Datainspektionen på Åland

Datainspektionen på Åland (the Åland Data Inspection Authority) is responsible for data protection in the public administration of Åland. Datainspektionen in Sweden changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten. See imy.se for details.

European Data Protection Board

‘Easy privacy information via icons? Yes, you can!’ The Italian DPA launches a contest calling for creative ideas from all quarters

‘Easy privacy information via icons? Yes, you can!’ This is the claim used by the Italian SA to launch a contest for solutions that can make information notices simpler, clearer and immediately understandable through icons, symbols or other graphic elements – in short, to make sure that the notices are really helpful and suitable for the purpose for which they are intended.

The information notices used by companies, public bodies, websites, social networks and search engines are often lengthy and complex and therefore cannot fulfil their essential function, which is informing data subjects about how their personal data will be used and allowing them where appropriate to give their free, informed consent to the processing of their data for whatever purpose – be it marketing, profiling, or the disclosure of information to third parties.

The Garante is calling upon software developers, tech professionals, experts, lawyers, designers, university students, and anyone interested in this topic, to send a set of symbols or icons that can represent all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR.

Proposals will be welcome until 30 May, 2021 and should be emailed to icona@gpdp.it.

The Garante will select three datasets of symbols and icons that are considered especially effective and will make them available on its website for use by all stakeholders, specifying the author’s name.

The applicable rules are available at www.gpdp.it/informativechiare 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Dutch DPA fines Booking.com for delay in reporting data breach


The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking. 

The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone. 

Phishing
‘Booking.com customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions. 

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

Breach reported 22 days too late
Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time. 

‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’

Huge responsibility
According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’ 

Booking.com will not lodge an objection to or apply for review of the decision imposing the fine.

International investigation
The investigation into the Booking.com breach was international in scope. The situation involved an international company with customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.

Obligation to report data breaches
The obligation to report data breaches means that both companies and public authorities must immediately (and in any case within 72 hours) inform the DPA if they suffer a serious data breach. In certain cases they must also inform the individuals whose personal data was leaked. Data breaches must be reported to the DPA’s Data breach helpdesk.

Explosive increase in data theft
In 2020 the DPA warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data. The number of reports in 2020 was 30% higher than in the previous year. This can be seen in the DPA’s 2020 Report on Data Breaches. Data theft can often be prevented by enhanced security.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl


EU data protection authorities adopt joint opinion  on the Digital Green Certificate Proposals

Brussels, 6 April – The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the Proposals for a Digital Green Certificate. The Digital Green Certificate aims to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing and recovery certificates.

With this Joint Opinion, the EDPB and the EDPS invite the co-legislators to ensure that the Digital Green Certificate is fully in line with EU personal data protection legislation. The data protection commissioners from all EU and European Economic Area countries highlight the need to mitigate the risks to fundamental rights of EU citizens and residents that may result from issuing the Digital Green Certificate, including its possible unintended secondary uses. The EDPB and the EDPS underline that the use of the Digital Green Certificate may not, in any way, result in direct or indirect discrimination of individuals, and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Given the nature of the measures put forward by the Proposal, the EDPB and the EDPS consider that the introduction of the Digital Green Certificate should be accompanied by a comprehensive legal framework.


Andrea Jelinek, Chair of the EDPB, said: "A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place."

Wojciech Wiewiórowski, EDPS, said: "It must be made clear that the Proposal does not allow for - and must not lead to - the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis."

In the current emergency situation caused by the COVID-19 pandemic, the EDPB and the EDPS insist that the principles of effectiveness, necessity, proportionality and non-discrimination are upheld. The EDPB and the EDPS reiterate that, at the moment of writing, there seems to be little scientific evidence as to whether having received the COVID-19 vaccine (or having recovered from COVID-19) grants immunity, and, by extension, how long such immunity may last. But scientific evidence is growing daily.

Moreover, a number of factors are still unknown regarding the efficacy of the vaccination in reducing transmission. The Proposal should lay down clear and precise rules governing the scope and application of the Digital Green Certificate and impose appropriate safeguards. This will allow individuals, whose personal data is affected, to have sufficient guarantees that they will be protected, in an effective way, against the risk of potential discrimination.

