European Data Protection Board

Twelfth Plenary Session: adopted documents

Twelfth Plenary session: Guidelines on Video Surveillance, Implications of the US CLOUD Act, Opinion on SCCs for processors under Art.28.8 by DK, Opinion on Accreditation Criteria for monitoring bodies of Codes of Conduct by AT, Opinion on the competence

Brussels, 11 July - On July 9th and 10th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their twelfth plenary session. During the plenary a wide range of topics were discussed.
 
Guidelines on Video Surveillance
The Board adopted Guidelines on Video Surveillance, which clarify how the GDPR applies to the processing of personal data when using video devices and aim to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. For the latter, the guidelines focus on the rules regarding processing of special categories of data. In addition, the guidelines cover, among others, the lawfulness of processing, the applicability of the household exemption and the disclosure of footage to third parties. The guidelines will be subject to public consultation.

EDPB-EDPS joint reply to the LIBE Committee on the implications of the US CLOUD Act
The EDPB adopted a joint EDPB-EDPS reply to the European Parliament Committee on Civil Liberties, Justice and Home Affairs’ (LIBE) request for a legal assessment regarding the impact of the US CLOUD Act on the EU legal data protection framework and the mandate for negotiating an EU-US agreement on cross-border access to electronic evidence for judicial cooperation in criminal matters. The CLOUD Act allows US law enforcement authorities to require the disclosure of data by service providers in the US, regardless of where the data is stored.

The EDPB and EDPS emphasize that a comprehensive EU-US agreement regarding cross-border access to electronic evidence, containing strong procedural and substantial safeguards for fundamental rights, appears the most appropriate instrument to ensure the necessary level of protection for EU data subjects and legal certainty for businesses.

Art.64 GDPR Opinion on Standard Contractual Clauses for processors under Art.28.8 GDPR by DK SA
The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for framing the processing by a processor submitted to the Board by the Danish Supervisory Authority (SA). The opinion, which is the first one on this topic, aims to ensure the consistent application of Art 28 GDPR, relating to processors. In it, the Board made several recommendations that need to be taken into account in order for the draft SCCs of the Danish SA to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Danish SA will be able to use this draft agreement as Standard Contractual Clauses pursuant to article 28.8 GDPR.

Art. 64 GDPR Opinion on Accreditation Criteria for monitoring bodies of Codes of Conduct by AT SA
Following submission by the Austrian SA of its draft decision on the Accreditation Criteria for Codes of Conduct monitoring bodies, the Board adopted its opinion. The Board agreed that all codes covering non-public authorities and bodies are required to have accredited monitoring bodies in accordance with the GDPR.

Art. 64 GDPR Opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment
The Board adopted an opinion on the competence of a supervisory authority when the circumstances relating to the main or single establishment change. This can occur when the main establishment is relocated within the EEA, a main establishment is moved to the EEA from a third country, or when there no longer is a main or single establishment in the EEA. In such circumstances, the Board is of the opinion that the competence of the lead supervisory authority (LSA) can switch to another SA. In this case, the cooperation procedure set forth under Art. 60 will continue to apply and the new LSA will be obligated to cooperate with the former LSA and with the other concerned SAs in an endeavour to reach consensus. The switch can take place as long as no final decision has been reached by the competent supervisory authority.

EDPB-EDPS Joint Opinion on the eHDSI
The Board adopted a joint EDPB-EDPS opinion on the personal data protection aspects of the processing of patients’ data in the eHealth Digital Service Infrastructure (eHDSI). It is the first joint opinion by the EDPB and the EDPS adopted in response to a request from the European Commission under Article 42(2) of Regulation 2018/1725 on data protection for EU institutions and bodies. In their opinion, the EDPB and EDPS consider that, in this specific situation, and for the concrete processing of patients’ data within the eHDSI, there is no reason to dissent from the European Commission’s assessment of its role as a processor within the eHDSI. Furthermore, the joint opinion stresses the need to ensure that all the processor duties of the Commission, in this processing operation, as specified in the applicable data protection legislation, are clearly set out in the relevant Implementing Act.  

