The Norwegian Data Protection Authority has issued the Norwegian Public Roads Administration a fine of 37,400 EUR (400 000 NOK) for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days. 

The background of the fine is the extensive processing of personal data by using fixed road cameras to monitor contract parties, employees, subvendors and the subvendors’ employees. 

The usage of such photos for documenting breaches of contract several months after the incidents took place, is incompatible with the original purpose, which was to make possible immediate security measures. It is therefore not allowed to use these video recordings to follow up contracts. 

When evaluating whether this usage of the video recordings was compatible with the originally stated purpose, the Norwegian Data Protection Authority has emphasized that the new usage is at considerable disadvantage to the contract parties and its employees, and that it is in conflict with how the contract parties can expect the personal data to be used. 

You can read the origional press release on the Norwegian DPA's website in English here, and in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

During its 37th plenary, the EDPB adopted the following documents:

• Guidelines on the concepts of controller and processor - version for public consultation
• Guidelines on the targeting of social media users - version for public consultation

The President of the Personal Data Protection Office, after  having found a personal data breach by the Warsaw University of Life Sciences (SGGW), imposed a fine on this entity in the amount of PLN 50 000.

Let us remind you that in November 2019 the President of the UODO received a notification of breach of personal data of candidates for studies at SGGW. The notification was related to the theft of a portable private computer of the university employee, who used this device also for business purposes, including the processing of personal data of candidates for studies at SGGW for the purposes of recruitment activities. After an inspection carried out at the university in connection with a data breach, the President of the UODO instituted ex officio administrative proceedings.

On the basis of the evidence collected during the proceedings, the President of the UODO imposed an administrative fine on the university. In deciding on the amount of the fine, the supervisory authority took into account that the personal data breach concerned candidates for studies at SGGW for the last five years, covered a wide range of data and that the number of persons affected could be up to 100 (upper limit). It was also important for establishing the amount of the fine that the controller had no knowledge of the processing of personal data on the employee’s private computer, nor did it control the processing of data by failing to verify on which media the personal data of candidates for studies collected from the IT system were processed and by failing to record this operation in the IT system. The above circumstances indicate a breach of the principle of confidentiality and accountability specified in the GDPR.

It is worth noting that the personal data of candidates for studies from five years of recruitment were processed, which was non-compliant with the prescribed period of storage of personal data of candidates for studies, which was specified in SGGW as three months after completion of the recruitment process. This constitutes a breach of the principle of storage limitation provided for in the GDPR.

Moreover, in the course of the conducted proceedings it was established that the university had not implemented appropriate organisational and technical measures to ensure the security of the processing of personal data of candidates for studies.

It is the controller’s obligation to implement appropriate technical and organisational measures to ensure the security of the data processed. They should be reviewed and updated on an ongoing basis to existing legislation and changing technology. It should be noted here that the establishment of appropriate technical and organisational measures is a two-step process. First of all, it is important to identify the level of risk associated with the processing of personal data. Then it is necessary to establish which technical and organisational measures will be appropriate to ensure a level of security appropriate to this risk. Those arrangements should include measures such as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In the opinion of the supervisory authority, the measures taken by the university including the processing of data of candidates for studies were insufficient.

At the same time, the President of the UODO stated that in the case concerned the Data Protection Officer (DPO) performed its tasks without having due regard to the risk associated with processing operations. The appointed Data Protection Officer was not involved by the university in the recruitment process for studies covering the functioning of the IT system intended for this activity. The involvement of a DPO could reduce the risk of inappropriate processing.

When imposing a fine, the President of the UODO took into account attenuating circumstances, such as: good cooperation with the supervisory authority both in the course of the inspection and during the administrative proceedings, taking action by the university to remedy the infringement and ensure security in the processing of data in the future.

To read the press release is Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl​​​​​​​

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information, hereinafter: Authority) imposed a total of 4.5 million forints in data protection fines on Mediarey Hungary Services Zrt. (hereinafter: Publisher), the publisher of the Hungarian Forbes magazine in two cases.

NAIH/2020/1154

The Authority established in its decision No. NAIH/2020/1154/9 of 23 July 2020 that by not carrying out proper interest assessment in relation to the printed and the on-line versions of the Forbes publication containing the largest family undertakings published in September 2019 and the printed and the on-line versions of the Forbes publication containing the 50 richest Hungarians published in January 2020, and by failing to inform the Complainants (the data subjects) in advance about the results of comparing the legitimate interests of its own and of a third party (the public) and of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation. 

