European Data Protection Board

THE ITALIAN SUPERVISORY AUTHORITY FINES ENI GAS E LUCE EUR 11.5 MILLION - On account of unsolicited telemarketing and contracts

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozens of alerts and complaints received in the immediate aftermath of the full application of the GDPR.  
The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct  by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.  

The Italian SA further prohibited the company from using the data made available by the list providers  if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect  data in the contracts and forged signatures.

About 7200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation  as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.  

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here

For further information, please contact the Italian SA: garante@garanteprivacy.it

Investigation regarding access to and inspection by the employer of an employee’s emails on a company server, illegal installation and operation of a closed-circuit video-surveillance system and infringement of the right of access

The Ηellenic DPA in response to a complaint conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager for whom there was suspicion that he had committed unlawful acts against the company’s interests.

The Authority found that the company as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retreating employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on www.dpa.gr  “Decisions”

For further information, please contact the Hellenic DPA: contact@dpa.gr

London pharmacy fined after “careless” storage of patient data

The Information Commissioner’s Office (ICO) has fined a London-based pharmacy £275,000 for failing to ensure the security of special category data.
Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

Documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018. Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the General Data Protection Regulations (GDPR).
The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.

Steve Eckersley, Director of Investigations at the ICO said:

The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.

In setting the fine, the ICO only considered the contravention from 25 May 2018, when the GDPR came into effect.
Doorstep Dispensaree has also been issued an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.

Full details of the investigation can be found in the Monetary Penalty Notice here.

BfDI imposes Fines on Telecommunications Service Providers

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9.550.000 on the telecommunications service provider 1&1 Telecom GmbH. The company did not provide sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information via the customer hotline service. In another case, the BfDI imposed a fine of EUR 10. 000 on Rapidata GmbH.

Concerning this matter, the Federal Commissioner Ulrich Kelber said: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”

In the case of 1&1 Telecom GmbH, the BfDI had become aware that persons calling the company’s customer service hotline could obtain extensive information about further personal data merely by providing a customer’s name and date of birth. The BfDI considers this authentication procedure to be in breach of Article 32 of the GDPR which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and highly cooperative. As a first step, the authentication procedure was strengthened by requesting additional information. As a further step, following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.

Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small number of customers, but posed a risk for the entire customer base. However, the BfDI remained in the lower range of possible fines as 1&1 Telecom GmbH proved to be very cooperative throughout the whole procedure.

The BfDI is also currently investigating the authentication procedures of other telecommunications service providers.

In another context proceedings against the telecommunications provider Rapidata GmbH were required, because despite repeated requests, the company failed to comply with its legal requirement under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the 10.000 Euro fine, the fact was taken into account that the company is belonging to the category of micro-enterprises.

For further information, please contact the German SA: presse@datenschutz-berlin.de

Administrative fine of 35 000 EUR imposed on the Swedish website Mrkoll.se

The Swedish DPA has issued an administrative fine of 35 000 EUR against Mrkoll.se – a website that publishes personal data of all Swedes above the age of 16 – for infringement of the Credit Information Act and the GDPR. The website has carried out credit information activity in a way that is not in compliance with the law.

The Swedish DPA has issued an administrative fine against the company Nusvar which runs the website Mrkoll.se. This website publishes personal data of all Swedes above the age of 16. In total, the database contains personal data of more than 8 million people. The administrative fine issued amounts to 35 000 EUR.

- The decision addresses the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf who led the investigation of the website.

The website in question has been granted a publishing certificate that provides it with a constitutional protection for the majority of its publishing activities, meaning that the GDPR does not apply under those circumstances.

The website did however publish information that a person does not have a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information the Credit Information Act applies, including its references to the GDPR. The website furthermore published information about records of criminal convictions. Such information is regulated in the GDPR and may not be published under the Credit Information Act without prior authorization from the Swedish DPA. The DPA has not issued any such authorization for this website.

