European Data Protection Board

Belgian DPA imposed a fine of 1,000 EUR on an association that sent direct marketing messages to (former) donors for fundraising

The Belgian Data Protection Authority has imposed a fine of 1,000 EUR on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for its fundraising. The administrative fine was imposed following a complaint lodged with the Belgian Data Protection Authority by a former donor of the association as the latter had not complied with the request for data erasure addressed by the data subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR.

The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.

First of all, the Litigation Chamber found that the data controller did not comply with the data erasure request and the data subject's right to object. Secondly, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a ground for the processing in the present case, since it did not meet the cumulative conditions imposed by the case law of the Court of Justice of the European Union (in particular the Rigas judgment) in this respect. According to this case law, in order to invoke Article 6.1, f) GDPR, the controller must demonstrate that i) the interests pursued by the processing can be recognized as legitimate ("purpose test"); ii) the processing is necessary for the purposes of those interests ("necessity test"); and iii) the balancing of these interests against the fundamental rights and freedoms of the data subjects concerned weighs in favour of the controller or of a third party ("balancing test"). In the present case, the Litigation Chamber decided that the third condition of Article 6.1, f) GDPR and the case law of the Court of Justice was not fulfilled.

More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect his data to be processed for direct marketing purposes years after the collection of these data (recital 47 GDPR). Moreover, the Litigation Chamber found that the data controller had not sufficiently facilitated the exercise of the right to object.

This decision implements the 2020-2025 Strategic Plan of the Belgian Data Protection Authority, of which 'direct marketing' is one of the priority strategic points. The Litigation Chamber also refers to Recommendation No 01/2020 of the Belgian DPA in this respect.

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

EDPB publishes new register containing One-Stop-Shop decisions

The EDPB has published a new register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up until early June, LSAs have adopted 110 final OSS decisions. The register includes access to the decisions as well as summaries of the decisions in English prepared by the EDPB Secretariat. The register will be valuable to data protection practitioners, who will gain access to information showcasing how SAs work together to enforce the GDPR in practice. The information in the register has been validated by the LSAs in question, in accordance with the conditions provided by their national legislation.

The register is accessible here

Temporary suspension of the Norwegian Covid-19 contact tracing app

The Norwegian Data Protection Authority has notified the Norwegian Institute of Public Health (NIPH) of its intention to impose a temporary ban on the processing of personal data in connection with the Smittestopp contact tracing mobile application. NIPH has now temporarily suspended all use of the app.
 
On Monday 15 June, NIPH announced that they have decided to suspend the app and erase all data until further notice, but that they will provide a formal response by 23 June, which is the date set by the Data Protection Authority. The notice entails a temporary ban on all collection of personal data by NIPH through the app.

Intervention no longer proportionate

“NIPH has chosen to suspend all collection and storage of data immediately. I hope they use the time left until 23 June well, both to document the benefits of the app and to make other necessary changes, so that they can resume use of it,” says Data Protection Authority Director-General Bjørn Erik Thon.

The basis for the notice is the Data Protection Authority’s assessment that the Smittestopp app can no longer be considered a proportionate intervention in the users’ fundamental rights to data protection.

“Smittestopp is a highly invasive measure in terms of data protection, even in these special circumstances, where our society is fighting a pandemic. We do not see the utility, given our current situation and the way the technical solution is designed and presently working,” Thon says.

Legality hinges on public benefit

Smittestopp is a digital solution for contact tracing. It can notify the user if they have been in close contact with people infected with Covid-19. By analysing anonymized and aggregated data of population movement patterns, NIPH will also evaluate infection control measures and monitor rates of transmission through society. Smittestopp collects large quantities of personal data about app users, including continuous location data and information about app users’ contact with others.

“Our notice does not mean that we can’t use technology and apps to fight this pandemic. However, the legality of Smittestopp hinges on its public benefit,” Thon says. “We have considered the solutions chosen for the Smittestopp app, the low proliferation of the app, with users accounting for approximately 14 percent of the population aged 16 and older, and the rates of infection in the general population. We have also taken into account the National Institute of Public Health’s release stating that the rate of infection is currently so low that it is difficult to validate that the app’s alerts are notifying the right people — not too many and not too few.”

Location data from GPS and Bluetooth

Currently, Smittestopp users cannot choose to provide personal data for contact tracing purposes without also agreeing to the data being used for analysis and research. These different purposes require different types of personal data. We question the lack of choice for the users. Several other European countries have developed contact tracing apps that rely solely on Bluetooth technology and that do not collect GPS-based location data. The World Health Organization (WHO) has also posted several publications related to digital proximity tracking for Covid-19 (example link).