The Proposal must expressly include that access to and subsequent use of individuals’ data by EU Member States once the pandemic has ended is not permitted. At the same time, the EDPB and the EDPS highlight that the application of the proposed Regulation must be strictly limited to the current COVID-19 crisis.

The Joint Opinion includes specific recommendations for further clarifications on the categories of data concerned by the Proposal, data storage, transparency obligations and identification of controllers and processors for the processing of personal data. 


Note to editors: Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_statement_2021_03

Spanish DPA Fines Vodafone Spain more than 8 Million Euros

Vodafone Spain fined more than 8 million euros for GDPR infringements and two infringements of national laws

Case summary: From April 2018 to September 2019, 191 complaints were received concerning similar cases of telephone calls and SMS messages sent to citizens who had objected to the processing of their data for advertising. In September 2019, an on-site inspection was carried out at the headquarters of "Vodafone España, S.A.U.", which found an absence of continuous supervision of processors and a lack of organisational and technical means to carry out the processing entrusted to them (Article 28), in particular the ability to avoid advertising actions directed at citizens who had exercised their rights to object or to erasure of their personal data. An international data transfer (Article 44) to a third country (the Republic of Peru) was also detected, from where processors carried out advertising actions on behalf of the controller (Vodafone España, S.A.U.).

In addition, the supervisory authority, on the basis of its national competences, imposed two further penalties under two related national laws (the General Telecommunications Law and the Electronic Commerce Law), with fines of €2,000,000 and €150,000 respectively.

For further information, please contact the Spanish DPA: prensa@aepd.es


Bavarian DPA (BayLDA) calls for German company to cease the use of 'Mailchimp' tool


The "ruling" presented in the "Standard" concerns a remedy procedure, concluded without formal supervisory measures, regarding a complaint by a data subject. In that procedure the controller (an individual company) that had used Mailchimp announced, after our request for comments and detailed information on the consequences of the Schrems II decision, that it had now refrained from using Mailchimp.

Our final notice to the complainant, which apparently formed the basis of the publication and was sent in mid-March, read in part as follows (informal translation):

"... We are referring to your data protection complaint against .... concerning the use of "Mailchimp". As a result of our intervention, the company has informed us that it had used Mailchimp twice to send newsletters. As a result of our intervention, the company has now informed us that it will no longer use Mailchimp with immediate effect.

The company also informed us that it had only transmitted email addresses to Mailchimp in the context of the above-mentioned use. It also mentioned that the recommendations of the European Data Protection Board on the so-called Supplementary Measures for transfers of personal data to third countries are not yet available in a final version, but are still subject to public consultation; this is correct.

According to our assessment, the use of Mailchimp by .... in the two cases mentioned - and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint - was unlawful under data protection law, because .... had not examined whether, in addition to the EU standard data protection clauses (which were used), "additional measures" within the meaning of the ECJ decision "Schrems II" (ECJ, judgment of 16.7. 2020, C-311/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken. “

We informed the company that, due to the above, the above-mentioned transfers of personal data to the U.S. were not lawful.

"The processing of your complaint is thus concluded. This letter constitutes the legally required information on the outcome of the processing of your complaint pursuant to Art. 77 (2) of the GDPR."

This case is exemplary of our supervisory enforcement of the requirements of the ECJ decision, which, contrary to recurring criticism, has already been pursued with a high degree of intensity even without publicly visible investigations or sanctions, and has so far succeeded with above-average frequency in reaching agreement.

For more information, please contact the Bavarian DPA: poststelle@lda.bayern.de


Lithuanian DPA issues EUR 12,000 fine for infringements of the General Data Protection Regulation in application “Karantinas” (Quarantine)

Following the temporary suspension of the use of the application "Karantinas" in May 2020 and an investigation conducted by the Lithuanian State Data Protection Inspectorate (DPA), in February 2021 fines for infringements of the General Data Protection Regulation (GDPR) were imposed on the National Public Health Centre (NPHC) and on the developer of the application, UAB "IT sprendimai sėkmei" (the Company).

A fine of EUR 12,000 was imposed on the NPHC for infringements of Articles 5, 13, 24, 32 and 35 and Article 58(2)(f) of the GDPR, and a fine of EUR 3,000 was imposed on the Company for infringements of Articles 5, 13, 24, 32 and 35 of the GDPR.