- Websites entrusted with a publishing certificate do not need prior authorization from the DPA to carry out credit information activity as such, but they must comply with the rules in the Credit Information Act. This website has not complied with these rules, says Hans Kärnlöf.

The decision concerns unlawful publications from December 2018 to April 2019. As of April 2019, the website no longer publishes information about records of non-payment.  For that reason, the DPA’s decision will not affect how the website publishes information today.

Since May 2018 the Swedish DPA has received more than 750 complaints concerning websites that hold publishing certificates.

For further information, please contact the Swedish SA : per.lovgren@datainspektionen.se  

The Norwegian Data Protection Authority imposes a fine on the City of Oslo

The Norwegian Data Protection Authority has issued an administrative fine of EUR 49 300 to the City of Oslo for having stored patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.

“This is a serious violation, given the extended time period and considerable scope of processing,” stressed Bjørn Erik Thon, Director General of the Norwegian Data Protection Authority. “An indeterminable quantity of health data has been available to a large number of employees for at least 11 years. The City of Oslo has the largest population of all Norwegian municipalities and should therefore be especially well placed to comply with relevant information security requirements.”

Background

The case commenced when the City of Oslo sent a data breach notification to the Data Protection Authority in November 2018. The City of Oslo reported that its 19 nursing homes/health centres under the Nursing Home Agency, as well as nine private nursing homes under contract with the city, had been practising the use of so-called work sheets. These work sheets would include information about the residents, detailing their daily needs and care routines, and residents were identified by their full names and national identity numbers, initials or room numbers.

The work sheets were stored electronically in the individual nursing home’s/health centre’s internal zone, where all unit employees, as well as some employees in the Nursing Home Agency, had access. Approximately 90 percent of the employees at these nursing homes/health centres are health personnel, but the remaining 10 percent – such as members of the cleaning or janitorial staff – could, in theory, also log on and gain access to this information. The sheets were allegedly continuously overwritten, so that they contained information about current residents only – and no former residents – at any given time. However, employees who worked at an individual nursing home/health centre for any extended period of time, would have had access to information about a large number of residents.

Old data protection regulations applied in assessment

In calculating the size of the fine, the Data Protection Authority emphasized that the city reported the violation to the Data Protection Authority on its own initiative and quickly took steps to delete the data. It was furthermore taken into account that the violation primarily took place before the new Personal Data Act and General Data Protection Regulation entered into force in July 2018. Under the old Personal Data Act, fines were limited to approximately EUR 100 000. A fine of EUR 49 300 was therefore deemed appropriate in this particular case.

The Data Protection Authority found that the Nursing Home Agency for many years had failed to apply a sufficiently comprehensive mindset in its approach to managing nursing home/health centre practices for information security. The Authority concluded that the practice of storing identifiable patient data outside the electronic health record system clearly violated the requirements for security and internal control provided in Article 32 of the General Data Protection Regulation and Sections 22 and 23 of the Health Record Act.

Measures to prevent future violations

When the practice of work sheets was discovered, the Nursing Home Agency sent out an e-mail to all nursing homes/health centres, instructing them to delete all work sheets immediately. Due to the way that work sheets were stored, there is no log detailing which employees have accessed the list, and there is no way of finding out whether any unauthorized persons have gained access to the data. In order to prevent similar situations from occurring again, the Nursing Home Agency has implemented various measures related to internal audit, follow-up by management and training, among other things.

The City of Oslo did not appeal the decision.

For further information, please contact the Norwegian SA: international@datatilsynet.no

The Belgian DPA has imposed a fine of €2000 on a non-profit association

The Belgian DPA has imposed a fine of €2000 on a non-profit association that provides specialized nursing care for failure to comply to the access request of a data subject. The data subject had requested access to her personal data, as well as the erasure of her data, after receiving a political email from the delegated administrator of the organization. Evidence suggests the association did not act on these requests. In her decision, the Belgian DPA also orders the nonprofit association to meet the demands of the data subject.