“The European Data Protection Board has concluded that the use of location data in contact tracing is unnecessary and recommend the use of Bluetooth data only. We do not find that NIPH has sufficiently justified the need to use location data for contact tracing and await new information from NIPH on this issue,” Thon says.

Smittestopp currently only has contact tracing functionality in combination with notification in three test municipalities: Drammen, Trondheim and Tromsø.

“Also, no solution for anonymizing and aggregating data for analysis has yet been implemented. The app nevertheless continually collects personal data from all users,” Thon says.

Going forward

The Data Protection Authority has invited the National Institute of Public Health to a meeting on Friday 19 June to further discuss this matter. NIPH has until 23 June to provide a response to the order.

“There are many different things we need to discuss. The design of the request for approval and the use of GPS in contact tracing are central issues, but we also need to discuss the anonymization solution, which is not yet in place. A solution for how to handle requests for access will also be a topic for discussion. We need to see some specific changes on these important issues,” Thon says.

To read the press release in Norwegian, click here

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Thirty-second Plenary Session: adopted documents

Belgian DPA fines controller for sending a direct marketing message to the wrong person and for not responding adequately to the subsequent request for access

The Belgian DPA has imposed a fine of 10 000 EUR on a controller for sending a direct marketing message to the wrong person and for not responding adequately to the data subject’s subsequent request for access to his data. The marketing message was sent to the plaintiff instead of to another person who had the same name but a different email address. This incorrect processing was due to a human error. As a result, the plaintiff exercised his right of access, which did not run smoothly. The Belgian DPA established that the controller did not sufficiently answer the request of the plaintiff (Article 15 GDPR), did not respond within the deadline set by the GDPR (Article 12.3 GDPR) and was not sufficiently transparent (Article 12.1 GDPR). For these reasons, the Belgian DPA considers that the exercise of the rights of the plaintiff was not sufficiently facilitated, as required by Article 12.2 GDPR.

To read the full decision in French, click here

For further information, please contact the Belgian DPA contact@apd-gba.be


Co-operative housing association banned from using video surveillance in entrance and stairwell

The Swedish Data Protection Authority (DPA) has investigated a co-operative housing association’s use of video surveillance on its property. The DPA concludes that the association has gone too far when using video surveillance in the main entrance and the stairwell and when recording audio.

The Swedish DPA has received complaints claiming that a co-operative housing association monitors the stairwell in the association’s apartment building. The DPA has now finished an audit of the association.

The Swedish Data Protection Authority’s investigation shows that the association has four surveillance cameras installed. Two are located in the stairwell, one in the main entrance and one is directed towards a distribution box in the association’s storage room. All cameras record video and audio non-stop, 24 hours a day, 7 days a week.

For the two cameras set up in the stairwell, the Swedish Data Protection Authority notes that these allow the association to map the habits, visits and social circle of the residents. “Already the fact that the surveillance is of the residents and their home environment means that it requires very strong reasons for the monitoring to be allowed,” writes the authority in its decision.

– Under special circumstances, a co-operative housing association may monitor a stairwell. However, in order for such surveillance to be allowed, the association must be able to demonstrate a pressing need for such video surveillance and that has not been the case here, says Nils Henckel, legal advisor at the Swedish DPA.

The third camera is set up at the main entrance and the association states that it is to combat problems with vandalism, which it had experienced during two months in 2018. The Swedish DPA stresses the obligation to continuously review whether a need for video surveillance is justified and concludes that no such need was still present to date.

As for the fourth camera, which is directed towards the distribution box, the DPA concludes that it must be re-directed so that it does not monitor the residents’ storage facilities.

Furthermore, the Swedish Data Protection Authority notes that audio recording constitutes an additional intrusion into the private sphere, in particular when recorded in a residential building, and that there are no circumstances that justify such intrusion in this case.

The Swedish DPA also concludes that the association has failed to properly inform the residents about the video surveillance. That includes the lack of information about the data controller, where to turn to for further detailed information and that audio is recorded, which is a particularly severe omission.

The Swedish Data Protection Authority orders the co-operative housing association to stop the video surveillance of the stairwell and entrance, to cease audio recording for the surveillance camera by the distribution box and to improve the information provided concerning the video surveillance. The Swedish Data Protection Authority furthermore issues an administrative fine of 20 000 Swedish kronor (approximately 2 000 euro) against the association. When calculating the amount of the fine, account was taken of the fact that it was a smaller co-operative housing association.