DPIA List Cyprus
The EDPB adopted an opinion on the Data Protection Impact Assessment (DPIA) list submitted to the Board by Cyprus. DPIA lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals.

Art. 64 GDPR Opinion on Art 35.5 lists FR, ES & CZ (DPIA exemption)
The EDPB adopted its opinion on the Art. 35.5 lists submitted to the Board by the French, Spanish and Czech SAs.

Recommendation on EDPS list pursuant to Art. 39.4 Regulation 2018/1725 (DPIA list)
The Board has adopted a recommendation on the Art. 39.4 list submitted to the Board by the EDPS. The EDPS has to consult the EDPB prior to adoption of these lists insofar as these “refer to processing operations by a controller acting jointly with one or more controllers other than Union institutions and bodies” (Article 39(6) of Regulation (EU) 2018/1725). Similar to GDPR DPIA lists, the EDPS list informs controllers about processing activities which require a DPIA.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Belgian DPA reprimands Federal Public Service Health

This Tuesday, the Belgian Data Protection Authority decided to reprimand the FPS Public Health for not responding to the exercise of a citizen's right of access.

Today, Tuesday 9 July 2019, the Data Protection Authority decided to issue a reprimand to the Federal Public Service (FPS) Public Health. This sanction concerns a case in which the FPS Public Health did not respond to a citizen's request to exercise his right of access, despite an order from the Authority. According to the Authority, respect for citizens' right to the protection of personal data is a cornerstone of the GDPR, and controllers must do everything in their power to guarantee it.

The case: failure to comply with the right of access

The case concerns a healthcare professional whose appointment as a substitute member of the PGC Limburg (Provincial Medical Commission of Limburg) was withdrawn by a decision correcting his previous appointment. The complainant then decided to exercise his right of access to his personal data in order to learn the reason why his position had been withdrawn. Having received no answer from the FPS Public Health, he lodged a first complaint with the Authority at the end of 2018.

In October 2018, the Litigation Chamber of the Authority ordered the FPS Public Health to respond to the complainant's request, but the FPS did not respond to the request. The complainant then lodged a complaint for the second time in 2019.

During a hearing, the FPS Public Health acknowledged the facts and stressed that there are problems with its internal procedures.

After hearing both parties, the Litigation Chamber of the Authority concluded that the FPS Public Health had been negligent and decided to issue a reprimand against the FPS in question, and also to publish the Litigation Chamber's decision including the names of the parties (with the formal consent of the complainant). The Chamber also considers it important that the FPS Public Health introduce internal procedures in the short term so that it can effectively manage its obligations under the GDPR (General Data Protection Regulation).

Hielke Hijmans, President of the Litigation Chamber, explains: “The procedure brought to light the fact that the FPS Public Health had not put in place any internal procedures to comply with the requirements of the GDPR, even though the Regulation was published in May 2016 and has been in force since May 2018. In doing so, the FPS Public Health also failed to observe the accountability principle of the controller as referred to in the GDPR.”

Citizens' rights and the introduction of internal procedures

Under the GDPR, citizens have a number of rights to protect their data, such as the right of access to their data, the right to have their data rectified, or the right to have it erased or to object to its processing.

Citizens can exercise their rights with the controller of their personal data. The controller must respond to the data subject's request within one month.

To enable citizens to exercise their data protection rights effectively, it is therefore necessary that organisations processing personal data provide for internal measures that allow them to respond to requests within the period laid down by law, for example by designating a clear contact person for citizens and introducing a response procedure.

“It is very important to us to remind organisations that they must do everything they can to comply with the GDPR,” concludes Hielke Hijmans, President of the Litigation Chamber of the Authority.

David Stevens, President of the Data Protection Authority: “We are pleased that more and more citizens are coming to us to assert their rights.”