In spring 2020, the DPA started monitoring activities in response to information in the media about the possible improper processing of personal data by application “Karantinas”. After an assessment of the initial information, it was decided to open an investigation and suspend the processing of personal data by the application.

The investigation revealed that data from 677 individuals had been collected since April 2020, when the application became operational. Not all personal data were collected to the same extent; however, the application was designed to process personal data such as identification number, latitude and longitude coordinates, country, city, municipality, postal code, street name, house number, name, surname, personal number, telephone number, address, second address, whether the place of residence had been declared in Lithuania, and other information. According to the submitted data, it was established that the app's processing of data was performed not only in the territory of Lithuania, but also elsewhere in Europe (Estonia, Switzerland, etc.) and abroad (India, USA, etc.).

After conducting the investigation, the DPA found that the NPHC and the Company were joint controllers, although both organisations denied that status.

When deciding on the imposition of the administrative fine and its amount, the DPA took into account that the NPHC and the Company had processed personal data intentionally, on a large scale, unlawfully and systematically, without implementing technical and organisational measures to demonstrate compliance with the requirements of the GDPR, and had also processed special categories of personal data. In addition, the Company did not comply with the DPA's instruction to stop processing the personal data collected by means of the app, and deleted part of the personal data.

The decision of the DPA may be appealed in court within one month from the date of its service in accordance with the procedure established by legal acts.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt


Lithuanian DPA issues EUR 15,000 fine for infringements of the General Data Protection Regulation in the Centre of Registers

Following the incident at the State Enterprise Centre of Registers on 20 July 2020, which disrupted the operation of the state registers and state information systems managed by the State Enterprise Centre of Registers, the Lithuanian State Data Protection Inspectorate (DPA), after conducting an investigation under the General Data Protection Regulation (GDPR), in February 2021 imposed a fine for improper implementation of technical and organisational data security measures.

A fine of EUR 15,000 was imposed on the State Enterprise Centre of Registers for infringements of Article 32(1) (b) and (c) of the GDPR, namely failure to ensure the ongoing integrity, availability and resilience of processing systems and services, as well as failure to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

The fine was imposed on the Centre of Registers as the data controller and/or data processor of 22 registers and information systems. The decision was taken having regard to the state of the art and the costs of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals; the failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in infringement of Article 32(1)(b) and (c) of the GDPR; and the factors listed in Article 83(2)(a), (d) and (g) (relating to the nature, gravity, duration and scope of the infringement), which were recognised as aggravating the infringement by the SE Centre of Registers.

Pursuant to the Law on Legal Protection of Personal Data, a supervisory authority may impose on a public authority or body that has infringed the provisions referred to in Article 83(4)(a), (b) and (c) of the GDPR an administrative fine of up to 0.5% of its budget for the current year or of the other general annual revenues it received in the previous year, but not more than thirty thousand euros.

In determining the amount of the administrative fine, the DPA took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) of the GDPR that applied to the violation committed by the SE Centre of Registers, namely the absence of intent, the efforts made to restore the damaged data, the absence of evidence of material damage suffered by data subjects, the close cooperation with the DPA and the absence of previous violations of a similar nature. The DPA also took into account that the State Enterprise Centre of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and on other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to ensure compliance with the provisions of the GDPR in the future.

The DPA points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the GDPR. The processor is directly liable for non-performance or improper performance of this obligation too.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt


Forty-seventh Plenary Session of the EDPB

On March 30th, the EDPB will hold its 47th plenary session. During the plenary, the EDPB will discuss the European Commission's proposals for Regulations on a Digital Green Certificate.

The agenda for the 47th plenary is available here

EDPB adopted documents - 46th plenary

EDPB Stakeholder Event on processing of personal data for scientific research purposes

On April 30, the EDPB is organising a remote stakeholder event on the topic "application of the GDPR to the processing of personal data for scientific research purposes”. Representatives from, among others, individual companies, sector organisations, NGOs, law firms and academia with an expertise on the field are welcome to express interest in attending.

In order to express your interest to participate in the event, please fill in this form.

Places will be allocated on a first come, first served basis, depending on availability. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders, in light of their relevance in the field. Selected participants will receive the confirmation of their registration in the event via e-mail.

Detailed information and the programme of the event will be available shortly.

As we would like to have a balanced and representative audience, participation will be limited to one participant per organisation.