To read the press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se 


Thirty-second plenary session: Statement on the interoperability of contact tracing applications, statement on the opening of borders and data protection rights, response letters to MEP Körner on laptop camera covers and encryption and letter to the Commi

During its 32nd plenary session, the EDPB adopted a statement on the interoperability of contact tracing apps, as well as a statement on the opening of borders and data protection rights. The Board also adopted two letters to MEP Körner - on encryption and on Article 25 GDPR - and a letter to CEAOB on PCAOB arrangements.

The EDPB adopted a statement on the interoperability of contact tracing applications, building on the EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The statement offers a more in-depth analysis of key aspects, including transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy in the context of creating an interoperable network of applications, that need to be considered on top of those highlighted in the EDPB Guidelines 04/2020.

The EDPB emphasises that the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential uptake. The goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary.

Moreover, contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic, such as testing and subsequent manual contact tracing for the purpose of improving effectiveness of the performed measures.

Ensuring interoperability is not only technically challenging, and sometimes impossible without disproportionate trade-offs, but also potentially increases the data protection risk. Therefore, controllers need to ensure that measures are effective and proportionate and must assess whether a less intrusive alternative can achieve the same purpose.

The EDPB adopted a statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak. The measures allowing a safe reopening of the borders currently envisaged or implemented by Member States include testing for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app. Most measures involve processing of personal data.

The EDPB recalls that data protection legislation remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. The EDPB stresses that the processing of personal data must be necessary and proportionate, and the level of protection should be consistent throughout the EEA. In the statement, the EDPB urges the Member States to take a common European approach when deciding which processing of personal data is necessary in this context.

The statement also addresses the GDPR principles that Member States need to pay special attention to when processing personal data in the context of reopening the borders. These include lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, security of data and data protection by design and by default. Moreover, the decision to allow entry into a country should not be based solely on automated individual decision-making technologies. In any case, such decisions should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Automated individual decision measures should not apply to children.

Finally, the EDPB highlights the importance of a prior consultation with competent national supervisory authorities when Member States intend to process personal data in this context.

The EDPB adopted a response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal data are transferred to countries where these bans exist. According to the EDPB, any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors, be that in a third country or in the EEA. Security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.

A second letter to MEP Körner addresses the topic of laptop camera covers. MEP Körner highlighted that this technology could help comply with the GDPR and suggested that new laptops should be equipped with it. In its reply, the Board clarifies that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products, and the GDPR does not establish legal obligations for manufacturers unless they also act as controllers or processors. Controllers must evaluate the risks of each processing operation and choose the appropriate safeguards to comply with the GDPR, including privacy by design and by default as enshrined in Article 25 GDPR.

Finally, the EDPB adopted a letter to the Committee of European Auditor Oversight Bodies (CEAOB). The EDPB received a proposal from the CEAOB, which gathers the national auditor oversight bodies at EU level, to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board (PCAOB). The EDPB welcomes this proposal and indicates that it is available to hold an exchange with the CEAOB to clarify any potential questions on data protection requirements related to such arrangements in light of the EDPB Guidelines 2/2020 on Art. 46 (2) (a) and 46 (3) (b) GDPR for transfers of personal data between EEA and non-EEA public authorities. The exchange could also involve the PCAOB if the CEAOB and its members deem it beneficial for their work on these arrangements.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Belgian DPA imposes fine of 1000 euro on a controller for not responding to a request to object to the processing of his data for marketing purposes

The Belgian DPA has imposed a fine of 1000 euro on a controller for not responding to a request from a citizen to object to the processing of his data for marketing purposes (article 15.3 GDPR), and for not collaborating with the authority (article 31 GDPR).

In a previous decision, the Belgian DPA had ordered the controller to meet the request of the plaintiff and to notify the Belgian DPA of the action taken on the request. The controller did not react to this injunction. When the controller was later asked why they did not comply with the injunction of the Belgian DPA, the controller demonstrated a cavalier attitude and a complete lack of interest in both the application of the GDPR and the procedure. For this attitude, as well as the established infringement of the right to object, the Belgian DPA eventually decided to impose a 1000 euro fine.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be


Belgian Data Protection Authority imposed a fine of 5.000 EUR on local election candidate

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 5.000 EUR on a candidate in local elections for using the staff registry of a municipality to send election propaganda (in the form of a letter) to staff members. The Belgian municipality in question filed the complaint against the candidate.