Citizens who wish to submit a request for mediation or a complaint can find the procedure here.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

ICO statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach

Statement in response to Marriott International, Inc’s filing with the US Securities and Exchange Commission that the Information Commissioner's Office (ICO) intends to fine it for breaches of data protection law.

Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

For press questions, please visit the media section on the ICO website

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the European Union’s General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a civil monetary penalty on a data controller of up to £17 million (EUR 20 million) or 4% of global turnover.
4. The GDPR applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by GDPR, such as law enforcement and security. The government intends to incorporate the GDPR into our data protection law when the UK leaves the EU.
5. Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
   - processed lawfully, fairly and in a transparent manner in relation to individuals;
   - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
   - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
   - accurate and, where necessary, kept up to date;
   - kept in a form which permits identification of data subjects for no longer than is necessary; and
   - processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
   Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
7. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
8. To report a concern to the ICO, telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

ICO statement: Intention to fine British Airways £183.39m under GDPR for data breach

Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.

ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

First fine by the Romanian Supervisory Authority

The National Supervisory Authority finalised an investigation into the controller UNICREDIT BANK S.A. and found that it breached the provisions of Article 25 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 
The controller was sanctioned with a fine of the amount of 613,912 lei, the equivalent of 130,000 euros.
 
The sanction was applied to UNICREDIT BANK S.A. as a result of its failure to implement appropriate technical and organisational measures, both when determining the means of processing and during the processing operations themselves, designed to implement data protection principles such as data minimisation effectively and to integrate the necessary safeguards into the processing, in order to meet the GDPR requirements and to protect the rights of the data subjects. This led to the disclosure, in the transaction detail documents made available online to payment customers, of the personal identification number and the payer’s address (where the payer performed the transaction from an account opened with another credit institution: external transactions and cash deposits) and of the payer’s address (where the payer made the transaction from an account opened with UNICREDIT BANK SA: internal transactions), affecting 337,042 data subjects during the period from 25 May 2018 to 10 December 2018.
 
The sanction was imposed following a notification submitted to the National Supervisory Authority on 22 November 2018 indicating that the personal identification number and the address of persons making payments to UNICREDIT BANK S.A. via online transactions were disclosed to the beneficiary of the transaction through the account statement/transaction details.
 
Pursuant to Article 5 (1) c) of GDPR (“Principles relating to processing of personal data”), the controller had the obligation to process the data limited to what is necessary in relation to the purposes for which they are processed.
 
At the same time, Recital (78) of the Regulation states: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

Danish DPA set to fine furniture company

The Danish Data Protection Agency has reported IDDesign A/S and proposed a fine of DKK 1.5 million for failure to delete data about 385,000 customers.
 
In the autumn of 2018, the Danish Data Protection Agency carried out a supervisory visit to Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.
 
Prior to the inspection, IDdesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other shops. In the old system, information was gathered about the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385,000 customers. During the inspection, IDdesign also stated that personal data in the old system had never been deleted.
 
The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
 
IDdesign did not indicate when personal data in the old system are no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system.
 
The Data Protection Agency therefore considers that IDdesign has not complied with the requirements of the data protection regulation, having processed the personal data for a longer time than necessary.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

Italian SA: Users must receive specific, helpful information in case of a data breach

The information provided should enable users to understand what risks they may run and how they can protect their personal data.

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers, following the proceeding initiated after the company had notified the Garante of a data breach. In that notification the company had declared that technical inquiries had spotted, on 20 February, fraudulent accesses via a WiFi hotspot which had affected about one and a half million email credentials belonging to users that had accessed the service via webmail.

In an attempt to limit the consequences of the data breach, the company had ‘obliged’ users to reset their passwords and made available a webpage containing information on the data breach prior to emailing a communication to all the affected users. That communication was emailed afterwards; however, based on the findings of the Garante’s inspection, it proved to fall short of the requirements under DP legislation. Indeed, two different communications had been emailed by the company depending on whether the given user had changed his or her password or not in the 48 hours following publication of the information on the data breach.

