Datainspektionen på Åland

Datainspektionen på Åland is responsible for data protection in the public administration on Åland. Datainspektionen in Sweden changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten. See imy.se for details.

European Data Protection Board

EDPB adopted documents - 48th plenary

EDPB Opinions on draft UK adequacy decisions

The two EDPB opinions on the European Commission draft Implementing Decisions on the adequate protection of personal data in the United Kingdom have now been published on the EDPB website.

Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision.

Opinion 15/2021 is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. This is the first draft implementing decision on a third country’s adequacy under the LED ever presented by the European Commission and assessed by the EDPB.

European Data Protection Board - 48th Plenary Session

Opinions on draft UK adequacy decisions, Guidelines on the application of Article 65(1)(a) GDPR, Guidelines on the targeting of social media users and Statement on international agreements including transfers

During its plenary session, the EDPB adopted two Opinions on the draft UK adequacy decisions. Opinion 14/2021 is based on the GDPR and assesses both general data protection aspects and government access to personal data transferred from the EEA for the purposes of law enforcement and national security included in the draft adequacy decision. This assessment is based on the GDPR Adequacy Referential WP254. Opinion 15/2021 is based on the Law Enforcement Directive (LED) and analyses the draft adequacy decision in the light of Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive, as well as the relevant case law reflected in Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. This is the first draft implementing decision on a third country’s adequacy under the LED ever presented by the European Commission and assessed by the EDPB. 

The EDPB notes that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.

EDPB Chair, Andrea Jelinek said: "The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission's decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK."

The EDPB underlines that several items should be further assessed and/or closely monitored by the European Commission in its decision based on the GDPR, such as: 

  • Immigration Exemption and its consequences on restrictions on data subject rights;
  • The application of restrictions to onward transfers of EEA personal data transferred to the UK, on the basis of, for instance, future adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.

Regarding access by public authorities for national security purposes to personal data transferred to the UK, the EDPB welcomes the establishment of the Investigatory Powers Tribunal (IPT) to address the challenges of redress in the area of national security, and the introduction of Judicial Commissioners in the Investigatory Powers Act (IPA) 2016 to ensure better oversight in that same field. The EDPB still identifies a number of points requiring further clarifications and/or monitoring: 

  • Bulk interceptions;
  • Independent assessment and oversight of the use of automated processing tools;
  • Safeguards provided under UK law when it comes to overseas disclosure, in particular in light of the application of national security exemptions.

The Board adopted Guidelines on the application of Article 65(1)(a) GDPR to delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies. The guidelines will be subject to public consultation for a period of six weeks.

The EDPB adopted a final version of the Guidelines on the targeting of social media users following public consultation. The aim of the Guidelines is to clarify the roles and responsibilities of social media providers and targeted individuals. The final version integrates updated wording in order to address comments and feedback received during the public consultation.

The EDPB adopted a Statement on international agreements including transfers. The EDPB invites EU Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data and which were concluded before 24 May 2016 (for those relevant to the GDPR) and 6 May 2016 (for those relevant to the LED) to align them, where necessary, with EU data protection law. 

The agenda of the forty-eighth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2021_03

‘Easy privacy information via icons? Yes, you can!’ The Italian DPA launches a contest calling for creative ideas from all quarters

‘Easy privacy information via icons? Yes, you can!’ This is the claim used by the Italian SA to launch a contest for solutions that can make information notices simpler, clearer and immediately understandable through icons, symbols or other graphic elements – in short, to make sure that the notices are really helpful and suitable for the purpose for which they are intended.

The information notices used by companies, public bodies, websites, social networks and search engines are often lengthy and complex and therefore cannot fulfil their essential function, which is informing data subjects about how their personal data will be used and allowing them where appropriate to give their free, informed consent to the processing of their data for whatever purpose – be it marketing, profiling, or the disclosure of information to third parties.

The Garante is calling upon software developers, tech professionals, experts, lawyers, designers, university students, and anyone interested in this topic, to send a set of symbols or icons that can represent all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR.

Proposals will be welcome until 30 May, 2021 and should be emailed to icona@gpdp.it.

The Garante will select three datasets of symbols and icons that are considered especially effective and will make them available on its website for use by all stakeholders, specifying the author’s name.

The applicable rules are available at www.gpdp.it/informativechiare 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Dutch DPA fines Booking.com for delay in reporting data breach

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking. 