Read the decision in French here

For further information, please contact the Belgian DPA: contact@apd-gba.be

The Belgian DPA has imposed a fine of €15000 on a website specialized in legal news

The Belgian DPA has imposed a fine of €15000 on a website specialized in legal news for their noncompliant cookie management and privacy policy. The Belgian DPA found that their privacy policy lacked transparency and infringed the rules on information to be provided; and also that the website failed to comply with its obligations in terms of consent (the principle of “opt in”)  and withdrawal of consent.

To read the decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

First standard contractual clauses for contracts between controllers and processors (art. 28 GDPR) at the initiative of DK SA published in EDPB register

Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
 
The standard processor agreement has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organisations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.
 
The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.
Nevertheless, the clauses are an instrument to be used "as is", i.e. the parties who enter into a contract with a modified version of the clauses are not deemed to have employed the adopted SCCs. On the contrary, to the extent that organizations choose to make use of these standard provisions, the Danish SA, for example in connection with an inspection visit, will not examine these provisions in more detail.

Sixteenth EDPB Plenary Session

On December 2nd and 3rd, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their sixteenth plenary session. During the plenary, several topics were discussed.
 
Art. 64 GDPR Opinion on Accreditation Requirements for Codes of Conduct monitoring bodies by UK SA
The EDPB adopted its opinion on the UK Supervisory Authority’s (SA) draft decision on the Accreditation Requirements for Codes of Conduct monitoring bodies. The opinion aims to ensure consistency and the correct application of these requirements among EEA SAs. In the opinion, the EDPB proposes some changes to the draft accreditation requirements, in order to ensure a consistent application of the accreditation of monitoring bodies.

Response to BEREC request for guidance on the revision of its guidelines on net neutrality rules
The EDPB adopted its response to a request for guidance by the Body of European Regulators for Electronic Communication (BEREC) on the current EU data protection framework. In the letter, the Board raises concerns regarding the processing of domain names and URLs for the purposes of traffic management and billing (zero-rating offers).

The EDPB encourages the internet access services (IAS), and where relevant BEREC, to define and agree on less invasive and more standardized ways to manage internet traffic, interoperable throughout different IASs, which are not based on the use of URLs and domain names.

Guidelines on “the Criteria of the Right to be Forgotten in the search engine cases under the GDPR” (part 1)
The Board adopted draft guidelines on “the Criteria of the Right to be Forgotten in the search engine cases under the GDPR.” The guidelines provide an interpretation of Art. 17 GDPR with regard to the grounds and exceptions for delisting requests directed to search engine providers and are an update of the 2014 guidelines on the implementation of the Costeja judgment, issued by the Article 29 Working Party (WP29). These guidelines, which will be presented for public consultation, will be complemented by another set of guidelines on the criteria for handling complaints for refusals of delisting.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Fine against hospital due to data protection deficits in patient management

The Commissioner for Data Protection and the Freedom of Information Rhineland-Palatinate imposed a fine of 105,000 euros on a hospital in Rhineland-Palatinate.
The fine is based on several breaches of the General Data Protection Regulation in the framework of a patient mix-up when admitting the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient and privacy management.

The Commissioner Prof. Dr. Kugelmann emphasises: "The primary objective of the corrective measures and sanctions is to remedy existing shortcomings and improve data protection. Fines are one instrument among several ones. In addition to their sanctioning effect, they always contain a preventive element in that it becomes clear that grievances are consistently investigated. What matters to me is that substantial progress is made on health data protection in view of the particular sensitivity of the data. I therefore hope that the fine will also be seen as a signal so that the data protection supervisory authorities are particularly vigilant in the field of data handling in health care."

