Datainspektionen

European Data Protection Board - Eighteenth Plenary session: Evaluation of the GDPR; Guidelines on Art 46.2 (a) and 46.3 (b) GDPR for transfers personal data between EEA and non-EEA public authorities a bodies; Statement on privacy implications of mergers

Brussels, 20 February - On February 18th and 19th, the EEA Supervisory Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their eighteenth plenary session. During the plenary, a wide range of topics was discussed.
 
The EDPB and the individual EEA Supervisory Authorities (SAs) contributed to the evaluation and review of the GDPR as required by Art. 97 GDPR. The EDPB is of the opinion that the application of the GDPR in the first 20 months has been successful. Although the need for sufficient resources for all SAs is still a concern and some challenges remain, resulting, for example, from the patchwork of national procedures, the Board is convinced that the cooperation between SAs will result in a common data protection culture and consistent practice. The EDPB is examining possible solutions to overcome these challenges and to improve existing cooperation procedures. It also calls upon the European Commission to check if national procedures impact the effectiveness of the cooperation procedures and considers that, eventually, legislators may also have a role to play in ensuring further harmonisation. In its assessment, the EDPB also addresses issues such as international transfer tools, impact on SMEs, SA resources and development of new technologies. The EDPB concludes that it is premature to revise the GDPR at this point in time.

The EDPB adopted draft guidelines to provide further clarification regarding the application of Articles 46.2 (a) and 46.3 (b) of the GDPR. These articles address transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, where these transfers are not covered by an adequacy decision. The guidelines recommend which safeguards to implement in legally binding instruments (art. 46.2 (a)) or in administrative arrangements (Art. 46.3 (b)) to ensure that the level of protection of natural persons under the GDPR is met and not undermined. The guidelines will be submitted for public consultation.

Statement on privacy implications of mergers
Following the announcement of Google LLC’s intention to acquire Fitbit, the EDPB adopted a statement highlighting that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to privacy and data protection. The EDPB reminds the parties to the proposed merger of their obligations under the GDPR and to conduct a full assessment of the data protection requirements and privacy implications of the merger in a transparent way. The Board urges the parties to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission. The EDPB will consider any implications for the protection of personal data in the EEA and stands ready to contribute its advice to the EC if so requested.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

On February 18th and 19th, the eighteenth plenary session of the European Data Protection Board is taking place in Brussels. For further information, please consult the agenda.

Agenda of Eighteenth Plenary

In October 2019, an administrative fine of € 120 000 was imposed on the Municipality of Oslo, the Education Agency, as a result of poor security of processing in the ‘Skolemelding’ mobile app. The app is used for communication between school employees, parents and pupils.

The fine was issued because the municipality had not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The following were key elements in the Data Protection Authority’s assessment:
1.    One of the intended uses of the app is for parents to send messages regarding their children and absence from school using a free-text field. This enables communication of special category personal data, such as health data, regarding the children. There are no technical measures to prevent this from happening, and no information is given within the app that such transmission should be avoided. In line with data protection by design and default, alternative measures such as drop-down lists and tick boxes are more appropriate.
2.    Poor app login security made it possible for unauthorised persons to access and alter personal data of more than 63 000 pupils in the first to tenth grade.
3.    As a consequence of inadequate security testing before the app was launched, the app contained well-known security vulnerabilities.
Previously, the Data Protection Authority notified its intent to impose a fine of € 200 000 in response to the findings above. However, in the final amount was reduced to € 120 000 as there were mitigating factors present in the case. The municipality implemented measures to limit the damages as soon as it was made aware of the security flaws, and it has shown willingness to resolve the issues.
The Municipality of Oslo did not appeal the decision.