The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone. 

Phishing
‘Booking.com customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions. 

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

Breach reported 22 days too late
Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time. 

‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’

Huge responsibility
According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’ 

Booking.com will not lodge an objection to or apply for review of the decision imposing the fine.

International investigation
The investigation into the Booking.com breach was international in scope. The situation involved an international company with customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.

Obligation to report data breaches
The obligation to report data breaches means that both companies and public authorities must immediately (and in any case within 72 hours) inform the DPA if they suffer a serious data breach. In certain cases they must also inform the individuals whose personal data was leaked. Data breaches must be reported to the DPA’s Data breach helpdesk.

Explosive increase in data theft
In 2020 the DPA warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data. The number of reports in 2020 was 30% higher than in the previous year. This can be seen in the DPA’s 2020 Report on Data Breaches. Data theft can often be prevented by enhanced security.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

EU data protection authorities adopt a joint opinion on the Digital Green Certificate proposals

Brussels, 6 April – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the proposals for a Digital Green Certificate. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic through a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates.

With this joint opinion, the EDPB and the EDPS call on the co-legislators to ensure that the Digital Green Certificate fully complies with EU personal data protection legislation. Data protection authorities from all EU and EEA countries emphasise the need to mitigate the risks to the fundamental rights of EU citizens and other EU residents that may arise from the Digital Green Certificate, including the risk of unintended secondary use. The EDPB and the EDPS underline that the use of the Digital Green Certificate may in no way lead to direct or indirect discrimination of individuals and that it must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures proposed, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.

"A Digital Green Certificate that is accepted in all Member States can be a major step forward in resuming travel across the EU," says Andrea Jelinek, Chair of the EDPB. "Any measure adopted at national or EU level that involves the processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate in the Member States must have an appropriate legal basis in the Member States and that all necessary safeguards must have been put in place."

"It must be made clear that the Proposal does not allow, and must not lead to, the creation of any form of central database of personal data at EU level," says Wojciech Wiewiórowski, EDPS. "It must also be ensured that personal data are not processed for longer than is strictly necessary and that access to and use of these data are not permitted once the pandemic has ended. I have always stressed that the measures taken in the fight against COVID-19 are temporary and that it is our duty to ensure that they do not remain after the crisis."

In the current crisis situation caused by the COVID-19 pandemic, the EDPB and the EDPS insist that the principles of effectiveness, necessity, proportionality and non-discrimination are upheld. The EDPB and the EDPS underline that, at the time of writing, there appears to be little scientific evidence as to whether COVID-19 vaccination (or recovery from COVID-19) confers guaranteed immunity and for how long such immunity may last. But the scientific evidence is growing by the day.

Moreover, a number of factors are still unknown regarding the effectiveness of vaccination in reducing transmission. The Proposal should contain clear and precise rules on the scope and application of the Digital Green Certificates and provide for appropriate safeguards. This will give individuals whose personal data are affected sufficient guarantees that they are effectively protected against the risk of discrimination.

The Proposal must expressly establish that access to and subsequent use of personal data by EU Member States once the pandemic is over is not permitted. At the same time, the EDPB and the EDPS emphasise that the application of the proposed Regulation must be strictly limited to the current COVID-19 crisis.

The joint opinion contains specific recommendations on further clarification of the categories of data covered by the Proposal, the storage of the data, transparency requirements, and the identification of controllers and processors.


Note to editors: Please note that all documents adopted during the European Data Protection Board's plenary sessions are subject to the necessary checks of legal aspects, language and formatting and will be published on the Board's website once these checks have been carried out.

EDPB_Press Release_statement_2021_03

EU data protection authorities adopt joint opinion on the Digital Green Certificate Proposals

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the Proposals for a Digital Green Certificate. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates. 

With this Joint Opinion, the EDPB and the EDPS invite the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation. The data protection commissioners from all EU and European Economic Area countries highlight the need to mitigate the risks to fundamental rights of EU citizens and residents that may result from issuing the Digital Green Certificate, including its possible unintended secondary uses. The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.

Andrea Jelinek, Chair of the EDPB, said: "A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place."

Wojciech Wiewiórowski, EDPS, said: "It must be made clear that the Proposal does not allow for - and must not lead to - the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis."