To read the press release in German, click here

For further information, please contact the Rhineland-Palatinate DPA: poststelle@datenschutz.rlp.de

The Belgian Data Protection Authority imposes two new fines

The Belgian Data Protection Authority has imposed a fine of €5000 on a mayor and a municipal officer in two separate cases. These fines were imposed after they improperly used personal information to send political advertisements in order to be reelected during the 2018 local elections in Belgium. For the Belgian Litigation Chamber, the behaviour of people who hold a public mandate should be exemplary.

L’ Autorité de protection des données (APD) a prononcé deux amendes administratives de 5000 euros chacune dans deux dossiers séparés. Celles-ci sanctionnent l’utilisation abusive de données personnelles par un bourgmestre et un échevin en vue de leur réélection lors de la campagne électorale d’octobre 2018. Hielke Hijmans, Président de la Chambre Contentieuse de l’APD : « La qualité de mandataire public doit s’accompagner d’un comportement exemplaire au regard de la législation.»

Les deux dossiers : envoi de courrier électoral personnalisé non conforme aux règles de protection des données

Le premier dossier porte sur une plainte concernant l’utilisation par un bourgmestre sortant de données obtenues dans le cadre de l’exécution de sa fonction à des fins de campagne électorale. Ces données de contact figuraient en effet sur une liste comprenant 476 personnes ayant fait appel à lui  en sa qualité de bourgmestre de 2012 à 2018.

Le second dossier porte sur l’envoi par un échevin sortant d’un courrier électoral à une liste de clients obtenue dans le cadre d’un métier qu’il exerçait en parallèle de son mandat public. Suite à l’enquête du Service d’inspection de l’Autorité de protection des données, il fut établi que 654 personnes étaient concernées.
L’APD rappelle que les responsables du traitement doivent respecter le principe de finalité : les données collectées par un responsable de traitement doivent être collectées pour des finalités déterminées et ne peuvent être traitées ultérieurement de manière incompatible avec les finalités en question. Réutiliser un fichier client ou des données obtenues dans le cadre d’un mandat public à des fins de publicité électorale, alors que ce n’est la finalité de départ, est donc une infraction au RGPD.

Après avoir entendu les différentes parties et analysé leurs arguments, la Chambre Contentieuse a donc décidé d’imposer à l’échevin et au bourgmestre sortants une sanction financière de 5000 euros, ainsi que de prononcer une réprimande à leur encontre.

Hielke Hijmans, Président de la Chambre Contentieuse de l’APD rajoute : « La qualité de mandataire public doit s’accompagner d’un comportement exemplaire au regard de la législation. Le fait que les défendeurs aient été échevin et bourgmestre au moment des faits renforce la gravité du manquement. Le fait que des centaines de personnes soient concernées a également été pris en compte dans notre décision. »

L’utilisation de données personnelles par des personnalités politiques à des fins de campagne électorale est une question qui préoccupe beaucoup les citoyens, l’APD a reçu plusieurs questions et plaintes suites aux dernières élections communales.  En mai 2019, l’APD avait déjà émis une amende dans un cas similaire.

La protection des données personnelles comme garante de la démocratie
Les faits constatés sont d’autant plus graves qu’ils sont commis par des mandataires publics, et tout particulièrement dans le contexte électoral.

L’EDPB (Comité Européen à la Protection des données) a récemment rappelé que le respect des règles de protection des données est essentiel à la protection de la démocratie. Il s’agit du seul moyen de préserver la confiance des citoyens et l’intégrité des élections. Le scandale Cambridge Analytica en est un flagrant exemple.
Hielke Hijmans : « Les courriers envoyés consistaient à inciter les destinataires à voter pour un candidat. Même si c’est le but d’une campagne électorale, le respect des lois dans ce contexte est particulièrement important. Ce n’est pas la première fois que nous sanctionnons des manquements à la législation sur les données personnelles dans le cadre d’une campagne électorale, notre message est clair : cette pratique n’est pas acceptable. »

L’APD a récemment lancé un site web dédié aux citoyens qui a pour but d’expliquer les risques individuels et collectifs liés à la perte de contrôle sur les données personnelles : www.maitrisermesdonnees.be.