In both cases the communication referred to ‘unusual activities on our IT systems’, and the users that had changed their passwords were not advised to take any additional measures, as it was stated that the changed password had made the old credentials useless. Conversely, those users that had failed to change their passwords were only advised to do so in order to ‘do away with the risk of unauthorised access to your email account’. Such information was considered to be insufficient by the Garante in the light of the severe risks users had been exposed to.

Accordingly, the Garante ordered the company to reiterate the communication of the data breach to the affected users, by describing the type of breach and its possible consequences and providing users with specific guidance on what measures to take in order to prevent additional risks – such as not using the affected credentials and changing the passwords to access any other online service if those passwords are identical with or similar to the breached ones.  

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it 

European Data Protection Board - Eleventh Plenary session: Guidelines on Codes of Conduct, annex to the Guidelines on Accreditation, annex to the Guidelines on Certification

Brussels, 5 June - On June 4th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their eleventh plenary session. During the plenary a wide range of topics were discussed.

Guidelines on Codes of Conduct
The EDPB adopted a final version of the Guidelines on Codes of Conduct. Following public consultation, points of clarification were included in the text. The aim of these guidelines is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 GDPR. The guidelines intend to help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both the national and the European level. These guidelines should further act as a clear framework for all competent supervisory authorities, the Board and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process.

Annex to the Guidelines on Accreditation

The EDPB adopted a final version of the annex to the Guidelines on Accreditation, following public consultation. The text has been reviewed to enhance clarity. The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 GDPR. In particular, they aim to help Member States, supervisory authorities and national accreditation bodies establish a consistent and harmonised baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR. The annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by the supervisory authorities. These additional requirements, before being adopted by supervisory authorities, are to be submitted to the European Data Protection Board for approval pursuant to Article 64(1)(c).*

Annex to the Guidelines on Certification

The EDPB adopted a final version of annex 2 to the Guidelines on Certification. Following public consultation, some aspects were added to certain sections, for example, whether the criteria address the obligation of the controller/processor to appoint a DPO and the obligation to keep records of the processing activities. The primary aim of these guidelines is to identify overarching criteria which may be relevant to all types of certification mechanisms issued in accordance with art. 42 and art. 43 GDPR. The annex identifies topics that data protection supervisory authorities and the EDPB will consider and apply for the approval of certification criteria for a certification mechanism. The list is not exhaustive, but presents the minimum topics to be considered.*

Note to editors:

* As a next step, before specific cases regarding certification and accreditation can be discussed at the EDPB level, the EDPB is preparing a procedure to facilitate consistent and timely opinions on SA draft decisions and to approve European Data Protection Seals.

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

First Belgian GDPR fine

On Tuesday 28 May 2019, the Belgian DPA imposed its first financial penalty since the entry into application of the GDPR. The administrative fine amounts to EUR 2 000 and concerns the misuse of personal data for election purposes. Although the fine is modest, the message is not: Data protection is an important matter to us all, but data controllers must assume their responsibility, especially if they have a government mandate.

The Data Protection Authority issues a sanction in the context of an election campaign

This Tuesday 28 May 2019, the Data Protection Authority (DPA) issued its first financial sanction since the entry into force of the GDPR. The administrative fine imposed amounts to 2,000 euros and concerns the misuse of personal data by a mayor for election campaign purposes. Although the fine is moderate, its message is important: data protection is everyone's business, and controllers must take their responsibilities, especially when they hold a public mandate.

The case: personalised election email sent by a public office holder

The DPA received a complaint concerning a mayor's use, for election campaign purposes, of data obtained in the performance of his duties.

The complainants had come into contact with the mayor of the municipality via their architect in connection with a modification of a land subdivision. On that occasion, the architect had contacted the mayor by email with the complainants' email addresses in copy. On the eve of the municipal elections of 14 October 2018, the mayor had then used the email's “Reply” function to send an election message to the complainants.