In the current emergency situation caused by the COVID-19 pandemic, the EDPB and the EDPS insist that the principles of effectiveness, necessity, proportionality and non-discrimination are upheld. The EDPB and the EDPS reiterate that, at the moment of writing, there seems to be little scientific evidence as to whether having received the COVID-19 vaccine (or having recovered from COVID-19) grants immunity, and, by extension, how long such immunity may last. But scientific evidence is growing daily.

Moreover, a number of factors are still unknown regarding the efficacy of the vaccination in reducing transmission. The Proposal should lay down clear and precise rules governing the scope and application of the Digital Green Certificate and impose appropriate safeguards. This will allow individuals, whose personal data is affected, to have sufficient guarantees that they will be protected, in an effective way, against the risk of potential discrimination.

The Proposal must expressly include that access to and subsequent use of individuals’ data by EU Member States once the pandemic has ended is not permitted. At the same time, the EDPB and the EDPS highlight that the application of the proposed Regulation must be strictly limited to the current COVID-19 crisis.

The Joint Opinion includes specific recommendations for further clarifications on the categories of data concerned by the Proposal, data storage, transparency obligations and identification of controllers and processors for the processing of personal data. 


Note to editors: Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Spanish DPA Fines Vodafone Spain more than 8 Million Euros

Vodafone Spain fined more than 8 million euros for an infringement of the GDPR (RGPD) and two infringements of national laws

Case summary: From April 2018 to September 2019, 191 complaints were received in similar cases concerning telephone calls and SMS messages to citizens who had objected to the processing of their data for advertising. In September 2019, an on-site inspection was carried out at the headquarters of "Vodafone España, S.A.U.", detecting the absence of continuous monitoring of processors and the lack of organisational and technical means to carry out the processing entrusted to them (Art. 28), in particular the ability to avoid advertising actions aimed at citizens who had exercised their rights to object or to erasure of their personal data. An international data transfer (Article 44) to a third country (Republic of Peru) was also detected, from where the processors carried out advertising actions on behalf of the controller (Vodafone España, S.A.U.).

It should be added that the supervisory authority, on the basis of its national competences, imposed two further penalties under two related national laws (the General Telecommunications Law and the Electronic Commerce Law), with fines of 2,000,000 € and 150,000 € respectively.

For further information, please contact the Spanish DPA: prensa@aepd.es

Bavarian DPA (BayLDA) calls for German company to cease the use of 'Mailchimp' tool

The "ruling" presented in the "Standard" concerns a remedy procedure concluded without formal supervisory measures regarding a complaint by a data subject, in which the controller (an individual company) that had used Mailchimp had, after our request for comments and detailed information on the consequences of the Schrems II decision, announced that it had now refrained from using Mailchimp.

Our final notice to the complainant, which apparently formed the basis of the publication and was sent in mid-March, had the following wording in extracts and translated informally: 

"... We are referring to your data protection complaint against .... concerning the use of "Mailchimp". As a result of our intervention, the company has informed us that it had used Mailchimp twice to send newsletters. As a result of our intervention, the company has now informed us that it will no longer use Mailchimp with immediate effect.

The company also informed us that it had only transmitted email addresses to Mailchimp in the context of the above-mentioned use. It also mentioned that the recommendations of the European Data Protection Board on the so-called Supplementary Measures for transfers of personal data to third countries are not yet available in a final version, but are still subject to public consultation; this is correct.

According to our assessment, the use of Mailchimp by .... in the two cases mentioned - and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint - was unlawful under data protection law, because .... had not examined whether, in addition to the EU standard data protection clauses (which were used), "additional measures" within the meaning of the ECJ decision "Schrems II" (ECJ, judgment of 16.7.2020, C-311/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken."

We informed the company that, due to the above, the above-mentioned transfers of personal data to the U.S. were not lawful.

"The processing of your complaint is thus concluded. This letter constitutes the legally required information on the outcome of the processing of your complaint pursuant to Art. 77 (2) of the GDPR."

This case is exemplary for our supervisory enforcement of the requirements of the ECJ decision, which, contrary to recurring criticism, has already been taken up with a high degree of intensity even without publicly perceived investigations or sanctions and has so far succeeded with above-average frequency in reaching agreement.

For more information, please contact the Bavarian DPA: poststelle@lda.bayern.de

Lithuanian DPA issues EUR 12,000 fine for infringements of the General Data Protection Regulation in application “Karantinas” (Quarantine)

Following the temporary suspension of the use of the application "Karantinas" in May 2020 and after an investigation conducted by the Lithuanian State Data Protection Inspectorate (DPA), in February 2021 fines for infringements of the General Data Protection Regulation (GDPR) were imposed on the National Public Health Centre (NPHC) and on the developer of the application, UAB "IT sprendimai sėkmei" (the Company).