Furthermore, the Authority established that by not providing adequate information to the Complainants about all the essential circumstances of data processing and of the right of the Complainants to object to the processing of their personal data, and by failing to provide information on the possibilities of the Complainants to enforce their rights in its response to the requests of Complainants to exercise their rights as data subjects , the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14, Article 15 and Article 21(4) of the General Data Protection Regulation.

NAIH/2020/838

The Authority established in its decision No. NAIH/2020/838/2 of 23 July 2020 that by not carrying out proper interest assessment in relation to the printed and the on-line versions of the Forbes publication containing the largest family undertakings published in January 2019 and the printed and the on-line versions of the Forbes publication containing the 50 richest Hungarians published in September 2019 and by failing to inform the Complainants (the data subjects) of the results of comparing the legitimate interests of its own and of a third party (the public) and of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation.

Furthermore, the Authority established that by not providing adequate information on all the essential circumstances of processing to the Complainants and about the Complainants rights to object to the processing of their personal data and in spite of the information it learned it failed to demonstrate after the objection that the data processing was justified by legitimate reasons of compelling force overriding the interests, rights and freedoms of the Complainants and in its responses to the Complainants’ requests aimed at exercising their rights as data subjects, the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14 and Article 21(1) and (4) of the General Data Protection Regulation.

Because of the infringements established, the Authority reprimanded the Publisher in both cases and at the same time ordered it 
-    to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights;
-    to carry out the interest assessment including the second individual interest assessment following the objection in accordance with the legal regulations and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis;
-    to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions.

Because of the established infringements, the Authority imposed a data protection fine of 2 million forints in its decision NAIH/2020/1154/9 and 2.5 million forints in its decision NAIH/2020/838/2 on the Publisher.

The reason for the difference in the amounts of the fines is that despite the fact that the Publisher was aware of the specific circumstances of the Complainants in the case constituting the subject matter of decision NAIH/2020/838/2, the Publisher failed to carry out an individual interest assessment, the result of which would have demonstrated that data processing was justified by legitimate reasons of compelling force overriding the interests, rights and freedoms of the Complainants even after the objection by the Complainants.

The Authority did not arrive at a position that it was not at all possible to make lists of businessmen and companies and reports on them in this form. Forbes may compile lists on the basis of business data accessible to the public, but the publication of the lists is subject to the stringent requirements of the General Data Protection Regulation and the Publisher as controller must comply with these requirements.

The Authority supports the practice present also in the Hungarian market, according to which the various rich lists or publications listing the richest Hungarians do not in all cases include the name of the data subject and/or an entry on the data subject provided that it has sufficiently grounded reasons, and they display a single letter instead of the full name, and minimal information instead of the entry presenting the activities of the data subject (e.g. the name of the given industry, the magnitude of the assets associated with the data subject) following the well-grounded objection by the data subject.

A petition for review was submitted to the Fővárosi Törvényszék (Budapest Tribunal) by the Publisher against decision NAIH/2020/838/2 and by both parties against decision NAIH/2020/1154/9.

You can read the origional press release on the Hungarian DPA website here.

For more information, please contact the Huganian DPA here: privacy@naih.hu

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The Board adopted Guidelines on the concepts of controller and processor in the GDPR and Guidelines on the targeting of social media users. In addition, the EDPB created a taskforce on complaints following the CJEU Schrems II judgement and a taskforce devoted to the supplementary measures that data exporters and importers can be required to take to ensure adequate protection when transferring data in light of the CJEU Schrems II judgement.

The Board adopted Guidelines on the concepts of controller and processor in the GDPR. Since the entry into application of the GDPR, questions have been raised as to what extent the GDPR brought changes to these concepts, particularly regarding the  concept of joint controllership (as laid down in Article 26 GDPR and following several CJEU rulings), as well as the obligations for processors (in particular Article 28 GDPR) laid down in Chapter IV of the GDPR. 

In March 2019, the EDPB together with its Secretariat organised a stakeholder event, which made clear that there was a need for more practical guidance and allowed the Board to better understand the needs and concerns in the field. The new Guidelines consist of two main parts: one explaining the different concepts; the other including detailed guidance on the main consequences of these concepts for controllers, processors and joint controllers. The Guidelines include a flow chart to provide further practical guidance. The Guidelines will be subject to public consultation. 