For further information, please contact the Norwegian SA: international@datatilsynet.no

During its January Plenary Session, the EDPB adopted the following documents:

• Article 64 Opinions on Accreditation Requirements for Codes of Conduct Monitoring Bodies, submitted to the Board by:
  • Spain
  • Belgium
  • France
• Guidelines on Connected Vehicles
• Guidelines on the processing of Personal Data through Video Devices (following public consultation)
• Article 64 Opinions on Accreditation Requirements for Certification Bodies, submitted to the Board by:
  • The United Kingdom
  • Luxembourg
• Article 64 Opinion on  the Fujikura Automotive Europe Group’s Controller BCRs
• Letter on unfair algorithms
• Letter to the Council of Europe on the Cybercrime Convention
• Document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification: the European Data Protection Seal

The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.

From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed (accountability).
In many cases out of the millions of marketing calls that had been placed in a six-month period with ‘non-customers’, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of whatever consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company is not permitted to use any longer the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.

The injunctions issued by the Italian SA include the obligation for TIM to check consistency of their blacklists and to timely acquire those put together by call centres so as to update their own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in their individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.

For further information, please contact the Italian SA: garante@garanteprivacy.it

On January 28th and 29th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their seventeenth plenary session. During the plenary, a wide range of topics was discussed.
 
The EDPB adopted its opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities (SAs). These opinions aim to ensure consistency and the correct application of the criteria among EEA SAs.

The EDPB adopted draft Guidelines on Connected Vehicles. As vehicles become increasingly more connected, the amount of data generated about drivers and passengers by these connected vehicles is growing rapidly. The EDPB guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. More specifically, the guidelines deal with the personal data processed by the vehicle and the data communicated by the vehicle as a connected device. The guidelines will be submitted for public consultation.

The Board adopted the final version of the Guidelines on the processing of Personal Data through Video Devices following public consultation. The guidelines aim to clarify how the GDPR applies to the processing of personal data when using video devices and to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. The guidelines address, among others, the lawfulness of processing, including the processing of special categories of data, the applicability of the household exemption and the disclosure of footage to third parties. Following public consultation, several amendments were made.

The EDPB adopted its opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg SAs. These are the first opinions on accreditation requirements for Certification Bodies adopted by the Board. They aim to establish a consistent and harmonised approach regarding the requirements which SAs and national accreditation bodies will apply when accrediting certification bodies. 

The EDPB adopted its opinion on the draft decision regarding the Fujikura Automotive Europe Group’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Spanish Supervisory Authority.

Letter on unfair algorithms
The EDPB adopted a letter in response to MEP Sophie in’t Veld’s request concerning the use of unfair algorithms. The letter provides an analysis of the challenges posed by the use of algorithms, an overview of the relevant GDPR provisions and existing guidelines addressing these issues, and describes the work already undertaken by SAs.

Letter to the Council of Europe on the Cybercrime Convention
Following the Board’s contribution to the consultation process on the negotiation of a second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), several EDPB Members actively participated in the Council of Europe Cybercrime Committee’s (T-CY) Octopus Conference. The Board adopted a follow-up letter to the conference, stressing the need to integrate strong data protection safeguards into the future Additional Protocol to the Convention and to ensure its consistency with Convention 108, as well as with the EU Treaties and Charter of Fundamental Rights.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

On January 28th and 29th, the seventeenth plenary session of the European Data Protection Board is taking place in Brussels. For further information, please consult the agenda.

Agenda of Seventeenth Plenary

The Commissioner for Personal Data Protection (Cypriot SA) banned the processing and fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for a total amount of EUR 82,000.00, concerning the lack of legal basis of “Bradford Factor” tool, which was used to score sick leaves of employees.

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind Bradford's Factor automated system for scoring employees' sick leave was that short, frequent, and unplanned absences lead to a higher disorganising of the company rather than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using 'Bradford Factor', and profiling individuals based on the results, is considered as processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.

In the course of the investigation, we made use of the possibility to raise legal questions to the other EEA SAs via the so called Mutual assistance procedure and received input from 25 authorities. The replies received validated the absence of legal basis of the said processing and highlighted the necessity to regulate such issues with specific rules in line with article 88 of the GDPR.