A fine of EUR 12,000 was imposed on the NPHC for infringements of Articles 5, 13, 24, 32 and 35 and Article 58(2)(f) of the GDPR, and a fine of EUR 3,000 was imposed on the Company for infringements of Articles 5, 13, 24, 32 and 35 of the GDPR.

In spring 2020, the DPA started monitoring activities in response to media reports about the possible improper processing of personal data by the application "Karantinas". After an assessment of the initial information, it was decided to open an investigation and to suspend the processing of personal data by the application.

The investigation revealed that data from 677 individuals had been collected since April 2020, when the application became operational. Not all personal data were collected to the same extent; however, the application was designed to process personal data such as identification number, latitude and longitude coordinates, country, city, municipality, postal code, street name, house number, name, surname, personal number, telephone number, address, second address, whether the place of residence had been declared in Lithuania, and other information. According to the submitted data, it was established that the app's data processing was performed not only in the territory of Lithuania but also elsewhere in Europe (Estonia, Switzerland, etc.) and abroad (India, USA, etc.).

The investigation established that the NPHC and the Company were joint controllers, although both organisations denied having that status.

When deciding on the imposition of the administrative fine and its amount, the DPA took into account that the NPHC and the Company processed personal data intentionally, on a large scale, unlawfully and systematically, without providing the technical and organisational means to demonstrate compliance with the requirements of the GDPR, and that they also processed special categories of personal data. In addition, the Company did not comply with the DPA's instructions to stop the processing of personal data collected with the help of the app, and deleted part of the personal data.

The decision of the DPA may be appealed in court within one month from the date of its service in accordance with the procedure established by legal acts.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt

Lithuanian DPA issues EUR 15,000 fine for infringements of the General Data Protection Regulation in the Centre of Registers

Following the incident at the State Enterprise Centre of Registers on 20 July 2020, which disrupted the operation of the state registers and state information systems managed by the Centre, the Lithuanian State Data Protection Inspectorate (DPA) conducted an investigation under the General Data Protection Regulation (GDPR) and, in February 2021, imposed a fine for improper implementation of technical and organisational data security measures.

A fine of EUR 15,000 was imposed on the State Enterprise Centre of Registers for infringements of Article 32(1)(b) and (c) of the GDPR, namely failure to ensure the ongoing integrity, availability and resilience of processing systems and services, and failure to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

The fine was imposed on the Centre of Registers as the data controller and/or data processor of 22 registers and information systems. In reaching its decision the DPA had regard to the state of the art and the costs of implementation, and took into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals. It found that the Centre had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in breach of Article 32(1)(b) and (c) of the GDPR. It also took into account the factors listed in Article 83(2)(a), (d) and (g) of the GDPR (the nature, gravity and duration of the infringement, the degree of responsibility of the controller or processor, and the categories of personal data affected), which it recognised as aggravating the infringement committed by the SE Centre of Registers.

Pursuant to the Law on Legal Protection of Personal Data, a supervisory authority may impose on a public authority or body that has committed one of the infringements referred to in Article 83(4)(a), (b) and (c) of the GDPR an administrative fine of up to 0.5% of that body's budget for the current year or of its other general annual revenues received in the previous year, but not more than thirty thousand euros.

In determining the amount of the administrative fine, the DPA took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) of the GDPR that applied to the infringement committed by the SE Centre of Registers, namely the absence of intent, the efforts made to restore the damaged data, the absence of evidence of material damage suffered by data subjects, the close cooperation with the DPA and the absence of previous infringements of a similar nature. The DPA also took into account that the State Enterprise Centre of Registers, when implementing security measures, depends both on the data controller, the Ministry of Health of the Republic of Lithuania, and on other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to ensure compliance with the GDPR in the future.

The DPA points out that ensuring the security of personal data is not only the duty of the data controller but also the direct responsibility of the data processor under Article 32 of the GDPR. The processor is therefore directly liable for non-performance or improper performance of this obligation as well.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt


Forty-seventh Plenary Session of the EDPB

On 30 March, the EDPB will hold its 47th plenary session. During the plenary, the EDPB will discuss the European Commission's proposal for Regulations on a Digital Green Certificate.