The EDPB adopted Guidelines on the targeting of social media users. The Guidelines aim to provide practical guidance to stakeholders and contain various examples of different situations so that stakeholders can quickly identify the ‘scenario’ that is closest to the targeting practice they intend to deploy. The main aim of the Guidelines is to clarify the roles and responsibilities of the social media provider and the targeted individual. To this purpose, the Guidelines, among others, identify the potential risks for the freedoms of individual, the main actors and their roles, the application of key data protection requirements, such as lawfulness and transparency and DPIA, as well as key elements of arrangements between social media providers and the targeted individuals. In addition, the Guidelines focus on the different targeting mechanisms, the processing of special categories of data and the obligation for joint controllers to put in place an appropriate arrangement pursuant to Article 26 GDPR. The Plenary will submit the Guidelines for public consultation.

The Board has created a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement. A total of 101 identical complaints have been lodged with EEA Data Protection Authorities against several controllers in the EEA member states regarding their use of Google / Facebook services which involve the transfer of personal data. Specifically the complainants, represented by the NGO NOYB, claim that Google/Facebook transfer personal data to the U.S. relying on the EU-U.S. Privacy Shield or Standard Contractual Clauses and that according to the recent CJEU judgment in case C-311/18 the controller is unable to ensure an adequate protection of the complainants' personal data. The taskforce will analyse the matter and ensure a close cooperation among the members of the Board. 

As a follow-up to the CJEU’s Schrems II ruling and in addition to the FAQ adopted on 23 July, the Board has created a taskforce. This taskforce will prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.

Andrea Jelinek, Chair of the EDPB: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility. In addition to the statement and the FAQ we put out shortly following the judgment, we will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries. However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”

The agenda to the thirthy-seventh plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_14
 

Infringement of the principle of lawfulness of personal data processing and making intentionally available without a legal  basis on the GEOPORTAL2 (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers are the reason for imposing an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (GGK).

Moreover, GGK must adapt the processing of personal data to the provisions of the GDPR by discontinuing making available on the GEOPORTAL2 portal (www.geoportal.gov.pl) of personal data in the scope of land register numbers obtained from the land and property registers (kept by the starostes).

The President of the UODO decided to carry out inspection activities at the Surveyor General of Poland at the beginning of March 2020. However, GGK prevented the possibility of examining the legality of publishing information on the land registers number on GEOPORTAL2. In the course of the inspection, it made available only documentation specifying the organisational measures applied to ensure the data security and the evidence proving the appointment of the Data Protection Officer. As a result, the President of the UODO imposed an administrative fine on GGK (https://uodo.gov.pl/en/553/1146). However, despite the refusal to carry out an inspection, GGK gave testimony which served as evidence in the present proceedings.

According to the testimony submitted, GGK publishes information obtained from land and property registers (including land register numbers) from 90 poviat starosties only on the basis of agreements concluded with them.

In accordance with Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data is processed lawfully only in cases where at least one of the conditions indicated in Art. 6 GDPR is met.

In the course of the proceedings, GGK did not indicate a provision of law which would constitute the legal basis for its activity. Moreover, none of the legal provisions governing matters related to the activities of the Surveyor General of Polandallows it to make available data obtained from the starosties within the framework of GEOPORTAL2. In the opinion of the President of the UODO, the Surveyor General of Poland, aware of the lack of a clear legal basis for the processing of land registers numbers, concluded agreements with the starostes on the basis of which it obtained information from the land and property registers (including land registers numbers) kept by the starostes for the purpose of their publication on GEOPORTAL2. The supervisory authority considered that these agreements concerned the creation and maintenance of common elements of the technical infrastructure intended to store and make available certain data filing systems, but did not constitute a legal basis for making available the data, including land register numbers. Such a basis must result from commonly binding legal provisions.

Having regard to the above, the President of the UODO considered that personal data were made available in the form of land register numbers on GEOPORTAL2 without a legal basis. Such action results in infringement of Article 5(1)(a) and Article 6(1) of the GDPR. The doctrine of law represents the view that making personal data available from public fling systems in the absence of a clear legal basis relating to the operation of making personal data available is unlawful.