David Stevens, Président de l’APD, explique : « Les règles en matière de protection des données personnelles ont notamment pour but de préserver la liberté de chaque citoyen à faire des choix libres. Ceci ne vaut pas seulement pour le secteur commercial, mais aussi, voire tout particulièrement,  pour le secteur public qui doit montrer l’exemple. »

L’APD rappelle qu’elle possède sur son site web un dossier dédié aux élections.

Si un citoyen a le sentiment que ses droits en matière de protections des données n’ont pas été respectés, il peut porter plainte via cette page.

To read the full press release in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

Fifteenth Plenary Session: adopted documents

Fifteenth Plenary session: Privacy Shield Review, Guidelines on Territorial Scope, Guidelines on Data Protection by Design & Default, Art. 64 Opinion on Exxon Mobil BCRs, Response letter to LIBE, Additional Protocol Budapest Convention

Brussels, 14 November - On November 12th and 13th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their fifteenth plenary session. During the plenary a wide range of topics was discussed.
 
Third Annual Privacy Shield Review
The EDPB adopted its report on the third Annual Joint Review of the EU-US Privacy Shield. In the report, the EDPB welcomes the efforts made by the U.S. authorities to implement the Privacy Shield, especially regarding ex officio oversight and enforcement actions on the commercial aspects, as well as the appointments of the last missing members of the Privacy and Civil Liberties Oversight Board (PCLOB) and of a permanent Ombudsperson.

However, a number of concerns still need to be addressed. The Board points out that substantial compliance checks with the substance of the Privacy Shield’s principles remain concerning. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR data and processors, as well as the recertification process. More generally, the members of the Review Team would benefit from broader access to non-public information, concerning commercial aspects and ongoing investigations.

As regards the collection of data by public authorities, the EDPB encourages the PCLOB to issue and publish further reports, among others to provide an independent assessment of surveillance programmes conducted outside the US territory, while data are undergoing transfer from the EU to the US. The Board reiterates that its security-cleared experts remain ready to review further documents and discuss additional classified elements.

While the EDPB welcomes the new elements provided during this year’s review, the EDPB still cannot conclude that the Ombudsperson is vested with sufficient powers to access information and remedy non-compliance.

Guidelines on Territorial Scope
The EDPB adopted a final version of the Guidelines on Territorial Scope following public consultation. The guidelines aim to provide a common interpretation of the GDPR for EEA Data Protection Authorities when assessing whether a particular processing by a controller or a processor falls within the territorial scope of the legal framework, as per Art. 3 GDPR. The Guidelines provide further clarification on the application of the GDPR in various situations, for example, where the data controller or processor is established outside the EEA, including on the designation and role of a representative under Art. 27 GDPR.

The final guidelines integrate updated wording and further legal reasoning in order to address comments and feedback received during the public consultation, while maintaining the overall interpretation and methodology presented in the first version of the guidelines.

Guidelines on Data Protection by Design & Default
The EDPB adopted Guidelines on Data Protection by Design & Default. The guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) as set forth in Art. 25 GDPR. The core obligation here is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and the necessary safeguards, designed to ascertain data protection principles in an effective manner and to protect the rights and freedoms of data subjects. In addition, controllers must be able to demonstrate that the implemented measures are effective. The guidelines will be submitted for public consultation.

Article 64 Opinion on ExxonMobil BCRs
The EDPB adopted its opinion on the draft decision regarding ExxonMobil’s Binding Corporate Rules (BCRs), submitted to the Board by the Belgian Supervisory Authority. The EDPB is of the opinion that the draft controller BCRs provide sufficient safeguards in the meaning of Art. 46(2)(b) and comply with Art. 47 GDPR.