The Litigation Chamber established the following elements:
- A legal person (in this case the municipality) is entitled to file a complaint with the DPA.
- Contrary to what was said by the defendant, the communication did not amount to normal communication between a municipal councilor, which the defendant was at the time, and municipal staff. The content of the letter sent shows that it was indeed election propaganda.
- A violation of Article 5, 1., b) (purpose limitation) occurred, considering that the staff register is not meant to be used for purposes other than the internal management of the municipality.
- The Litigation Chamber could find no legal basis for a lawful processing of data from the staff register and therefore also concluded that Articles 5, 1., a) and 6, 1 (lawfulness of processing) had been violated.

The imposition of a fine of 5.000 EUR was done on the basis of previous similar decisions by the Litigation Chamber of the BE DPA, in which it had found that further processing of data gathered for municipal purposes with the intent of using them for political propaganda violated the principles of lawful processing and of purpose limitation.

The Litigation Chamber also considers that the defendant’s other positions in public service should have led him to a greater respect for the rules on electoral campaigning, which include data protection rules.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be


Thirty-first Plenary session: Establishment of a taskforce on TikTok, Response to MEPs on use of Clearview AI by law enforcement authorities, Response to ENISA Advisory Group, Response to Open Letter NYOB

During its 31st plenary session, the EDPB decided to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU, and adopted a letter with regard to the use of Clearview AI by law enforcement authorities. In addition, the EDPB adopted a response to the ENISA advisory group and a letter in response to an Open Letter from NOYB.

The EDPB announced its decision to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU.

In response to MEP Körner’s request regarding TikTok, the EDPB indicates that it has already issued guidelines and recommendations that should be taken into account by all data controllers whose processing is subject to the GDPR, in particular when it comes to the transfer of personal data to third countries, substantive and procedural conditions for access to personal data by public authorities or the application of the GDPR territorial scope, in particular when it comes to the processing of minors’ data. The EDPB recalls that the GDPR applies to the processing of personal data by a controller, even if it is not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union.

In its response to MEPs regarding Clearview AI, the EDPB shared its concerns regarding certain developments in facial recognition technologies. The EDPB recalls that under the Law Enforcement Directive (EU) 2016/680, law enforcement authorities may process biometric data for the purpose of uniquely identifying a natural person only in accordance with the strict conditions of Articles 8 and 10 of the Directive.

The EDPB has doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI. Therefore, as it stands and without prejudice to any future or pending investigation, the lawfulness of such use by EU law enforcement authorities cannot be ascertained.

Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.

Finally, the EDPB refers to its guidelines on the processing of personal data through video devices and announces upcoming work on the use of facial recognition technology by law enforcement authorities.

In response to a letter from the European Union Agency for Cybersecurity (ENISA) requesting that the EDPB nominate a representative to the ENISA Advisory group, the Board appointed Gwendal Le Grand, Deputy Secretary-General CNIL, as representative. The Advisory Group assists the Executive Director of ENISA with drawing up an annual work programme and ensuring communication with the relevant stakeholders.

The EDPB adopted a response to an Open Letter by NOYB regarding cooperation between the Supervisory Authorities and the consistency procedures. In its letter, the Board indicates it has been working constantly on the improvement of the cooperation between the Supervisory Authorities and the consistency procedures. The Board is aware that there are issues requiring improvement, such as the differences in national administrative procedural laws and practices, together with the time and resources needed to resolve cross-border cases. The Board reiterates it is committed to finding solutions, where these lie within its competence.

The agenda of the 31st plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

The Spanish Data Protection Authority fined the company Iberdrola 4,000 euros for not responding to a request for information

A sanction procedure was opened for not responding to a request for information made in order to investigate the facts identified in a complaint. The complainant had requested the exclusion of his data from a debtors file (Asnef) relating to an alleged debt to the energy supply company Iberdrola.
 
The complaint was transferred to Iberdrola and it was required to forward to the AEPD the information and documents requested in the letter. After receiving no response, the complaint was accepted.
 
Investigations were then carried out and the entity was again required to report on the facts denounced. This new request was also not answered. In a nutshell, Iberdrola had not provided the information required and consequently hindered the investigative powers that each supervisory authority has, infringing Article 58.1 of the GDPR.
 
This infringement is typified in Article 83.5(e) of the GDPR and is classified for limitation-period purposes as very serious. It was also taken into account that Iberdrola is a large, long-established undertaking and should therefore have established procedures for fulfilling its obligations under the data protection regulations, including providing any information required by the supervisory authority. For this reason, it was sanctioned with 5,000 euros, reduced to 4,000 euros as it benefited from the voluntary payment reduction provided for in the Spanish Procedure Law.