In this case, it is undeniable that the land register numbers processed on www.geoportal.gov.pl constitute personal data. According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The scope of data disclosed in the land register of natural persons includes, among others, names, surnames, parents’ names, PESEL number (personal identification number), property address. The publication of such data allows the identification of the person whose data is contained in the land register. By publishing land register numbers on Geoportal2, access to the information contained in them can be obtained by any interested Internet user. This type of situation may expose a very large number of people (data subjects) to theft of their identity.

When imposing a fine, the supervisory authority took into account not only the severity of the infringement, its nature and duration, but also the intentional character of the action.

To read the press release is Polish, click here.
To read the full decision in Polish, click here.
This press release can be seen as a follow up to an article previously posted here on the EDPB website.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl​​​​​​​

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without legal basis in connection with survey carried out by a school in the school year 2019/2020. The survey entitled “Diagnosis of student’s home and school situation” examined personal situation of students.

In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.

The processing of students’ personal data included collection, storage and destruction of those data.

In the course of the UODO’s inspection it was established that the survey was conducted to identify students who require psychological support from the school they attend. The survey was carried out by class teachers in classes 7-8 of elementary school and in high school classes. It was conducted in the form of in blanco paper forms on direct instruction from school principal.

All returned copies of the survey were destroyed by an official commission. According to the findings of the inspection, personal data included in the surveys were not entered into electronic telecommunication systems, were not recorded on electronic data carriers or other information carriers, including in paper form. After collecting the surveys, the teachers did not make any scans or paper copies of them, nor did they make other additional documents containing personal data concerning the surveys. As of the date of the inspection, students' personal data obtained in connection with the surveys were no longer processed.

According to the evidence obtained as a result of the inspection, the surveys were conducted in a way that excludes the possibility of unauthorized disclosure of the data contained in them.

By conducting a survey among students, the school has violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner for the data subject. The above principle has been developed in the content of Article 6(1)(c) of the GDPR, according to which the processing is lawful only if - and to the extent to which - the condition that the processing is necessary for compliance with a legal obligation to which the controller is subject is fulfilled.

The school, as a public entity, may process personal data within the scope of its tasks imposed by law. In turn, according to the Educational Law, schools process personal data to the extent necessary for the performance of the tasks and obligations arising from these regulations. The legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way it was done in the penalised entity, in connection with the conducted survey.

The President of the UODO considered that, in the established circumstances of this case, a reprimand was sufficient. The unintended nature of the infringement was considered to be an attenuating circumstance. The school principal immediately took a number of corrective measures, such as: destruction of the survey forms or refraining from carrying out the survey by some teachers, organisation of training for staff to raise their awareness of personal data protection issues, and analysis of the incident of conducting the survey among students, given the risk to the rights and freedoms of natural persons. Moreover, on the basis of the circumstances of the present case, there are no grounds to consider that the data subjects have suffered damage as a result of the event. The President of the UODO has not received any signals that similar behaviours resulting in violations have taken place on the part of the school.

To read the press release is Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The Belgian DPA imposed a fine of 20,000 EUR on telecom operator Proximus for several data protection infringements during the processing of personal data for the purpose of publishing public telephone directories.

The facts
A Belgian citizen (the plaintiff) had requested Proximus, the publisher of a public directory, to retract the publication of his personal data in Proximus’ public directory, as well as the publication of the personal data in the directory of other publishers. Proximus, as publisher of its own public directory, had confirmed towards the plaintiff it would no longer publish the personal data, and would also inform other publishers of a public directory to not publish the personal data of the plaintiff. However, a few months later, the plaintiff discovered his personal data had not only been published in the directory of Proximus, but also in the ones of other publishers of a public directory. In its communication towards the plaintiff, Proximus also mentioned it had transferred the personal data of the plaintiff to other publishers of a public directory. 

Background: lex specialis of the e-Privacy Directive
In Belgium, the consent for the publication in a public directory is given in accordance with the provisions of national telecommunications law. Those provisions are the national implementation of article 12 of the e-Privacy Directive. Although the e-Privacy Directive forms lex specialis vis-à-vis the GDPR (as lex generalis), as stated in article 95 GDPR,  the provisions with regard to consent of the GDPR remain applicable as preconditions for lawful processing with regard to the consent in article 12 e-Privacy Directive .