Les deux parties ont été entendues par la Chambre Contentieuse de l’APD ce 28 Mai 2019. Suite à cette audition, la chambre a conclu qu’une infraction au RGPD avait bien été commise. 

Non-respect du principe de finalité en protection des données

Le Règlement général sur la protection des données (RGPD) précise que les données collectées par un responsable de traitement (dans ce cas-ci : les adresses emails obtenues par le bourgmestre) doivent être collectées pour des finalités déterminées et ne peuvent être traitées ultérieurement de manière incompatible avec les finalités en question. La réutilisation de données obtenues dans le cadre d’un projet urbanistique à des fins de campagne électorale contrevient donc à ce principe de finalité et constitue une infraction au RGPD.

La Chambre Contentieuse de l’APD considère que le respect du principe de finalité est une des règles cruciales du RGPD et que les détenteurs d’un mandat public (comme les bourgmestres) à qui les citoyens ont confié des données personnelles doivent être particulièrement vigilants. Il faut qu’ils prennent conscience que les données acquises dans le cadre de la fonction publique ne peuvent jamais être réutilisées à des fins personnelles.  

Prenant cependant en considération le nombre limité des personnes touchées, ainsi que la nature, la gravité et la durée de l’infraction, la Chambre contentieuse a prononcé une réprimande ainsi qu’une sanction financière sous la forme d’une amende modérée de 2000 euros.

« L’utilisation de données personnelles par des personnalités politiques à des fins de campagne électorale est une question qui préoccupe beaucoup les citoyens. Il est important de rappeler que les mandataires publics doivent respecter la législation », explique Hielke Hijmans, Président de la Chambre Contentieuse de l’APD.

Le RGPD : un règlement applicable à tous

La décision de la Chambre Contentieuse constitue la première sanction financière prononcée par l’Autorité de protection des données belge et tombe un mois seulement après l’entrée en fonction de son nouveau comité de direction. Si l’amende est modérée, son message est important : la protection des données est l’affaire de tous.

Hielke Hijmans précise:  « Le respect du RGPD vaut pour tous les responsables du traitement, et très certainement pour les détenteurs d’un mandat public. On s’attend à ce qu’un bourgmestre ait connaissance de la réglementation et respecte ses obligations

David Stevens, Président de l’APD commente : « La protection des données personnelles est à la fois un état d’esprit et une pratique : le responsable du traitement doit toujours poser un regard critique sur l’utilisation qu’il souhaite faire des données à sa disposition. »

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

EDPB Video

1 year ago, the GDPR entered into application, but what has changed for you? Where can you go to address your data protection concerns? And what is the EDPB's role in all this?

The video below provides an answer to these questions in a nutshell:

1 year GDPR – taking stock

Brussels, 22 May - Just a few days short of the GDPR’s first anniversary, the European Data Protection Board surveyed the Supervisory Authorities (SAs) of the EEA and takes stock of the Board’s achievements.

From the very first day of application, the first cross-border cases were logged in the EDPB's IMI case register, leading to a current total of 446 cross-border cases. 205 of these have led to One-Stop-Shop (OSS) procedures. So far, there have been 19 final OSS outcomes.


[Chart: Evolution of One-Stop Shop Procedures, May 2018-April 2019 (number of procedures per month): Jun 2018: 1; Jul 2018: 1; Aug 2018: 2; Sep 2018: 5; Oct 2018: 7; Nov 2018: 11; Dec 2018: 9; Jan 2019: 15; Feb 2019: 22; Mar 2019: 41; Apr 2019: 51; May 2019 (to 20 May): 40]

Number of procedures initiated by SAs from 21 EEA countries
Germany: Number of procedures initiated by SAs from 7 Regional SAs


At a national level, most Supervisory Authorities (SAs) report an increase in queries and complaints received compared to 2017. Over 144.000 queries and complaints* and over 89.000 data breaches have been logged by the EEA Supervisory Authorities. 63% of these have been closed and 37% are ongoing.