The agenda for the 47th plenary is available here

EDPB adopted documents - 46th plenary

EDPB Stakeholder Event on processing of personal data for scientific research purposes

On 30 April, the EDPB is organising a remote stakeholder event on the topic "application of the GDPR to the processing of personal data for scientific research purposes". Representatives from, among others, individual companies, sector organisations, NGOs, law firms and academia with expertise in the field are welcome to express interest in attending.

In order to express your interest to participate in the event, please fill in this form.

Places will be allocated on a first come, first served basis, depending on availability. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders, in light of their relevance in the field. Selected participants will receive the confirmation of their registration in the event via e-mail.

Detailed information and the programme of the event will be available shortly.

As we would like to have a balanced and representative audience, participation will be limited to one participant per organisation.

When? 30 April 2021, from 10:00 to 16:00 CET

European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopt a joint opinion on the Data Governance Act

Brussels, 10 March. The European Data Protection Board and the European Data Protection Supervisor adopted a joint opinion on the proposal for a Data Governance Act. The aim of the Data Governance Act is to foster the availability of data by increasing trust in data intermediaries[1] and strengthening data-sharing mechanisms across the EU. In particular, the Data Governance Act intends to promote the availability of public sector data for reuse and the sharing of data among businesses, and to allow personal data to be used with the help of a "personal data-sharing intermediary". The Data Governance Act also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the Data Governance Act to improve the conditions for data sharing in the internal market. At the same time, the protection of personal data is an essential and integral element of trust in the digital economy. With this joint opinion, the EDPB and the EDPS call on the co-legislators to ensure that the future Data Governance Act is fully in line with EU personal data protection law, thereby fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States' supervisory authorities.

Andrea Jelinek, Chair of the EDPB, said: "The EU's data protection legal framework does not stand in the way of developing the data economy. On the contrary, trust in any kind of data sharing can only be achieved by respecting existing data protection legislation. The GDPR is the foundation on which the European data governance model must be built. That is why we underline the need to ensure consistency with the GDPR as regards the competence of the supervisory authorities, the roles of the various actors involved, the legal basis for the processing of personal data, the necessary safeguards and the exercise of data subjects' rights."

Wojciech Wiewiórowski, European Data Protection Supervisor, said: "We understand that data is becoming ever more important for the economy and society, as described in the European Data Strategy. However, with 'big data comes big responsibility', and appropriate data protection safeguards must therefore be put in place. The overarching framework for European data spaces should ensure that the data protection acquis is not affected."

The EDPB and the EDPS consider that the EU legislator should ensure that the wording of the Data Governance Act states clearly and unambiguously that the act will not affect the level of protection of individuals' personal data and that no rights and obligations laid down in data protection law will be altered.

As regards the reuse of personal data held by public authorities, the EDPB and the EDPS recommend aligning the Data Governance Act with the existing rules on the protection of personal data in the GDPR and with the Open Data Directive. It should further be clarified that reuse of personal data held by public authorities may only be allowed if it is based on EU or Member State law. Such laws should contain a list of clearly compatible purposes for which further processing may be lawfully authorised, or which constitute a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 of the GDPR.

As regards providers of data sharing services, the joint opinion stresses the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design, transparency and purpose limitation. It should also be clarified how such service providers would effectively assist individuals in exercising their rights as data subjects.

As regards data altruism, the EDPB and the EDPS recommend that the Data Governance Act should better define the purposes of general interest of such "data altruism". Data altruism should be organised in such a way that individuals can easily give, but also withdraw, their consent.

In light of the possible risks for data subjects when their personal data may be processed by providers of data sharing services or data altruism organisations, the EDPB and the EDPS consider that the automatic registration regimes for these entities laid down in the Data Governance Act do not provide a sufficiently stringent vetting procedure for such services. The EDPB and the EDPS therefore recommend exploring alternative procedures that allow a more systematic inclusion of accountability tools, in particular adherence to a code of conduct or certification mechanism.

The joint opinion also contains recommendations on designating the supervisory authorities as the main competent authorities for monitoring compliance with the provisions of the Data Governance Act, in consultation with other relevant sectoral authorities.

______________________________________
[1] See the Explanatory Memorandum of the Proposal, page 1

Note to editors: Please note that all documents adopted during the EDPB plenary sessions are subject to the necessary legal, linguistic and formatting checks and will be published on the EDPB website once these checks have been completed.