Response letter to LIBE on EU Information Systems
The EDPB adopted its response to the European Parliament’s committee for Civil Liberties’ request for a legal assessment on the European Commission’s proposals for the Regulation establishing the conditions for accessing the other EU information systems and the Regulation establishing the conditions for accessing other EU information systems for ETIAS purposes. In the letter, the EDPB argues that the proposals should be seen as part of a bigger picture, i.e. as implementing parts of the Interoperability Framework and recalls the concerns previously expressed by the Article 29 Working Party. Additionally, the letter points out there are concerns regarding fundamental data protection principles, such as transparency, data protection by design and by default, and purpose limitation.

Additional protocol to the Budapest Convention on Cybercrime
The EDPB has adopted a contribution to the draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), to be considered within the framework of consultations held by the Council of Europe Cybercrime Convention Committee (T-CY). The EDPB recalls that the protection of personal data and legal certainty must be guaranteed, thus contributing to the objective of establishing sustainable arrangements for the sharing of personal data with third countries for law enforcement purposes, which are fully compatible with the EU Treaties and the Charter of Fundamental Rights.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Polish DPA: Withdrawal of consent shall not be impeded

The President of the Personal Data Protection Office imposed an administrative fine of over PLN 201,000 for, inter alia, obstructing the exercise of the right to withdraw consent to the processing of personal data.

The company - ClickQuickNow Sp. z o.o. did not implement appropriate technical and organizational measures that would enable easy and effective withdrawal of consent to the processing of personal data and the exercise of the right to obtain the erasure of personal data (the "right to be forgotten"). Thus, it violated the principles of lawfulness, fairness and transparency of processing of personal data, specified in the GDPR.

The President of the Personal Data Protection Office (PDPO) found that the company's actions were also inconsistent with Article 7(3) of the GDPR. The company did not take into account the principle that withdrawal of consent should be as easy as giving consent - on the contrary, it applied complicated organisational and technical solutions with regard to the withdrawal of consent. Moreover, the company did not facilitate the exercise of the subject rights, as required by Article 12(2) of the GDPR.

The proceedings of the President of PDPO established that the company violated the abovementioned provisions of the GDPR, because the mechanism of the consent withdrawal, involving the use of a link included in the commercial information, did not result in a quick withdrawal. After the link was set up, messages addressed to the person interested in withdrawing consent were misleading. Moreover, the company forced stating the reason for withdrawing consent, which is not required by the law. Furthermore, failure to indicate the reason resulted in discontinuation of the process of withdrawing consent.

In his decision, the President of the PDPO also pointed out that the company processed, without any legal basis, the data of data subjects, who are not its customers and from whom the company received objections to processing their personal data. Thus, it also violated the so-called "right to be forgotten".

When determining the amount of the administrative fine, the President of the PDPO did not take into account any mitigating circumstances affecting the final penalty. He also decided that the company's action was intentional - providing contradictory communications to the data subject interested in withdrawing consent resulted in an ineffective withdrawal of consent. In this way, the company made it difficult, or even impossible, to exercise the rights of the data subjects.

The President of PDPO not only imposed an administrative fine on the company, but also ordered it to adjust the process of processing requests for withdrawing consent to data processing to the provisions of the GDPR. ClickQuickNow Sp. z o.o. has 14 days from the date of delivery of the decision to comply with the decision. The company must also delete the data of data subjects who are not its customers and objected to processing the personal data concerning them.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl 

Berlin Commissioner for Data Protection Imposes Fine on Real Estate Company

On October 30th 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million Euros against Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR).

During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required. Personal data of tenants was stored without checking whether storage was permissible or even necessary. In some of the individual cases that were examined, it was therefore possible to find years-old private
data from tenants that were preserved although they were no longer necessary for the purpose of their original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.