Decision of the Litigation Chamber 
The Litigation Chamber of the Belgian DPA upheld, among other things, that:
-    Proximus publishes its own public directory and must therefore be considered as a controller for several relevant processing activities. As such, it has a responsibility to align the withdrawing of the data subject’s consent with the actual processing activities. It is apparent that Proximus did not take the appropriate measures to ensure and be able to demonstrate that the personal data of the complainant was not unlawfully processed after the withdrawal of the consent. Thus, Proximus had not fulfilled its obligations (appropriately) as a controller, and therefore infringed article 6 GDPR read in conjunction with article 7 GDPR, as well as articles 24 and article 5.2 GDPR.
-    Proximus did not provide the data subject with transparent information during and after the handling of his request, nor did it appropriately facilitate the exercise of his data subject rights, and therefore infringed article 12 and article 13 GDPR. 
The Litigation Chamber decided not to pseudonymise the name of the defendant, as the publication of that identity was in the public interest. 
 

You can find the final decision in Dutch here.

For further information, please contact the Belgian DPA: contact@apd-gba.be 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Methods used by Dutch Tax and Customs Administration unlawful and discriminatory

The Benefits Office of the Dutch Tax and Customs Administration should not have processed the (dual) nationality of childcare benefit applicants in the way it did for many years. According to the results of the Data Protection Authority’s investigation, this practice was unlawful and discriminatory, and a serious and improper breach of the General Data Protection Regulation (GDPR). Today Aleid Wolfsen, chairman of the Data Protection Authority, submitted the investigation report to State Secretary for Benefits and Customs Alexandra van Huffelen.

Unlawful processing
The Tax and Customs Administration should have deleted the data on dual nationality back in January 2014. In May 2018, however, some 1.4 million people were still registered as dual nationals in its systems.

Dual nationality should not play a role in the assessment of childcare benefit applications. Nonetheless, the Tax and Customs Administration retained and used this data.
 
It also processed the nationality data of childcare benefit applicants for the purpose of combating organised fraud, even though this data was not necessary for this purpose.

Lastly, the Tax and Customs Administration used applicants’ nationality (Dutch/not Dutch) as an indicator in a system that automatically designated certain applications as risky. The data was not necessary for this purpose either.

It is unlawful to use nationality data to assess applications, combat fraud and determine risk. In other words, the Tax and Customs Administration was not allowed to do what it did.

Discriminatory processing
By unnecessarily retaining nationality data in its systems, the Tax and Customs Administration acted in a discriminatory way. Entitlement to childcare benefit is not contingent on nationality but on lawful residence in the Netherlands.
 
The Tax and Customs Administration therefore made an unjustified distinction on the basis of nationality. Under the GDPR, it is improper to process nationality data to combat fraud and determine risks because data processing may not infringe on any fundamental rights. This includes the right to equality and non-discrimination.

Unacceptable practices
‘Our investigation shows that the Tax and Customs Administration’s Benefits Office stored and used large amounts of data in various ways over a long period in a manner that was entirely impermissible,’ said Mr Wolfsen. ‘The way in which the entire system was set up and used was discriminatory. The specific consequences this has had for individual applicants is beyond the scope of this investigation, but we know that the nationality or dual nationality of applicants was consistently and systematically used against them and it should not have been.’

Next steps
The Data Protection Authority’s investigation of the facts concludes the first step of the investigation process. The next step is for the DPA to determine whether to impose a sanction, such as a fine, on the Tax and Customs Administration. Before it can do so, the Minister of Finance is entitled to first officially respond to the investigation. After he has done so, the Data Protection Authority can announce in late 2020 any sanction it decides to impose.
 

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The Spanish Data Protection Authority (AEPD) imposed a fine of 1.200 EUR on a company for calling the data subject, offering them a deal on hotels, while they were included in an advertisement exclusion system. By joining this system, the data subject exercised their right to object to processing for marketing purposes under Article 21 GDPR. However, the company did not comply with its obligation of consulting the advertisement exclusion system before making a telephone call with marketing purposes in order to avoid processing their personal data. 

The data subject received a call from the data controller’s number, stating that a friend of them had provided the company with their telephone number so that they offer them a hotel voucher, naming other friends of theirs and declaring that they had joined the promotion. 

The AEPD considered that this constitutes a breach of Article 48(1)(b) of the Spanish Law 9/2014 General Telecommunications [to make it clear, I'd suggest specifying it's a Spanish law, see in yellow]
 

You can read the text of the decision in Spanish here.