When? 30 April 2021, from 10:00 - 16:00h CET

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopt a joint opinion on the Data Governance Act

Brussels, 10 March. The EDPB and the EDPS adopted a joint opinion on the proposal for a Data Governance Act. The aim of the Data Governance Act is to foster the availability of data by increasing trust in data intermediaries[1] and by strengthening data-sharing mechanisms across the EU. In particular, the Data Governance Act intends to promote the availability of public sector data for reuse, the sharing of data between businesses, and the use of personal data with the help of a "personal data-sharing intermediary". The Data Governance Act also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the Data Governance Act to improve the conditions for data sharing in the internal market. At the same time, the protection of personal data is an essential and integral element of trust in the digital economy. With this joint opinion, the EDPB and the EDPS invite the co-legislators to ensure that the future Data Governance Act is fully in line with EU personal data protection legislation, thereby fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States' supervisory authorities.

"The EU's legal framework for data protection does not stand in the way of developing the data economy. On the contrary, trust in any kind of data sharing can only be achieved by respecting existing data protection legislation. The GDPR is the foundation on which the European data governance model must be built. That is why we underline the need to ensure consistency with the GDPR with regard to the competence of the supervisory authorities, the roles of the various actors involved, the legal basis for the processing of personal data, the necessary safeguards and the exercise of their rights by data subjects," says Andrea Jelinek, Chair of the EDPB.

"We understand that data is becoming increasingly important for the economy and society, as described in the European Data Strategy. However, with 'big data comes big responsibility', and appropriate data protection safeguards must therefore be put in place. The overarching framework for European data spaces should ensure that the data protection acquis is not affected," says Wojciech Wiewiórowski, European Data Protection Supervisor.

The EDPB and the EDPS consider that the EU legislator should ensure that the wording of the Data Governance Act clearly and unambiguously states that the act will not affect the level of protection of individuals' personal data and that no rights or obligations laid down in data protection legislation will be altered.

Concerning the reuse of personal data held by public sector bodies, the EDPB and the EDPS recommend aligning the Data Governance Act with the existing rules on the protection of personal data in the GDPR and with the Open Data Directive. Furthermore, it should be clarified that the reuse of personal data held by public sector bodies may only be allowed if it is based on EU or Member State law. Such laws should include a list of clearly compatible purposes for which further processing may lawfully be authorised, or which constitute a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 of the GDPR.

Concerning data sharing service providers, the joint opinion stresses the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design, transparency and purpose limitation. In addition, it should be clarified how such service providers would effectively assist individuals in exercising their rights as data subjects.

Concerning data altruism, the EDPB and the EDPS recommend that the Data Governance Act should better define the purposes of general interest of such "data altruism". Data altruism should be organised in such a way that individuals can easily give, but also withdraw, their consent.

In light of the possible risks for data subjects when their personal data may be processed by data sharing service providers or data altruism organisations, the EDPB and the EDPS consider that the automatic registration regimes for these entities, as laid down in the Data Governance Act, do not provide a sufficiently stringent vetting procedure applicable to such services. The EDPB and the EDPS therefore recommend exploring alternative procedures that allow for a more systematic inclusion of accountability tools, in particular adherence to a code of conduct or certification mechanism.

The joint opinion also includes recommendations on designating the supervisory authorities as the main competent authorities for monitoring compliance with the provisions of the Data Governance Act, in consultation with other relevant sectoral authorities.

______________________________________
[1] See the Explanatory Memorandum of the Proposal, p. 1

Note to editors: Please note that all documents adopted during the EDPB's plenary sessions are subject to the necessary legal, linguistic and formatting checks and will be published on the EDPB website once these checks have been completed.

EDPB_Press Release_statement_2021_02

EDPB & EDPS adopt joint opinion on the Data Governance Act (DGA)

The EDPB and EDPS adopted a joint opinion on the proposal for a Data Governance Act (DGA). The DGA aims to foster the availability of data by increasing trust in data intermediaries [1] and by strengthening data-sharing mechanisms across the EU. In particular, the DGA intends to promote the availability of public sector data for reuse, sharing of data among businesses and allowing personal data to be used with the help of a ‘personal data-sharing intermediary’. The DGA also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the DGA to improve the conditions for data sharing in the internal market. At the same time, the protection of personal data is an essential and integral element for trust in the digital economy. With this joint opinion, the EDPB and the EDPS invite the co-legislators to ensure that the future DGA is fully in line with the EU personal data protection legislation, thus fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States’ supervisory authorities.  