After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leaves and the validity of sick leaves certificates. However, such a perquisite should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

Having established such unlawful conduct, the Commissioner ordered the controller to interrupt the processing and delete all data collected. Moreover, a fine of €70.000 was imposed to LGS Handling Ltd, a fine of €10.000 was imposed to Louis Travel Ltd and a fine of €2.000 was imposed to Louis Aviation Ltd, in relation to the infringements of articles 6(1) and 9 of the GDPR.

When deciding on the amount of the administrative fines, due regard was given to the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.

The full decision in Greek is available here

For further information, please contact the Cypriot SA: commissioner@dataprotection.gov.cy

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozens of alerts and complaints received in the immediate aftermath of the full application of the GDPR.  
The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct  by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.  

The Italian SA further prohibited the company from using the data made available by the list providers  if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect  data in the contracts and forged signatures.

About 7200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation  as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.  

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here

For further information, please contact the Italian SA: garante@garanteprivacy.it

The Ηellenic DPA in response to a complaint conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager for whom there was suspicion that he had committed unlawful acts against the company’s interests.

The Authority found that the company as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retreating employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on www.dpa.gr  “Decisions”

For further information, please contact the Hellenic DPA: contact@dpa.gr

The Information Commissioner’s Office (ICO) has fined a London-based pharmacy £275,000 for failing to ensure the security of special category data.
Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

Documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018. Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the General Data Protection Regulations (GDPR).
The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.

Steve Eckersley, Director of Investigations at the ICO said:

The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.

In setting the fine, the ICO only considered the contravention from 25 May 2018, when the GDPR came into effect.
Doorstep Dispensaree has also been issued an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.

Full details of the investigation can be found in the Monetary Penalty Notice here.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9.550.000 on the telecommunications service provider 1&1 Telecom GmbH. The company did not provide sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information via the customer hotline service. In another case, the BfDI imposed a fine of EUR 10. 000 on Rapidata GmbH.

Concerning this matter, the Federal Commissioner Ulrich Kelber said: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”

In the case of 1&1 Telecom GmbH, the BfDI had become aware that persons calling the company’s customer service hotline could obtain extensive information about further personal data merely by providing a customer’s name and date of birth. The BfDI considers this authentication procedure to be in breach of Article 32 of the GDPR which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and highly cooperative. As a first step, the authentication procedure was strengthened by requesting additional information. As a further step, following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.

Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small number of customers, but posed a risk for the entire customer base. However, the BfDI remained in the lower range of possible fines as 1&1 Telecom GmbH proved to be very cooperative throughout the whole procedure.

The BfDI is also currently investigating the authentication procedures of other telecommunications service providers.

In another context proceedings against the telecommunications provider Rapidata GmbH were required, because despite repeated requests, the company failed to comply with its legal requirement under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the 10.000 Euro fine, the fact was taken into account that the company is belonging to the category of micro-enterprises.

For further information, please contact the German SA: presse@datenschutz-berlin.de

The Swedish DPA has issued an administrative fine of 35 000 EUR against Mrkoll.se – a website that publishes personal data of all Swedes above the age of 16 – for infringement of the Credit Information Act and the GDPR. The website has carried out credit information activity in a way that is not in compliance with the law.

The Swedish DPA has issued an administrative fine against the company Nusvar which runs the website Mrkoll.se. This website publishes personal data of all Swedes above the age of 16. In total, the database contains personal data of more than 8 million people. The administrative fine issued amounts to 35 000 EUR.

- The decision addresses the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf who led the investigation of the website.

The website in question has been granted a publishing certificate that provides it with a constitutional protection for the majority of its publishing activities, meaning that the GDPR does not apply under those circumstances.

The website did however publish information that a person does not have a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information the Credit Information Act applies, including its references to the GDPR. The website furthermore published information about records of criminal convictions. Such information is regulated in the GDPR and may not be published under the Credit Information Act without prior authorization from the Swedish DPA. The DPA has not issued any such authorization for this website.