For further information, please contact the Spanish DPA: prensa@aepd.es

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

 

The Spanish Data Protection Authority (AEPD) imposed a fine of 75.000 EUR on VODAFONE ESPAÑA for processing the claimant’s telephone number for marketing purposes after they had exercised their right to erasure in 2015, in spite of what the data subject was sent advertising SMS. The controller stated that the claimant number, being easy to remember, had been used as a “dummy number” by its employees.

The AEPD considered that VODAFONE ESPAÑA violated Article 6(1) of the GDPR, by processing the claimant's personal data without any lawful basis.  
 

You can read the text of the decision in Spanish here.

For further information, please contact the Spanish DPA: prensa@aepd.es
 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The Spanish Data Protection Authority (AEPD) imposed a fine of 70.000 EUR on XFERA MOVILES for disclosing a customer’s personal data to a third party.

The claimant was informed by another customer of Masmovil that, because of a company’s mistake, they had been charged with a claimant’s bill, and thus had access to their personal data (name, surname ID card number, and personal phone number).

The AEPD considered that this constitutes a breach of the principle of confidentiality, established in Article 5(1)(f) of the GDPR.

You can read the text of the decision here.

For further information, please contact the Spanish DPA: prensa@aepd.es

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Final decision, administrative fine for Rælingen municipality 

The Norwegian Data Protection Authority has imposed an administrative fine of EUR 47,500 to Rælingen Municipality. The fine is imposed after data concerning health of children with special needs was processed using the digital learning platform Showbie. 
- The case started when we received a notification of a personal data breach from the municipality. Upon further investigation of the case, it appeared that the level of security of the application was not proportionate with the risk, says Director-General of the Norwegian Data Protection Authority, Bjørn Erik Thon. – This is obviously a significant issue, as it has to do with both children and personal data concerning health. 

Several infringements
The infringement affects 15 children with special needs. The application Showbie has been used to send health related personal data between the school and the homes of the children. 

The necessary risk and data protection impact assessments and testing have not been completed before the application was put to use. Lack of security measures when logging in to the application has made it possible to obtain information about other children in the group. 

After the breach notification, the municipality has pointed out that there is no indication that any of the children have actually been victim to material or non-material damage, but the Norwegian Data Protection Authority has not put emphasis on this in the consideration of the case. This is because we found that the infringement itself creates a risk, regardless of whether the risk actually manifests itself in a more concrete form of damage to the affected children or not. 
The Norwegian Data Protection Authority has chosen to reduce the fine after an overall assessment, made on the basis of an inquiry from Rælingen municipality. An assessment was also made in relation to previous practice under the old law. The case has not been appealed, and the fee of EUR 47,500 is final.

You can read the origional press release in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

In 2018, the Danish company PrivatBo assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo provided material for the properties in question, which was distributed to the occupants of the properties on a total of 424 USB keys. However, PrivatBo was not aware that some of the documents contained personal information of a confidential nature which should not have been disclosed.

The Danish Data Protection Agency assessed the case and found that PrivatBo has not complied with the requirements of Article 32 of the Data Protection Regulation to implement appropriate technical and organizational security measures. Based on the nature of the case, the Danish DPA has therefore chosen to report PrivatBo to the police for the unintentional disclosure of personal information and proposed a fine of DKK 150.000.

You can read the full press release in Danish below or on the Danish DPA website here.

For further information, please contact the Danish SA: dt@datatilsynet.dk

Datatilsynet indstiller PrivatBo til bøde

PrivatBo er blevet anmeldt til politiet, da Datatilsynet vurderer, at administrationsselskabet ikke har levet op til kravene om et passende sikkerhedsniveau i databeskyttelsesforordningen (GDPR).

I 2018 bistod PrivatBo – som administrationsselskab – en boligfond med et påtænkt salg af tre ejendomme. PrivatBo tilvejebragte i den anledning materiale til de omhandlede ejendomme, som blev uddelt til beboerne i de pågældende ejendomme på i alt 424 USB-nøgler. PrivatBo var imidlertid ikke opmærksom på, at der for en del af de udleverede lejekontrakter var knyttet dokumenter, som indeholdt personoplysninger af fortrolig karakter, og som ikke burde have været videregivet.