Andrea Jelinek, Chair of the EDPB, said: “The EU's data protection legal framework does not stand in the way of developing the data economy. Quite the contrary, it enables it: trust in any kind of data sharing can only be achieved by respecting existing data protection legislation. The GDPR is the foundation on which the European data governance model must be built. That is why we underline the need to ensure consistency with the GDPR with regard to the competence of the supervisory authorities, the roles of the different actors involved, the legal basis for the processing of personal data, the necessary safeguards and the exercise of the rights of the data subjects.”

Wojciech Wiewiórowski, EDPS, said: “We understand the growing importance of data for the economy and society as outlined in the European Data Strategy. However, with ‘big data comes big responsibility’, therefore appropriate data protection safeguards must be put in place. The overarching framework for European data spaces should ensure that the data protection acquis is not affected.”

The EDPB and EDPS consider that the EU legislator should ensure that the wording of the DGA clearly and unambiguously states that this act will not affect the level of protection of individuals’ personal data, nor will any rights and obligations set out in the data protection legislation be altered.

Concerning the reuse of personal data held by public sector bodies, the EDPB and EDPS recommend aligning the DGA with the existing rules on the protection of personal data laid down in the GDPR and with the Open Data Directive. Furthermore, it should be clarified that the reuse of personal data held by public sector bodies may only be allowed if it is grounded in EU or Member State law. Such laws should include a list of clear compatible purposes for which further processing may be lawfully authorised or constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 of the GDPR. 

On data sharing service providers, the joint opinion highlights the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design and by default, transparency and purpose limitation. Furthermore, the modalities upon which such service providers would effectively assist individuals in exercising their rights as data subjects should be clarified.

As for data altruism, the EDPB and the EDPS recommend that the DGA should better define the purposes of general interest of such “data altruism”. Data altruism should be organised in such a way that it allows individuals to easily give, but also, withdraw their consent. 

In light of the possible risks for data subjects when their personal data might be processed by data sharing service providers or data altruism organisations, the EDPB and EDPS consider that the declaratory registration regimes for these entities, as laid down in the DGA, do not provide for a sufficiently stringent vetting procedure applicable to such services. Therefore, the EDPB and EDPS recommend exploring alternative procedures that foresee a more systematic inclusion of accountability tools, in particular the adherence to a code of conduct or certification mechanism.

The joint opinion also includes recommendations on the designation of the supervisory authorities as main competent authorities for the control of the compliance with the DGA provisions, in consultation with other relevant sectorial authorities.

______________________________________
[1] See Explanatory Memorandum of the Proposal, page 1

Note to editors:  Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Questions to the EDPB can be directed to: greet.gysen@edpb.europa.eu and sarah.hanselaer@edpb.europa.eu - www.edpb.europa.eu
Follow us on Twitter: @EU_EDPB

Questions to the EDPS can be directed to Olivier Rossignol: press@edps.europa.eu - www.edps.europa.eu
Follow us on Twitter: @EU_EDPS

EDPB_Press Release_statement_2021_02

European Data Protection Board - 46th Plenary session

EDPB adopts 2021-2022 Work Program, Statement on ePrivacy Regulation, Guidelines on Virtual Voice Assistants & Guidelines on Connected Vehicles, and discusses UK Adequacy

During its 46th plenary session, the EDPB adopted a wide range of documents and discussed the draft UK adequacy decisions presented by the European Commission. 

The Board adopted its two-year work program for 2021-2022, according to Article 29 of the EDPB Rules of Procedure. The work program follows the priorities set out in the EDPB 2021-2023 Strategy and will put the Board’s strategic objectives into practice. 

The EDPB adopted a statement on the draft ePrivacy Regulation. In its statement, the EDPB welcomes the agreement on the negotiation mandate by the Council as a positive step in the finalisation of the ePrivacy Regulation. The EDPB recalls that national authorities responsible for enforcement of the GDPR should be entrusted with the oversight of the privacy provisions of the future ePrivacy Regulation to ensure a harmonised interpretation and enforcement of the ePrivacy Regulation across the EU and to guarantee a level playing field in the Digital Single Market.