EDPB_Press Release_statement_2021_02

EDPB & EDPS adopt joint opinion on the Data Governance Act (DGA)

The EDPB and EDPS adopted a joint opinion on the proposal for a Data Governance Act (DGA). The DGA aims to foster the availability of data by increasing trust in data intermediaries [1] and by strengthening data-sharing mechanisms across the EU. In particular, the DGA intends to promote the availability of public sector data for reuse, sharing of data among businesses and allowing personal data to be used with the help of a ‘personal data-sharing intermediary’. The DGA also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the DGA to improve the conditions for data sharing in the internal market. At the same time, the protection of personal data is an essential and integral element for trust in the digital economy. With this joint opinion, the EDPB and the EDPS invite the co-legislators to ensure that the future DGA is fully in line with the EU personal data protection legislation, thus fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States’ supervisory authorities.  

Andrea Jelinek, Chair of the EDPB, said: "The EU's data protection legal framework does not stand in the way of developing the data economy. Quite the contrary, it enables it: trust in any kind of data sharing can only be achieved by respecting existing data protection legislation. The GDPR is the foundation on which the European data governance model must be built. That is why we underline the need to ensure consistency with the GDPR with regard to the competence of the supervisory authorities, the roles of the different actors involved, the legal basis for the processing of personal data, the necessary safeguards and the exercise of the rights of the data subjects."

Wojciech Wiewiórowski, EDPS, said: "We understand the growing importance of data for the economy and society as outlined in the European Data Strategy. However, with 'big data comes big responsibility', therefore appropriate data protection safeguards must be put in place. The overarching framework for European data spaces should ensure that the data protection acquis is not affected."

The EDPB and EDPS consider that the EU legislator should ensure that the wording of the DGA clearly and unambiguously states that this act will not affect the level of protection of individuals' personal data, nor will any rights and obligations set out in the data protection legislation be altered.

Concerning the reuse of personal data held by public sector bodies, the EDPB and EDPS recommend aligning the DGA with the existing rules on the protection of personal data laid down in the GDPR and with the Open Data Directive. Furthermore, it should be clarified that the reuse of personal data held by public sector bodies may only be allowed if it is grounded in EU or Member State law. Such laws should include a list of clear compatible purposes for which further processing may be lawfully authorised or constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 of the GDPR. 

On data sharing service providers, the joint opinion highlights the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design and by default, transparency and purpose limitation. Furthermore, the modalities upon which such service providers would effectively assist individuals in exercising their rights as data subjects should be clarified.

As for data altruism, the EDPB and the EDPS recommend that the DGA should better define the purposes of general interest of such “data altruism”. Data altruism should be organised in such a way that it allows individuals to easily give, but also, withdraw their consent. 

In light of the possible risks for data subjects when their personal data might be processed by data sharing service providers or data altruism organisations, the EDPB and EDPS consider that the declaratory registration regimes for these entities, as laid down in the DGA, do not provide for a sufficiently stringent vetting procedure applicable to such services. Therefore, the EDPB and EDPS recommend exploring alternative procedures that foresee a more systematic inclusion of accountability tools, in particular the adherence to a code of conduct or certification mechanism.

The joint opinion also includes recommendations on the designation of the supervisory authorities as main competent authorities for the control of the compliance with the DGA provisions, in consultation with other relevant sectorial authorities.

______________________________________
[1] See Explanatory Memorandum of the Proposal, page 1

Note to editors:  Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Questions to the EDPB can be directed to: greet.gysen@edpb.europa.eu and sarah.hanselaer@edpb.europa.eu - www.edpb.europa.eu
Follow us on Twitter: @EU_EDPB

Questions to the EDPS can be directed to Olivier Rossignol: press@edps.europa.eu - www.edps.europa.eu
Follow us on Twitter: @EU_EDPS

EDPB_Press Release_statement_2021_02

European Data Protection Board - 46th Plenary session

EDPB adopts 2021-2022 Work Program, Statement on ePrivacy Regulation, Guidelines on Virtual Voice Assistants & Guidelines on Connected Vehicles, and discusses UK Adequacy

During its 46th plenary session, the EDPB adopted a wide range of documents and discussed the draft UK adequacy decisions presented by the European Commission. 