To read the full decision in Spanish, click here

For further information, please contact the Spanish DPA: prensa@aepd.es


EDPB adopted documents - 26th, 28th and 30th plenary

Finnish DPA imposes administrative fine for several deficiencies in personal data processing

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine on Taksi Helsinki Oy for violations of data protection legislation on 26 May. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.

The Office of the Data Protection Ombudsman started an investigation on Taksi Helsinki’s personal data processing in November 2019. Serious deficiencies were found in the company’s processing of personal data.

The impact of the processing had not been assessed in accordance with data protection legislation.

Taksi Helsinki replaced its camera surveillance system with one that records both video and audio in the summer of 2019. However, the company did not assess the compliance of the related personal data processing with the GDPR.

The Deputy Data Protection Ombudsman ordered the company to conduct a balance test to evaluate, for example the necessity of personal data processing and its impact on the interests and rights of the data subjects.

Taksi Helsinki also failed to conduct the impact assessments required by the GDPR before the start of processing. Data protection impact assessments would have been required for security camera surveillance, location data processing and automated decision-making and profiling connected to the company’s loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to carry out the required impact assessments.

No basis given for processing audio data

Taksi Helsinki reported that it processed the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio. However, the company did not provide an explanation for why it only processed audio data from some of its taxis. The company later stated that the audio data had been processed by mistake.

The Deputy Data Protection Ombudsman found that the processing of audio data was not in line with the GDPR’s principle of data minimisation. She ordered Taksi Helsinki to ensure that the processing of audio data without appropriate grounds is stopped immediately.

Problems with basic data protection issues

The Deputy Data Protection Ombudsman’s investigation also revealed that Taksi Helsinki did not inform data subjects of the processing of their personal data in the manner required by data protection legislation. The notifications in the taxis did not say anything about audio recording or indicate from where customers could obtain information on it.

Neither did the company’s privacy statement contain information on the automated decision-making and profiling performed in its loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to change its policies for informing customers to provide clear information on its processing of personal data. The information must also be easily accessible.

Deficiencies related to documentation and the definition of personal data processing roles were also discovered in the investigation. The Deputy Data Protection Ombudsman ordered Taksi Helsinki to rectify its procedures.

Administrative fine imposed

Several serious shortcomings in the identification of risks, compliance with data protection principles and implementation of the rights of data subjects were identified in Taksi Helsinki’s processing of personal data.

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. This amount was proportionate, effective and cautionary in the assessment of the board.  

The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.

To read the full decisions in Finnish, click here.

For further information, please contact the Finnish DPA: tietosuoja(at)om.fi

The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and his two Deputy Data Protection Ombudsmen and has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.


Thirtieth Plenary session: EDPB response to NGOs on Hungarian Decrees and statement on Article 23 GDPR

During its 30th plenary session, the EDPB adopted a statement on data subject rights in connection to the state of emergency in Member States. The Board also adopted a letter in response to a letter from Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union (HCLU) regarding the Hungarian Government’s Decree 179/2020 of 4 May.

The EDPB recalls that, even in these exceptional times, the protection of personal data must be upheld in all emergency measures, thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded.

In both the statement and the letter the EDPB reiterates that the GDPR remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law already enables data-processing operations necessary to contribute to the fight against the COVID-19 pandemic.

The statement recalls the main principles related to the restrictions on data subject rights in connection to the state of emergency in Member States:

•    Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified.
•    Under specific conditions, Article 23 GDPR allows national legislators to restrict via a legislative measure the scope of the obligations of controllers and processors and the rights of data subjects when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, such as in particular public health.
•    Data subject rights are at the core of the fundamental right to data protection and Article 23 GDPR should be interpreted and read bearing in mind that their application should be the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances.
•    Restrictions must be provided for ‘by law’, and the law establishing restrictions should be sufficiently clear as to allow citizens to understand the conditions in which controllers are empowered to resort to them. Additionally, restrictions must be foreseeable for persons subject to them. Restrictions imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
•    The mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.  
•    The emergency state, adopted in a pandemic context, is a legal condition, which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as it is strictly necessary and proportionate in order to safeguard the public health objective. Thus, restrictions must be strictly limited in scope and in time, since data subject rights can be restricted but not denied. Additionally, the guarantees provided for under Article 23(2) GDPR must fully apply.
•    Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent to data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.

Furthermore, the EDPB announced it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months.