”I en sag som den pågældende er det vores vurdering, at PrivatBo som minimum burde have gennemgået tilbudsmaterialet, før det blev udleveret til andre. Vi hæfter os i den forbindelse særligt ved, at der var risiko for at videregive oplysninger af fortrolig karakter til bl.a. naboer, og at dette kunne indebære et betydeligt ubehag for de pågældende lejere, herunder for tab af omdømme,” siger Frederik Viksøe Siegumfeldt, kontorchef for tilsynsenheden i Datatilsynet, og tilføjer:

”Helt generelt er det sådan, at når man som virksomhed behandler folks personoplysninger, har man også et ansvar for at sikre, at de ikke kommer til uvedkommendes kendskab. I dette tilfælde mener vi ikke, PrivatBo har gjort nok for at undgå, at personoplysningerne blev videregivet.”

Datatilsynet har således vurderet, at PrivatBo ikke har levet op til kravene i databeskyttelsesforordningens artikel 32 om at gennemføre passende tekniske og organisatoriske sikkerhedsforanstaltninger. På baggrund af sagens karakter har tilsynet derfor valgt at politianmelde PrivatBo for den utilsigtede videregivelse af personoplysninger, der skete som led i udleveringen af de 424 USB-nøgler.

Datatilsynet har herudover fundet grundlag for at udtale alvorlig kritik af, at PrivatBo efterfølgende – i forbindelse med samme tilbudspligt – utilsigtet udleverede en oversigt over indestående deposita og forudbetalt leje, og i nogle tilfælde oplysninger om udlæg i deposita, fordelt på lejemålenes adresse til beboere i en anden ejendom end den, som var omfattet af den pågældende tilbudspligt. Den utilsigtede videregivelse af disse oplysninger skete til trods for, at PrivatBo havde antaget et eksternt revisionsselskab med henblik på at kvalitetssikre materialet.

 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

The National Credit Register (BKR) in the Netherlands can no longer charge people who wish to access the personal data it holds on them. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple, and they must be able to request a new copy after a reasonable period of time has passed. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted. As a result, the Dutch Data Protection Authority (Dutch DPA) issued the BKR with a €830,000 fine. 

The Dutch DPA received complaints from data subjects about the difficulties involved in accessing the data the BKR held on them. The Dutch DPA considered these complaints significant enough to warrant an investigation.

Accessing credit registration data
In the words of Dutch DPA chairman Aleid Wolfsen, ‘It is vital that people are able to access their credit registration data. A poor credit score can affect a person’s ability to take out a loan or mortgage. So it is important for people to be able to quickly and easily check what data of theirs is being processed and if this is being done in the proper manner.’ 

The issue
In May 2018 the BKR began charging a fee to data subjects for requesting access to their data in a digital format. Furthermore, although data subjects could obtain a paper copy of their data for free, this was only possible once a year. This situation was an infringement of privacy legislation, and led to the BKR being fined €830,000.

Following the Dutch DPA’s investigation, the BKR has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the BKR changed the number of times a year data subjects can receive a paper copy of their data by post. 

What’s next?
The BKR has appealed the case in court, which means that the Dutch DPA’s decision about the fine is not yet final. 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information imposes fine on AOK Baden-Wuerttemberg – 
Effective data protection requires regular monitoring and adjustment 

Due to an infringement of the obligations of secure data processing (article 32 of the European General Data Protection Regulation, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has issued a fine of 1,240,000 € against the AOK Baden- Wuerttemberg. At the same time, the Department of Fines, in constructive collabora-tion with the AOK, also paved the way for an improvement of the technical and organ-isational measures for the protection of personal data at the AOK Baden- Wuerttemberg. 

From 2015 to 2019, the AOK Baden-Wuerttemberg hosted raffles on different occa-sions. Within this context, the AOK collected the participants’ personal data, including contact details and health insurance affiliation. Inter alia, the AOK wished to use this data for advertisement purposes, provided that the participants had consented ac-cordingly. Through technical and organisational measures, which included internal guidelines and data protection trainings, among others, the AOK wanted to ensure that only data of raffle participants who had given their prior and valid consent would be used for advertisement purposes. These measures set by the AOK did not, how-ever, comply with legal requirements. The personal data of more than 500 raffle par-ticipants were therefore used for advertisement purposes without their consent. No insurance data was concerned. 

The AOK Baden-Wuerttemberg discontinued all sales activities immediately after the allegation became known, in order to thoroughly check all procedures. In addition, the AOK created a task force for data protection in sales and made adjustments which concerned, in particular, internal procedures and control structures, besides the dec-larations of consent. Further measures are to be taken in close coordination with the LfDI. 

