that we learned of the passing of Giovanni Buttarelli.
 
Giovanni Buttarelli is and will always remain a big part of European data protection law and practice as we know it today. His expert knowledge, leadership and vision have inspired many of us who are active in the data protection field.
 
Throughout his career, Giovanni worked tirelessly to raise awareness and to increase transparency regarding data protection law, not just in Europe, but around the world.  
 
We have always appreciated Giovanni's openness and his positive attitude. He has been vital in kick-starting the EDPB and his contributions to the work of the Board have been very valuable and important.
 
Our thoughts are with his family and we hope they find the strength to deal with this sorrow.

Austrian DPA fines controller in the medical sector

On 12 August 2019, the Austrian DPA imposed an administrative fine of € 55,000 (of which € 5,000 are procedural costs) on a controller operating in the medical sector. Over the course of more than six months, the controller had neither appointed a data protection officer nor published the officer’s contact details or reported them to the supervisory authority. In addition, the controller had obliged the data subjects to give their consent to a data processing, which did not meet the criteria set out in Art. 7 GDPR, and had also violated its duty to provide information pursuant to Art. 13 and 14 GDPR. Moreover, despite handling sensitive data, no data protection impact assessment pursuant to Art. 35 GDPR was carried out. The administrative fine is not yet final; a complaint against the fine is expected.

For further information, please contact the Austrian DPA: dsb@dsb.gv.at

Company fined 150,000 euros for infringements of the GDPR

Exercise of the Hellenic DPA’s corrective powers pursuant to the GDPR for selection and application of an inappropriate legal basis and violation of the principle of accountability by a company

Company fined €150,000 by the Hellenic DPA

The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company ‘PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA’ (PWC BS). According to the above complaint the employees were required to provide consent to the processing of their personal data.

The DPA considered that PWC BS as the controller:

i. has unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis.

ii. has processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1)(a) indent (b) and (c) of the GDPR, giving them the false impression that it was processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in reality it was processing their data under a different legal basis about which the employees had never been informed.

iii. although it was responsible in its capacity as the controller, it was not able to demonstrate compliance with Article 5(1) of the GDPR, and it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.

The Hellenic DPA, after ascertaining the infringements of the GDPR, decided that in this case it should exercise the corrective powers conferred on it under Article 58(2) of the GDPR by imposing corrective measures, and that it would order the company in its capacity as the controller within three (3) months:

  • to bring the processing operations of its employees’ personal data as described in Annex I submitted by the company into compliance with the provisions of the GDPR;
  • to restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in accordance with the grounds of the decision;
  • to subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the GDPR insofar as the infringement established affects the internal organisation and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle.

Moreover, as the above corrective measure is not sufficient in itself to restore compliance with the GDPR provisions infringed, the Hellenic DPA considered that, based on the circumstances identified in this case and under Article 58(2)(i), an additional effective, proportionate and dissuasive administrative fine should be imposed in accordance with Article 83 of the GDPR, which amounts to one hundred and fifty thousand Euros (EUR 150,000.00).

The Decision (in Greek) is available on www.dpa.gr (--> “Decisions”)
A summary of the Decision (in English) is available on http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL

The press release is available on: https://www.dpa.gr/portal/page?_pageid=33,43547&_dad=portal&_schema=PORTAL

Twelfth Plenary Session: adopted documents

Twelfth Plenary session: Guidelines on Video Surveillance, Implications of the US CLOUD Act, Opinion on SCCs for processors under Art.28.8 by DK, Opinion on Accreditation Criteria for monitoring bodies of Codes of Conduct by AT, Opinion on the competence

Brussels, 11 July - On July 9th and 10th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their twelfth plenary session. During the plenary a wide range of topics were discussed.
 
Guidelines on Video Surveillance
The Board adopted Guidelines on Video Surveillance, which clarify how the GDPR applies to the processing of personal data when using video devices and aim to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. For the latter, the guidelines focus on the rules regarding processing of special categories of data. In addition, the guidelines cover, among others, the lawfulness of processing, the applicability of the household exemption and the disclosure of footage to third parties. The guidelines will be subject to public consultation.

EDPB-EDPS joint reply to the LIBE Committee on the implications of the US CLOUD Act
The EDPB adopted a joint EDPB-EDPS reply to the European Parliament Committee on Civil Liberties, Justice and Home Affairs’ (LIBE) request for a legal assessment regarding the impact of the US CLOUD Act on the EU legal data protection framework and the mandate for negotiating an EU-US agreement on cross-border access to electronic evidence for judicial cooperation in criminal matters. The CLOUD Act allows US law enforcement authorities to require the disclosure of data by service providers in the US, regardless of where the data is stored.