The Board adopted its two-year work program for 2021-2022, according to Article 29 of the EDPB Rules of Procedure. The work program follows the priorities set out in the EDPB 2021-2023 Strategy and will put the Board’s strategic objectives into practice. 

The EDPB adopted a statement on the draft ePrivacy Regulation. In its statement, the EDPB welcomes the agreement on the negotiation mandate by the Council as a positive step in the finalisation of the ePrivacy Regulation. The EDPB recalls that national authorities responsible for enforcement of the GDPR should be entrusted with the oversight of the privacy provisions of the future ePrivacy Regulation to ensure a harmonised interpretation and enforcement of the ePrivacy Regulation across the EU and to guarantee a level playing field in the Digital Single Market.

EDPB Chair Andrea Jelinek said: "The ePrivacy Regulation must not, under any circumstances, lower the level of protection offered by the current ePrivacy Directive, and should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication."

The EDPB adopted Guidelines on Virtual Voice Assistants (VVAs). These Guidelines aim to identify some of the most relevant compliance challenges for VVAs and to provide recommendations to relevant stakeholders on how to address them. The Guidelines will be submitted for public consultation for a period of six weeks.

The EDPB adopted a final version of the Guidelines on Connected Vehicles following public consultation. The Guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. The final version integrates updated wording, and further clarifications in order to address comments and feedback received during the public consultation.

The Board discussed the draft UK adequacy decisions, which were received from the European Commission. The EDPB will thoroughly review the draft decisions, taking into account the importance of guaranteeing the continuity and high level of protection for data transfers from the EU. 

Finally, the EDPB adopted a joint EDPB-EDPS opinion on the Data Governance Act. A separate press release will be published on this topic later today. 

The agenda of the forty-sixth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2021_02

Norwegian DPA issues fine to Aquateknikk AS

The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis.

This case came in response to a complaint from a person who discovered that Aquateknikk had performed a credit rating on him when he had no customer relationship or any other connection with the company.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

Lacked legal basis

A credit rating compiles personal data from many different sources for the purpose of indicating how likely it is that the person will be able to pay what they owe. A credit rating will also include detailed information about the person’s personal financial situation, such as debt-to-income ratio, payment remarks, and the person’s mortgages, if any.

Upon investigating this matter, the Data Protection Authority concluded that the credit rating was performed without a legal basis, in violation of the requirements of the General Data Protection Regulation. The undertaking did not have a legitimate interest in performing a credit rating on the complainant.

Insufficient knowledge of the rules

“As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Thon concludes.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Spanish Data Protection Authority (AEPD) imposes fine of EUR 6,000,000 on CAIXABANK, S.A.

The Spanish Data Protection Authority (AEPD) imposed a total fine of EUR 6,000,000 on CAIXABANK, S.A. for unlawfully processing clients' personal data (EUR 4,000,000) and for not providing sufficient information about the processing of personal data (EUR 2,000,000).

The AEPD considered that the document designed to satisfy the information obligation did not include enough information about the categories of personal data concerned, the purposes of the processing for which the personal data are intended, or the legal basis for the processing, especially for processing activities based on the company's legitimate interest. Consequently, the AEPD concluded that CAIXABANK had infringed Articles 13 and 14 of the GDPR and, under Article 83(5)(b) of the GDPR, imposed a fine of EUR 2,000,000. When deciding on the amount of the fine, the AEPD took into account as aggravating factors, among others, the nature, gravity and duration of the infringement; its negligent character; the link between the company's activity and the processing of personal data; and the fact that the company is a large enterprise, together with its turnover.

The AEPD also found that CAIXABANK did not provide any mechanism for collecting the data subject's consent; that the consent obtained did not meet all the elements of valid consent; and that the processing activities based on the company's legitimate interest were not sufficiently justified, especially as regards the link between the company's activity and the processing of personal data. The AEPD concluded that this constituted an infringement of Article 6 of the GDPR and, under Article 83(5)(a) of the GDPR, imposed an administrative fine of EUR 4,000,000. In deciding on the amount of the fine, the AEPD took into account as aggravating factors, among others, the nature, gravity and duration of the infringement; its negligent character; the degree of responsibility of the controller, taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR; the benefits gained from the infringement; the categories of personal data affected; the link between the company's activity and the processing of personal data; and the fact that the company is a large enterprise, together with its turnover.

In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within six months.

To read the full decision in Spanish, click here.

For further information, please contact the Spanish DPA: prensa@aepd.es