- Websites entrusted with a publishing certificate do not need prior authorization from the DPA to carry out credit information activity as such, but they must comply with the rules in the Credit Information Act. This website has not complied with these rules, says Hans Kärnlöf.

The decision concerns unlawful publications from December 2018 to April 2019. As of April 2019, the website no longer publishes information about records of non-payment.  For that reason, the DPA’s decision will not affect how the website publishes information today.

Since May 2018 the Swedish DPA has received more than 750 complaints concerning websites that hold publishing certificates.

For further information, please contact the Swedish SA : per.lovgren@datainspektionen.se  

The Norwegian Data Protection Authority has issued an administrative fine of EUR 49 300 to the City of Oslo for having stored patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.

“This is a serious violation, given the extended time period and considerable scope of processing,” stressed Bjørn Erik Thon, Director General of the Norwegian Data Protection Authority. “An indeterminable quantity of health data has been available to a large number of employees for at least 11 years. The City of Oslo has the largest population of all Norwegian municipalities and should therefore be especially well placed to comply with relevant information security requirements.”

Background

The case commenced when the City of Oslo sent a data breach notification to the Data Protection Authority in November 2018. The City of Oslo reported that its 19 nursing homes/health centres under the Nursing Home Agency, as well as nine private nursing homes under contract with the city, had been practising the use of so-called work sheets. These work sheets would include information about the residents, detailing their daily needs and care routines, and residents were identified by their full names and national identity numbers, initials or room numbers.

The work sheets were stored electronically in the individual nursing home’s/health centre’s internal zone, where all unit employees, as well as some employees in the Nursing Home Agency, had access. Approximately 90 percent of the employees at these nursing homes/health centres are health personnel, but the remaining 10 percent – such as members of the cleaning or janitorial staff – could, in theory, also log on and gain access to this information. The sheets were allegedly continuously overwritten, so that they contained information about current residents only – and no former residents – at any given time. However, employees who worked at an individual nursing home/health centre for any extended period of time, would have had access to information about a large number of residents.

Old data protection regulations applied in assessment

In calculating the size of the fine, the Data Protection Authority emphasized that the city reported the violation to the Data Protection Authority on its own initiative and quickly took steps to delete the data. It was furthermore taken into account that the violation primarily took place before the new Personal Data Act and General Data Protection Regulation entered into force in July 2018. Under the old Personal Data Act, fines were limited to approximately EUR 100 000. A fine of EUR 49 300 was therefore deemed appropriate in this particular case.

The Data Protection Authority found that the Nursing Home Agency for many years had failed to apply a sufficiently comprehensive mindset in its approach to managing nursing home/health centre practices for information security. The Authority concluded that the practice of storing identifiable patient data outside the electronic health record system clearly violated the requirements for security and internal control provided in Article 32 of the General Data Protection Regulation and Sections 22 and 23 of the Health Record Act.

Measures to prevent future violations

When the practice of work sheets was discovered, the Nursing Home Agency sent out an e-mail to all nursing homes/health centres, instructing them to delete all work sheets immediately. Due to the way that work sheets were stored, there is no log detailing which employees have accessed the list, and there is no way of finding out whether any unauthorized persons have gained access to the data. In order to prevent similar situations from occurring again, the Nursing Home Agency has implemented various measures related to internal audit, follow-up by management and training, among other things.

The City of Oslo did not appeal the decision.

For further information, please contact the Norwegian SA: international@datatilsynet.no

The Belgian DPA has imposed a fine of €2000 on a non-profit association that provides specialized nursing care for failure to comply to the access request of a data subject. The data subject had requested access to her personal data, as well as the erasure of her data, after receiving a political email from the delegated administrator of the organization. Evidence suggests the association did not act on these requests. In her decision, the Belgian DPA also orders the nonprofit association to meet the demands of the data subject.