The EDPB and EDPS emphasize that a comprehensive EU-US agreement regarding cross-border access to electronic evidence, containing strong procedural and substantial safeguards for fundamental rights, appears the most appropriate instrument to ensure the necessary level of protection for EU data subjects and legal certainty for businesses.

Art.64 GDPR Opinion on Standard Contractual Clauses for processors under Art.28.8 GDPR by DK SA
The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for framing the processing by a processor submitted to the Board by the Danish Supervisory Authority (SA). The opinion, which is the first one on this topic, aims to ensure the consistent application of Art 28 GDPR, relating to processors. In it, the Board made several recommendations that need to be taken into account in order for the draft SCCs of the Danish SA to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Danish SA will be able to use this draft agreement as Standard Contractual Clauses pursuant to article 28.8 GDPR.

Art. 64 GDPR Opinion on Accreditation Criteria for monitoring bodies of Codes of Conduct by AT SA
Following submission by the Austrian SA of its draft decision on the Accreditation Criteria for Codes of Conduct monitoring bodies, the Board adopted its opinion. The Board agreed that all codes covering non-public authorities and bodies are required to have accredited monitoring bodies in accordance with the GDPR.

Art. 64 GDPR Opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment
The Board adopted an opinion on the competence of a supervisory authority when the circumstances relating to the main or single establishment change. This can occur when the main establishment is relocated within the EEA, a main establishment is moved to the EEA from a third country, or when there no longer is a main or single establishment in the EEA. In such circumstances, the Board is of the opinion that the competence of the lead supervisory authority (LSA) can switch to another SA. In this case, the cooperation procedure set forth under Art. 60 will continue to apply and the new LSA will be obligated to cooperate with the former LSA and with the other concerned SAs in an endeavour to reach consensus. The switch can take place as long as no final decision has been reached by the competent supervisory authority.

EDPB-EDPS Joint Opinion on the eHDSI
The Board adopted a joint EDPB-EDPS opinion on the personal data protection aspects of the processing of patients’ data in the eHealth Digital Service Infrastructure (eHDSI). It is the first joint opinion by the EDPB and the EDPS adopted in response to a request from the European Commission under Article 42(2) of Regulation 2018/1725 on data protection for EU institutions and bodies. In their opinion, the EDPB and EDPS consider that, in this specific situation, and for the concrete processing of patients’ data within the eHDSI, there is no reason to dissent from the European Commission’s assessment of its role as a processor within the eHDSI. Furthermore, the joint opinion stresses the need to ensure that all the processor duties of the Commission, in this processing operation, as specified in the applicable data protection legislation, are clearly set out in the relevant Implementing Act.  

DPIA List Cyprus
The EDPB adopted an opinion on the Data Protection Impact Assessment (DPIA) list submitted to the Board by Cyprus. DPIA lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals.

Art. 64 GDPR Opinion on Art 35.5 lists FR, ES & CZ (DPIA exemption)
The EDPB adopted its opinion on the Art. 35.5 lists submitted to the Board by the French, Spanish and Czech SAs.

Recommendation on EDPS list pursuant to Art. 39.4 Regulation 2018/1725 (DPIA list)
The Board has adopted a recommendation on the Art. 39.4 list submitted to the Board by the EDPS. The EDPS has to consult the EDPB prior to adoption of these lists insofar as these “refer to processing operations by a controller acting jointly with one or more controllers other than Union institutions and bodies” (Article 39(6) of Regulation (EU) 2018/1725). Similar to GDPR DPIA lists, the EDPS list informs controllers about processing activities which require a DPIA.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Belgian DPA reprimands Federal Public Service Health

This Tuesday, the Belgian Data Protection Authority decided to reprimand the FPS Public Health for not responding to the exercise of a citizen's right of access.

Today, Tuesday 9 July 2019, the Data Protection Authority decided to issue a reprimand against the Federal Public Service (FPS) Public Health. This sanction concerns a case in which the FPS Public Health did not respond to a citizen’s request to exercise his right of access, despite an order from the Authority. According to the Authority, respect for citizens’ right to the protection of personal data is a cornerstone of the GDPR, and controllers must do everything possible to guarantee it.

The case: failure to respect the right of access

The case concerns a healthcare professional whose appointment as a substitute member of the Provincial Medical Commission of Limburg (PGC Limburg) was withdrawn by a decision correcting his previous appointment. The complainant then decided to exercise his right of access to his personal data in order to learn the reason why his position had been withdrawn. Having received no reply from the FPS Public Health, he lodged a first complaint with the Authority at the end of 2018.