The Berlin Commissioner for Data Protection urgently recommended an adjustment of the archive system during the first inspection in 2017. Nevertheless, in March 2019, more than one and a half years after the first inspection and nine months after the start of application of the GDPR, the company was still unable to either demonstrate a clean-up of its database or present legal reasons for the continued storage. The company actually did make preliminary
preparations to remedy the deficiencies. However, those measures did not suffice to align the storage of personal data with the legal requirements. The imposition of a fine for an infringement of Article 25 (1) GDPR and Article 5 GDPR during the period between May 2018 and March 2019 was therefore mandatory.

The GDPR requires supervisory authorities to ensure that fines in each individual case are not only effective and proportionate, but also dissuasive. The starting point for the calculation of fines is therefore, among other things, the previous year's worldwide turnover of the companies concerned. Since annual turnover of Deutsche Wohnen SE exceeded 1.4 billion Euros according to its 2018 annual report, the legally prescribed limit for fines to be assessed for the type of data protection violation that was discovered was around 28 million Euros.

For the specific determination of the amount of the fine, the Berlin Commissioner for DataProtection has used the legal criteria, taking into account both aggravating and mitigating factors. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time was considered to be particularly aggravating. On the other hand, it was taken into account as a mitigating factor that the company took initial measures to remedy the illegal situation and cooperated formally well with the supervisory authority. In view of the fact that the company could not be proven to have misused access to the inadmissibly stored data, a fine of about half the upper limit was appropriate.

In addition to sanctioning this structural violation, the Berlin Commissioner for Data Protection imposed fines of between 6,000 and 17,000 Euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases as well.

The decision to impose a fine has not yet become final. Deutsche Wohnen SE has the right to lodge an appeal against the fine.

Maja Smoltczyk:

"Sadly, in the course of our supervisory practice, we frequently come across data graveyards like the one we found at Deutsche Wohnen SE. The significance of such abuses unfortunately only becomes clear when those masses of hoarded data are stolen and abused, for example due to cyber-attacks. But even without such serious consequences, we are dealing with a flagrant violation of the principles of data protection, which are intended to protect people from precisely such risks. It is gratifying that, adopting the GDPR, the legislator has introduced the possibility of sanctioning such structural deficiencies before the worst case scenario comes to pass. I recommend to all data controllers that they check their archive systems for compatibility with the GDPR".

To read the press release in German, click here

For further information, please contact the Berlin DPA: presse@datenschutz-berlin.de

The Romanian Supervisory Authority fines Artmark Holding SRL

Fine pursuant to Law no. 506/2004

The National Supervisory Authority has finalized an investigation with the controller Artmark Holding SRL and found that it infringed the provisions of Article 13 paragraph (1) letter q) of Law no. 506/2004, corroborated with Article 13 paragraph (5) of Law no. 506/2004 and with Article 7 of the Government Ordinance no. 2/2001.

The controller Artmark Holding SRL was sanctioned with a fine in the amount of 10,000 lei.

The sanction was applied to the controller because it did not prove that it obtained the express and unequivocal prior consent for the transmission of commercial messages by e-mail, in violation of the provisions regarding the unsolicited communications provided by Article 13 paragraph (1) letter q) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector.

In this context, the company was recommended to take the necessary measures to comply with the provisions of Article 12 of Law no. 506/2004, for sending commercial messages through electronic means of communication only with the express prior consent of the recipients.

Pursuant to Article 12 paragraph (1) of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, it is prohibited to carry out commercial communications by using automatic call and communication systems that do not require the intervention of a human operator, by fax or e-mail or by any other means that use electronic communications services for the public, unless the subscriber or user concerned has previously expressed his/her express consent to receive such communications.

The National Supervisory Authority imposed the sanction as a result of a petition claiming that the controller Artmark Holding SRL transmitted to the petitioner unsolicited commercial messages on his e-mail address without his consent. Thus, although the petitioner had requested the company to delete his personal data from the controller’s database as they had been obtained without his consent, he continued to receive unsolicited commercial messages from Artmark Holding SRL on his e-mail address.

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

Sidor