Read the decision in French here

For further information, please contact the Belgian DPA: contact@apd-gba.be

The Belgian DPA has imposed a fine of €15000 on a website specialized in legal news for their noncompliant cookie management and privacy policy. The Belgian DPA found that their privacy policy lacked transparency and infringed the rules on information to be provided; and also that the website failed to comply with its obligations in terms of consent (the principle of “opt in”)  and withdrawal of consent.

To read the decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

During its December Plenary Session, the EDPB adopted the following documents:

• Art. 64 GDPR Opinion on Accreditation Requirements for Codes of Conduct monitoring bodies by UK SA
• Response to BEREC request for guidance on the revision of its guidelines on net neutrality rules
• Guidelines on “the Criteria of the Right to be Forgotten in the search engine cases under the GDPR” (part 1)

Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
 
The standard processor agreement has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organisations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.
 
The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.
Nevertheless, the clauses are an instrument to be used "as is", i.e. the parties who enter into a contract with a modified version of the clauses are not deemed to have employed the adopted SCCs. On the contrary, to the extent that organizations choose to make use of these standard provisions, the Danish SA, for example in connection with an inspection visit, will not examine these provisions in more detail.

On December 2nd and 3rd, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their sixteenth plenary session. During the plenary, several topics were discussed.
 
Art. 64 GDPR Opinion on Accreditation Requirements for Codes of Conduct monitoring bodies by UK SA
The EDPB adopted its opinion on the UK Supervisory Authority’s (SA) draft decision on the Accreditation Requirements for Codes of Conduct monitoring bodies. The opinion aims to ensure consistency and the correct application of these requirements among EEA SAs. In the opinion, the EDPB proposes some changes to the draft accreditation requirements, in order to ensure a consistent application of the accreditation of monitoring bodies.

Response to BEREC request for guidance on the revision of its guidelines on net neutrality rules
The EDPB adopted its response to a request for guidance by the Body of European Regulators for Electronic Communication (BEREC) on the current EU data protection framework. In the letter, the Board raises concerns regarding the processing of domain names and URLs for the purposes of traffic management and billing (zero-rating offers).

The EDPB encourages the internet access services (IAS), and where relevant BEREC, to define and agree on less invasive and more standardized ways to manage internet traffic, interoperable throughout different IASs, which are not based on the use of URLs and domain names.

Guidelines on “the Criteria of the Right to be Forgotten in the search engine cases under the GDPR” (part 1)
The Board adopted draft guidelines on “the Criteria of the Right to be Forgotten in the search engine cases under the GDPR.” The guidelines provide an interpretation of Art. 17 GDPR with regard to the grounds and exceptions for delisting requests directed to search engine providers and are an update of the 2014 guidelines on the implementation of the Costeja judgment, issued by the Article 29 Working Party (WP29). These guidelines, which will be presented for public consultation, will be complemented by another set of guidelines on the criteria for handling complaints for refusals of delisting.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

The Commissioner for Data Protection and the Freedom of Information Rhineland-Palatinate imposed a fine of 105,000 euros on a hospital in Rhineland-Palatinate.
The fine is based on several breaches of the General Data Protection Regulation in the framework of a patient mix-up when admitting the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient and privacy management.

The Commissioner Prof. Dr. Kugelmann emphasises: "The primary objective of the corrective measures and sanctions is to remedy existing shortcomings and improve data protection. Fines are one instrument among several ones. In addition to their sanctioning effect, they always contain a preventive element in that it becomes clear that grievances are consistently investigated. What matters to me is that substantial progress is made on health data protection in view of the particular sensitivity of the data. I therefore hope that the fine will also be seen as a signal so that the data protection supervisory authorities are particularly vigilant in the field of data handling in health care."

To read the press release in German, click here

For further information, please contact the Rhineland-Palatinate DPA: poststelle@datenschutz.rlp.de