In October 2018, the Litigation Chamber of the Authority ordered the FPS Public Health to reply to the complainant’s request, but the FPS did not respond to the request. The complainant then lodged a complaint for the second time in 2019.

At a hearing, the FPS Public Health acknowledged the facts and stressed that there are problems with its internal procedures.

After hearing both parties, the Litigation Chamber of the Authority concluded that the FPS Public Health had been negligent and decided to issue a reprimand against the FPS concerned, and to publish the decision of the Litigation Chamber including the names of the parties (with the formal consent of the complainant). The Chamber also considers it important that the FPS Public Health introduce internal procedures in the short term so that it can effectively manage its obligations under the GDPR (General Data Protection Regulation).

Hielke Hijmans, President of the Litigation Chamber, explains: "The procedure brought to light the fact that the FPS Public Health had not introduced any internal procedures to meet the requirements of the GDPR, even though the Regulation was published in May 2016 and has applied since May 2018. The FPS Public Health thereby also failed to comply with the accountability principle of the controller as laid down in the GDPR."

Citizens’ rights and the introduction of internal procedures

Under the GDPR, citizens have a number of rights to protect their data, such as the right of access to their data, the right to have their data rectified, or the right to have them erased or to object to their processing.

Citizens can exercise their rights with the controller of their personal data. The controller must respond to the data subject’s request within one month.

To enable citizens to exercise their data protection rights effectively, it is therefore necessary that organisations processing personal data provide for internal measures that allow them to respond to requests within the period laid down by law, for example by designating a clear contact person for citizens and introducing a response procedure.

"It is very important to us to remind organisations that they must do everything possible to comply with the GDPR," concludes Hielke Hijmans, President of the Litigation Chamber of the Authority.

David Stevens, President of the Data Protection Authority: "We are pleased that more and more citizens are turning to us to assert their rights."

Citizens wishing to submit a mediation request or a complaint can find the procedure here.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

ICO statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach

Statement in response to Marriott International, Inc’s filing with the US Securities and Exchange Commission that the Information Commissioner's Office (ICO) intends to fine it for breaches of data protection law.

Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

For press questions, please visit the media section on the ICO website

Notes to Editors

1.    The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2.    The ICO has specific responsibilities set out in the Data Protection Act 2018, the European Union’s General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3.    The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a civil monetary penalty on a data controller of up to £17 million (20m Euro) or 4% of global turnover.
4.    The GDPR applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by GDPR, such as law enforcement and security. The government intends to incorporate the GDPR into our data protection law when the UK leaves the EU.
5.    Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
      - processed lawfully, fairly and in a transparent manner in relation to individuals;
      - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
      - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
      - accurate and, where necessary, kept up to date;
      - kept in a form which permits identification of data subjects for no longer than is necessary; and
      - processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
      Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
6.    Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
7.    Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by ICO.
8.    To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

ICO statement: Intention to fine British Airways £183.39m under GDPR for data breach

Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log-in, payment card and travel booking details, as well as name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

Third fine by the Romanian Supervisory Authority

On the 5th of July 2019, the National Supervisory Authority finalised an investigation into controller LEGAL COMPANY & TAX HUB SRL and found that the controller infringed the provisions of Article 32 (1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The data controller, LEGAL COMPANY & TAX HUB SRL, was sanctioned with a fine of 14,173.50 lei, the equivalent of 3,000 Euros.
The sanction was issued to the data controller because it had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing.

This led to unauthorised disclosure of, and unauthorised access to, the personal data of persons who had made transactions through the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), which were contained in publicly accessible documents between 10 December 2018 and 1 February 2019.

The National Supervisory Authority imposed the sanction following a complaint received on the 10th of December 2018 indicating that a set of files on the details of the transactions received by the avocatoo.ro website, which contained the name, surname, mailing address, email, telephone, job and details of transactions made, was publicly accessible through two links.

We underline that pursuant to Article 5.1 (f) GDPR, the data controller had the obligation to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Also, the General Data Protection Regulation provides under Article 32 that: “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

First fine by the Romanian Supervisory Authority

The National Supervisory Authority finalised an investigation into the controller UNICREDIT BANK S.A. and found that it breached the provisions of Article 25 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 
The controller was sanctioned with a fine of the amount of 613,912 lei, the equivalent of 130,000 euros.
 
The sanction was applied to UNICREDIT BANK S.A. as a result of the failure to implement appropriate technical and organisational measures, both within the determination of the processing means and processing operations themselves, designed to effectively implement data protection principles, such as data minimisation, and to integrate the necessary safeguards in the processing, in order to meet the GDPR requirements and to protect the rights of the data subjects. This led to the disclosure of data concerning the personal identification number and the payer’s address (for situations where the payer performs the transaction from an account opened with another credit institution – external transactions and cash deposits) and data concerning the payer’s address (for situations where the payer made the transaction from an account opened with UNICREDIT BANK SA – internal transactions) in the documents containing the details of transactions and made available online to payment customers, for a number of 337,042 data subjects, during the period of the 25th of May 2018 – the 10th of December 2018.
 