Based on information provided by SAs from 27 EEA countries
Germany: Based on information provided by The Federal and 17 Regional SAs

[Chart: National Cases, number of cases per status: Closed 62.9%; Ongoing 37.0%; Appealed 0.1%]

Based on information provided by SAs from 27 EEA countries (Case status information provided for 164633 cases)
Germany: Based on information provided by The Federal and 11 Regional SAs


The increase in queries and complaints confirms the perceived rise in awareness about data protection rights among individuals, as shown in the Eurobarometer of March 2019. 67% of EU citizens polled indicated that they have heard of the GDPR, 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of EU citizens polled indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. This result shows an increase of 20 percentage points compared to 2015 Eurobarometer results**.

The EEA SAs have reported that, while the cooperation procedures are robust and work efficiently, they are time- and resource-intensive: SAs need to carry out investigations, observe procedural rules, and coordinate and share information with other supervisory authorities.

Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments:

It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace. Earlier this year, the EDPB adopted its work programme for 2019 and 2020. We will also see several cross-border cases carried out by SAs leading to a final outcome in the coming months. Last but not least, we want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I am certain that we, as European data protection authorities, will find more and more synergies, which will increase our effectiveness.


*At the time of the survey, the notion of complaint had not yet been analysed by the EDPB. Up to then, the interpretation of the notion was done by the national supervisory authorities, which may have an impact on the statistics.

**Source: European Commission.

First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania

The State Data Protection Inspectorate has imposed an administrative fine of EUR 61,500 for breaches of the General Data Protection Regulation. The sanction was imposed on MisterTango UAB for breaches of Articles 5, 32 and 33 of the Regulation, namely a personal data breach in its payment initiation service system which, among other things, was also not reported to the supervisory authority. In the Inspectorate's view, the start of fining under the General Data Protection Regulation should send a clear signal to other companies that comply with the above legal acts only on paper.

The State Data Protection Inspectorate (Inspectorate) carried out an investigation and imposed the fine on the basis of information it had received about bank customers' personal data that had been made public and a possible personal data breach at MisterTango UAB. The company operates internationally and provides payment services to residents and companies of Lithuania as well as to foreign residents and companies. It has established a branch in Latvia and has provided services in other countries. The Lithuanian supervisory authority, which coordinated its decision with the Latvian personal data protection supervisory authority in accordance with the provisions of the General Data Protection Regulation (GDPR), was thus able to have its colleagues confirm that its conclusions were correct. This case also shows that companies should pay more attention to the management of data breaches and to cooperation with the supervisory authority during investigations.

Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it improperly processed personal data in screenshots (SS), made personal data publicly available and failed to report the personal data breach to the personal data protection supervisory authority.

Regarding improper processing of personal data. In the light of the information collected during the investigation and the clarifications provided, it was determined that MisterTango UAB processes (accesses, collects) more personal data than it itself indicates as necessary for effecting a payment initiated by the payer. The Inspectorate considers that, in order to implement the data minimisation principle, only the data necessary for effecting the payment should be collected: the name, surname and, if the payer so wishes, his/her identification code, bank account number, currency and balance, and the purpose of the payment/payment code. However, in addition to these data, the company also collected data that must be considered superfluous: the dates, senders and amounts of unreviewed electronic invoices; the dates and subjects of unread notifications and part of the notification text; the purposes, types and amounts of loans; the names of pension funds, the accumulated units, their value and the accumulated amounts; the types of credit (e.g. mortgage credit), outstanding balances, the amounts and dates of other payments, and the numbers of issued payment cards and the amounts on those cards. Furthermore, it was determined that the company stores such data for longer than it had itself established and indicated as necessary: the data provided during the investigation suggests that the data was stored for 216 days instead of 10 minutes. Under the accountability principle in Article 5 of the GDPR, the company is responsible for, and must be able to demonstrate, compliance; nevertheless, the company failed to provide sufficient evidence to the supervisory authority during the investigation.