Within the frame that article 83 (4) GDPR sets for fines, the comprehensive internal reviews and adjustments of the technical and organisational measures, as well as the constructive cooperation with the LfDI, spoke in the AOK’s favour. Thus, an increase in the protection level for personal data related to the AOK’s sales activities was achieved within a short amount of time. In the future, the AOK will continue and, if necessary, adjust, these improvements and additional control mechanisms, in ac-cordance with the specifications and recommendations set by the Baden-Wuerttemberg State Commissioner of Data Protection and Freedom of Information. 

When assessing the fine, the Commissioner considered factors such as the size and the relevance of the AOK Baden-Wuerttemberg. He also paid special consideration to the AOK being a statutory health insurance and thus an important part of our health system, as the AOK has the statutory obligation to preserve, restore or improve the health of the insured persons. The GDPR requires fines to not only be effective and dissuasive, but also proportionate. Determining the amount of the fine, the Commis-sioner therefore had to ensure that the fulfilment of this statutory obligation would not be endangered. To this end, particular attention was paid to the challenges the AOK currently faces due to the Corona pandemic. 

“Data security is an ongoing task”, the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, stresses. “Technical and organisational measures need to be adjusted to the actual conditions on a regular basis, so as to ensure an appropriate level of protection in the long term.” In this con-text, great importance is regularly attached to ensuring conditions of data protection compliance, as well as to the good cooperation of controllers with the LfDI. Brink con-cludes, “Our aim is not to issue fines which are as high as possible, but rather to reach a data protection level which is as good and appropriate as possible.” 

If you have any questions you can reach call the number +49 (0)711 615541-23. For further information about data protection and freedom of information on the web please visit www.baden-wuerttemberg.datenschutz.de or www.datenschutz.de. 

The German version of this press release is available at www.baden-wuerttemberg.datenschutz.de.
 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

During its 34th, 35th & 36th plenary session, the EDPB adopted the following documents:

34th plenary session:

• Statement on the Court of Justice of the European Union Judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
• Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR - version for public consultation
• letter to MEP Ďuriš Nicholsonová on contact tracing, interoperability of apps and DPIAs

35th plenary session:

• Information note on Binding Corporate Rules for Groups of undertakings / enterprises which have ICO as Lead Authority

36th plenary session:

• FAQ on CJEU judgment C-311/18 (Schrems II)

Within the framework of the Italian SA’s enforcement activities regarding telephone operators, Wind Tre SpA was fined about EUR 17 million on July 9th on account of several instances of unlawful data processing that were mostly related to marketing. The Italian SA had already issued a prohibitory injunction against the company, on account of similar infringements that had occurred when the previous data protection law was in force. 

The fine was imposed following complex investigations and inspections. Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several cases, the complainants had declared they had not been enabled to exercise their right to withdraw consent or object to the processing of their data for marketing purposes, partly on account of the inaccurate contact information provided in the information notices. In yet other cases, users’ personal data had been included in public phone listings despite the (at times reiterated) objections made by those users. 

The investigation showed that the MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours. 

Beyond these overarching flaws, the investigations by the Italian SA shed light on multifarious infringements affecting Wind Tre’s business partners. On account of those infringements, one such business partner was fined EUR 200,000 by the Italian SA and was banned from using the data its agents had collected and processed in the national territory without any consideration for data protection rules. This business partner had subcontracted – without relying on any legal instrument – whole sets of processing activities to call centres, which collected data in breach of the law.

The pleadings submitted by Wind Tre and the corrective measures implemented by the company, as also related to the centralised approach applying to marketing campaigns, were found inadequate by the Italian SA, which accordingly fined Wind Tre EUR 16,729,600 and prohibited any further processing of the data they had acquired without consent. The Italian SA also ordered the company to take technical and organisational measures to ensure effective oversight of their business partners, along with implementing procedures to respect users’ indications to be left alone. 

During its 9 July meeting, the Italian SA also assessed the findings of the investigations regarding another phone operator, i.e. Iliad; in that case, shortcomings were detected under different respects, in particular concerning employees’ access to traffic data. Accordingly, the company was fined EUR 800,000. 

Rome, 13 July 2020
 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

European Data Protection Board publishes FAQ document on CJEU judgment C-311/18 (Schrems II)

Following the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the EDPB has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S. This document will be developed and complemented, along with further guidance, as the EDPB continues to examine and assess the judgment of the Court. 

The FAQ document on the CJEU judgement C-311/18 can be found here.

EDPB_Press Release_statement_2020_06