The agenda of the 30th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Finnish DPA imposed three administrative fines for data protection violations

The Office of the Data Protection Ombudsman’s sanctions board imposed administrative fines on three companies for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.

Deficiencies in information provided in connection with change-of-address notifications

The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object to the disclosure of their data, in connection with change-of-address notifications.

The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had submitted such notifications only to customers who bought additional services in addition to making the change-of-address notification.
Posti had notified the Data Protection Ombudsman that it would look into possibilities for improving the transparency of personal data processing already in 2017. The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.

The sanctions board imposed an administrative fine of EUR 100,000 on Posti Oy.

The data protection impact assessment on the processing of employee location data had been neglected

The second decision concerned a complaint made to the Data Protection Ombudsman about how Kymen Vesi Oy processed the location data of its employees by tracking vehicles with a vehicle information system. The controller had not made the impact assessment required by the GDPR before starting to process the location data. The location data was used for monitoring working hours, among other things.

A data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment is necessary, for example, if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring. A description of the situations in which a data protection impact assessment of the processing of location data is required can be found on the Data Protection Ombudsman's website.
The sanctions board imposed an administrative fine of EUR 16,000 on Kymen Vesi Oy.

Job applicants’ personal data was collected unnecessarily

In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.

The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.
The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of EUR 12,500 on the company.

The decisions are not final, since they can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.

Sanctions must be proportionate, efficient and cautionary

This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or EUR 20 million.
The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, with the Data Protection Ombudsman serving as chairman. The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act.

To read the full decisions in Finnish, click here

For further information, please contact the Finnish DPA: reijo.aarnio(at)om.fi


Twenty-eighth Plenary session: Art. 64 GDPR Opinion on draft SCCs submitted by the SI SA, Publication register of Art. 60 GDPR (OSS) Decisions

Brussels, 20 May - During its 28th EDPB plenary session, the EDPB adopted an Art. 64 GDPR opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing ‘one-stop-shop’ decisions.

The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority. The opinion aims to ensure the consistent application of Article 28 GDPR, which imposes an obligation on controllers and processors to enter into a contract or other legal act stipulating the parties’ respective obligations. According to Article 28(6) GDPR, these contracts or other legal acts may be based, in whole or in part, on standard contractual clauses adopted by a Supervisory Authority. In the opinion, the Board makes several recommendations that need to be taken into account in order for these draft SCCs to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Slovenian SA will be able to adopt this draft agreement as Standard Contractual Clauses pursuant to Article 28(8) GDPR.

The EDPB will publish a register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up to the end of April 2020, LSAs had adopted 103 final OSS decisions. The EDPB intends to publish summaries in English prepared by the EDPB Secretariat. The information will be made public after validation by the LSA in question and in accordance with the conditions provided by its national legislation.

The agenda of the 28th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Fine proposed for Danish recruitment company

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed. The company had erased personal data subject to the access request of a data subject during the period after the request was submitted and prior to the company's reply. The Data Protection Authority became aware of the case on the basis of a complaint.

Good data processing

"Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the data by the Data Protection Authority and the Courts. This is a violation of the citizen's fundamental rights and is not an example of good data processing," says Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority.

Fine proposal

The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

It is the view of the Danish Data Protection Agency that a breach of the fundamental principles of the regulation concerning processing security by a company in a case such as the one in question cannot, in principle, be penalised by a fine lower than DKK 50.000, if the basic requirement of effective and dissuasive penalties laid down by the regulation is to be complied with at the same time. At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

In most European countries, national data protection authorities can issue administrative fines themselves, but the rules are different in, inter alia, Denmark.

After having clarified and assessed the case, the Data Protection Authority (DPA) reports the data controller to the police. The police then considers whether there are grounds for bringing a charge, and finally any financial penalty will be decided by a court.



Wrongful to publish sensitive personal data on Region Örebro County’s website

The Swedish Data Protection Authority’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

The Swedish Data Protection Authority received a complaint against the Healthcare Committee in Region Örebro County, in which it was claimed that sensitive personal data about a patient admitted to a forensic psychiatry clinic had been published on the region's website.

– Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region's website, says Elin Hallström, Legal Advisor at the Swedish Data Protection Authority.

The Swedish Data Protection Authority’s audit shows that there are no written instructions relating to the publication of documents and personal data on the website in place. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed which led to the accidental publication of the document, suggesting that the Committee had not taken sufficient organizational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

– For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publish personal data on the region's website do so in accordance with set instructions.

In its decision, the Swedish Data Protection Authority also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

The Swedish Data Protection Authority orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