Regarding the public disclosure of personal data. During the investigation it was determined that a web page listing the payments processed by MisterTango UAB was publicly visible for more than 2 days (9-10 July 2018). The payments made by customers of various banks through MisterTango UAB's payment initiation service system, together with those customers' personal data, were thereby made public. In addition, more than 9,000 SSs of the payment session detail pages of customers of 12 different banks in different countries were made publicly available. Furthermore, it was determined that the management, installation and maintenance of MisterTango UAB's IT infrastructure (hardware and software) were carried out by a single employee, who thus combined functions that should have been kept separate. Consequently, neither proper minimisation of possible unauthorised or unintentional modifications nor the implementation of a proper personal data protection policy was ensured. MisterTango UAB therefore failed to choose appropriate technical or organisational measures to ensure a level of security appropriate to the risk, including protection against unlawful processing and disclosure, thereby breaching Articles 5 and 32 of the GDPR.

Regarding the failure to notify the personal data breach. Under the GDPR, an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed is a personal data breach. In the Inspectorate's view, the above incident, in which unauthorised persons had access to personal data on the Internet for 2 days, must be considered a data breach that has to be reported to the supervisory authority. MisterTango UAB was therefore obliged to notify the personal data breach to the Inspectorate without undue delay and, where feasible, not later than 72 hours after having become aware of it. As MisterTango failed to notify the Inspectorate of the breach, it breached Article 33 of the GDPR.

When deciding on the amount of the administrative fine, the Inspectorate took into account all circumstances relevant to the liability of MisterTango UAB, for example that the company processed personal data in a non-transparent manner, to a greater extent and for longer than necessary to achieve the purpose of the processing; that the unlawful processing was carried out systematically; that it failed to ensure the security of the personal data at the time of the personal data breach and failed to report to the supervisory authority a personal data breach that had occurred and that affected personal data allowing data subjects to be directly identified; and, furthermore, that the data was subject to banking secrecy, was processed without encryption and, during the period of the breach, was processed without access control. When imposing the administrative fine of EUR 61,500 on the company, its total annual worldwide turnover was taken into account. The Inspectorate's decision has not yet taken effect and may be appealed to the court.

According to the data available to the Inspectorate, France, Spain, Germany, Poland, Austria, Bulgaria, Cyprus, Malta have already imposed significant fines under the GDPR.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt

European Data Protection Board – tenth plenary session: Election of a new Deputy Chair, reply to MEP In 't Veld, third annual review of the Privacy Shield

Brussels, 15 May – On 14 and 15 May, the European Data Protection Board, made up of the EEA data protection authorities and the European Data Protection Supervisor, held its tenth plenary session. During the plenary session a wide range of topics were discussed.

Election of a new Deputy Chair

The members of the Board elected Aleid Wolfsen, Chair of the Dutch supervisory authority, as the new Deputy Chair. He replaces Willem Debeukelere, whom EDPB Chair Andrea Jelinek thanked for his work. Together with Deputy Chair Ventsislav Karadjov, Aleid Wolfsen will support the EDPB Chair in her work over the coming years.

Dr Jelinek added: "Public interest in data protection is higher than ever. I look forward to working with Aleid and Ventsislav in our contacts with other stakeholders in the data protection field."

Aleid Wolfsen added: "In the coming years it is our responsibility to deliver high-quality guidance and sound advice. As Deputy Chair I will take responsibility for ensuring that we take all views into account and that, in the end, we speak with one voice."

Reply to MEP Sophie In 't Veld regarding connected vehicles

The European Data Protection Board adopted a letter in reply to MEP Sophie In 't Veld's letter of 17 April 2019 concerning the disclosure of drivers' personal data to car manufacturers and third parties without the driver's explicit, specific and informed consent and without a proper legal basis. In its reply, the EDPB points out that the members of the EDPB and their international colleagues adopted a resolution at the 2017 International Data Protection Conference on data protection in automated and connected vehicles, and that the Article 29 Working Party adopted its Opinion 3/2017 on the processing of personal data in the context of Cooperative Intelligent Transport Systems (C-ITS). The issue will also be addressed in accordance with the EDPB work programme 2019–2020.