The sanction was imposed following a complaint addressed to the National Supervisory Authority on the 22nd of November 2018 indicating that the data concerning the personal identification number and the address of the persons performing payments to UNICREDIT BANK S.A., via online transactions, were disclosed to the beneficiary of the transaction through the account statement/details.
 
Pursuant to Article 5 (1) c) of GDPR (“Principles relating to processing of personal data”), the controller had the obligation to process the data limited to what is necessary in relation to the purposes for which they are processed.
 
At the same time, Recital (78) of the Regulation states: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

Second fine by the Romanian Supervisory Authority

On the 2nd of July 2019, the National Supervisory Authority finalised an investigation into controller WORLD TRADE CENTER BUCHAREST S.A. and found that the controller infringed the provisions of Article 32 (4) in relation to Article 32 (1) and (2) of the General Data Protection Regulation in respect of the security of processing.

The data controller, WORLD TRADE CENTER BUCHAREST S.A., was sanctioned with a fine of 71,028 lei, the equivalent of 15,000 Euros.
The personal data breach consisted in the fact that a printed paper list, used to check off the customers attending breakfast and containing personal data of 46 clients accommodated at the hotel belonging to WORLD TRADE CENTER BUCHAREST S.A., was photographed by unauthorised persons outside the company, which led to the disclosure of the personal data of some clients through publication.

The data controller, WORLD TRADE CENTER BUCHAREST S.A., has been sanctioned because it has not taken measures in order to ensure that its employees who have access to personal data process data only at its request, according to the law.

Also, the data controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing, in particular of unauthorised disclosure of or unauthorised access to personal data. This led to unauthorised access to the personal data of 46 clients of WORLD TRADE CENTER BUCHAREST SA and unauthorised disclosure of these data in the online environment, which in turn led to a violation of the right to privacy and the right to the protection of personal data, guaranteed by Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.

The National Supervisory Authority performed the investigation following the notification of a personal data breach received from WORLD TRADE CENTER BUCHAREST S.A., by filling out the form concerning the personal data breach provided by Article 33 of GDPR.

The General Regulation on Data Protection establishes, by art. 24, the principle of responsibility of data controller, according to which: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

Moreover, Recital (75) of GDPR states that:
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

Danish DPA set to fine furniture company

The Danish Data Protection Agency has reported IDDesign A/S and proposed a fine of DKK 1.5 million for failure to delete data about 385,000 customers.
 
In the autumn of 2018, the Danish Data Protection Agency carried out a supervisory visit to Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.
 
Prior to the inspection, IDDesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other shops. In the old system information was gathered about the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385,000 customers. During the inspection, IDDesign also stated that personal data in the old system had never been deleted.
 
The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
 
IDDesign did not indicate when personal data in the old system are no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system.
 
The Data Protection Agency therefore considers that IDDesign has not complied with the requirements of the data protection regulation by having processed the personal data for a longer time than necessary.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

Italian SA: Users must receive specific, helpful information in case of a data breach

The information provided should enable users to understand what risks they may run and how they can protect their personal data.

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach. In that notification the company had declared that technical inquiries had spotted, on the 20th February, fraudulent accesses via a WiFi hotspot which had affected about one million and a half email credentials belonging to users that had accessed the service via webmail.

In an attempt to limit the consequences of the data breach, the company had ‘obliged’ users to reset their passwords and made available a webpage containing information on the data breach prior to emailing a communication to all the affected users. That communication was emailed afterwards; however, it proved to fall short of the requirements under DP legislation, based on the findings of the Garante’s inspection. Indeed, two different communications had been emailed by the company depending on whether the given user had changed his or her password or not in the 48 hours following publication of the information on the data breach.
In both cases the communication referred to ‘unusual activities on our IT systems’ and the users that had changed their passwords were not advised to take any additional measures as it was stated that the changed password had made the old credentials useless. Conversely, those users that had failed to change their passwords were only advised to do so in order to ‘do away with the risk of unauthorised access to your email account’. Such information was considered to be insufficient by the Garante in the light of the severe risks users had been exposed to.

Accordingly, the Garante ordered the company to reiterate the communication of the data breach to the affected users, by describing the type of breach and its possible consequences and providing users with specific guidance on what measures to take in order to prevent additional risks – such as not using the affected credentials and changing the passwords to access any other online service if those passwords are identical with or similar to the breached ones.

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it