Third annual review of the Privacy Shield

The European Data Protection Board has appointed representatives for the third annual review of the Privacy Shield. Austria, Bulgaria, France, Germany, Hungary and the European Data Protection Supervisor will represent the Board during the review.

The Data Protection Ombudsman ordered Svea Ekonomi to correct its practices in the processing of personal data

Two cases concerning Svea Ekonomi, a financial credit company, have been processed at the Office of the Data Protection Ombudsman. As a result, the Data Protection Ombudsman has ordered the company to correct its practices in the processing of personal data related to the assessment of creditworthiness, the right to inspect one's own personal data and notification practices.

One of the cases concerning Svea Ekonomi was processed at the Office of the Data Protection Ombudsman as a complaint made by a single data subject. It concerned the personal data used to assess creditworthiness and the data subject's right to inspect data concerning them. In addition, the Office of the Data Protection Ombudsman began to examine the matter of the company's notification practices on its own initiative.


In its decision, the Data Protection Ombudsman stated that the use of a categorical upper age limit in assessing creditworthiness is not acceptable under the definition of credit information set out in the Credit Information Act. The mere age of the credit applicant does not describe their solvency, willingness to pay or ability to deal with their commitments. Based on the account submitted by the company, the credit applicant's financial position has not been taken into consideration at all in the automatic processing of the credit application.


The Data Protection Ombudsman also pointed out that the company's on-line credit decision service should be considered automatic decision-making of the kind referred to in Article 22 of the General Data Protection Regulation, in which the decision is essential in order to conclude or implement an agreement between the company and the credit applicant.


In its decision, the Data Protection Ombudsman ordered Svea Ekonomi to change its processing of personal data related to assessing creditworthiness. The company must also provide the private individual who complained about the matter with information on the logic employed in the automatic decision-making, its role in making the credit decision and its consequences for the credit applicant.


The procedure employed by Svea Ekonomi for assessing creditworthiness was also processed at the National Non-Discrimination and Equality Tribunal, which in its decision 216/2017, dated 21 March 2018, prohibited the company from repeating a procedure that is against the Equality Act and the Non-Discrimination Act.


The Office of the Data Protection Ombudsman has also investigated Svea Ekonomi's notification practices related to the automatic decision-making system used to assess creditworthiness. The Data Protection Ombudsman stated that the current notification practices do not sufficiently specify the logic of data processing so that the credit applicant could understand the grounds for the decision and ordered that such notification practices be changed.


Based on the Data Protection Ombudsman's decision, Svea Ekonomi must notify by 30 April 2019 how it has changed its processing of personal data. According to the Office of the Data Protection Ombudsman, Svea Ekonomi has not applied for the decision to be changed, so the decision is legally enforceable.


Further information:
Data Protection Ombudsman Reijo Aarnio, tel. +358 40 520 7068, reijo.aarnio(at)om.fi

European Data Protection Board – ninth plenary session

European Data Protection Board – ninth plenary session: Guidelines on the processing of personal data in the context of information society services

Brussels, 10 April – On 9 and 10 April, the EEA data protection authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for the Board's ninth plenary session.

During the plenary session, the European Data Protection Board adopted guidelines on the scope and application of Article 6(1)(b)* of the GDPR in the context of information society services. In its guidelines, the Board makes general observations on data protection principles and on the interplay between Article 6(1)(b) and other legal bases. In addition, the guidelines provide guidance on the applicability of Article 6(1)(b) when bundling separate services and on the termination of contracts.

Note to editors:

Please note that all documents adopted during the EDPB plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

* Article 6(1)(b)
"1. Processing shall be lawful only if and to the extent that at least one of the following applies:
...
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."