EDPB Chair Andrea Jelinek said: “The ePrivacy Regulation must not, under any circumstances, lower the level of protection offered by the current ePrivacy Directive, and should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication.”

The EDPB adopted Guidelines on Virtual Voice Assistants (VVAs). These Guidelines aim to identify some of the most relevant compliance challenges for VVAs and to provide recommendations to relevant stakeholders on how to address them. The Guidelines will be submitted for public consultation for a period of six weeks.

The EDPB adopted a final version of the Guidelines on Connected Vehicles following public consultation. The Guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. The final version integrates updated wording, and further clarifications in order to address comments and feedback received during the public consultation.

The Board discussed the draft UK adequacy decisions, which were received from the European Commission. The EDPB will thoroughly review the draft decisions, taking into account the importance of guaranteeing the continuity and high level of protection for data transfers from the EU. 

Finally, the EDPB adopted a joint EDPB-EDPS opinion on the Data Governance Act. A separate press release will be published on this topic later today. 

The agenda of the forty-sixth plenary is available here.


EDPB_Press Release_2021_02

Norwegian DPA issues fine to Aquateknikk AS

The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis.

This case came in response to a complaint from a person who discovered that Aquateknikk had performed a credit rating on him when he had no customer relationship or any other connection with the company.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

Lacked legal basis

A credit rating compiles personal data from many different sources for the purpose of indicating how likely it is that the person will be able to pay what they owe. A credit rating will also include detailed information about the person’s personal financial situation, such as debt-to-income ratio, payment remarks, and the person’s mortgages, if any.

Upon investigating this matter, the Data Protection Authority concluded that the credit rating was performed without a legal basis, in violation of the requirements of the General Data Protection Regulation. The undertaking did not have a legitimate interest in performing a credit rating on the complainant.

Insufficient knowledge of the rules

“As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Thon concludes.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 EUR on CAIXABANK, S.A.

The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR). 

The AEPD considered that the document designed to fulfil the information obligation did not include enough information regarding the categories of personal data concerned, the purposes of the processing for which the personal data were intended, or the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 of the GDPR. Pursuant to Article 83(5)(b) of the GDPR, a fine of 2.000.000 EUR was imposed. When deciding on the amount of the administrative fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise, together with its turnover.

On the other hand, the AEPD found that CAIXABANK did not provide any mechanism to collect the data subjects’ consent; that the consent obtained did not meet all the requirements for valid consent; and that the processing activities based on the company’s legitimate interest were not sufficiently justified, especially as regards the relationship between the company’s activity and the processing of personal data. The AEPD concluded that this constituted a breach of Article 6 of the GDPR and, pursuant to Article 83(5)(a) of the GDPR, imposed an administrative fine of 4.000.000 EUR. In deciding on the amount of the fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the degree of responsibility of the controller, taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR; the benefits gained from the infringement; the categories of personal data affected by the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise, together with its turnover.

In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months. 

To read the full decision in Spanish, click here.

For further information, please contact the Spanish DPA: prensa@aepd.es


Norwegian DPA issues fine to Municipality of Indre Østfold

The Norwegian Data Protection Authority has fined the Municipality of Indre Østfold EUR 20,000 (NOK 200,000) for a confidentiality violation. Personal data that should have been restricted was available to unauthorized persons.

The Municipality of Indre Østfold, formerly the Municipality of Askim, published the records file of a former pupil on its municipal website. This file included confidential personal data.

Tipped off by a local newspaper

The background to this incident was that the pupil needed his records file in connection with his further studies and asked the municipality to send it to him. The municipality routinely enters such access-to-information requests in the public record. That process also entails scanning the document to which access has been requested and making it available for public access.

The pupil’s file was available on the municipality’s website from Friday 27 September to Monday 30 September. The municipality was made aware of the incident by a journalist from the local newspaper Smaalenenes Avis. The documents were removed from the public record and exempted from public access as soon as they were discovered. The affected person was then notified.

Fine not adjusted

The municipality responded to the Data Protection Authority’s notice of fine. In its response, the municipality apologized for “sensitive personal data” having been included in the public record. At the same time, the municipality urged the Data Protection Authority to reconsider the size of the fine, considering the measures implemented after the fact.

A fine should reflect the severity of the violation. Norwegian law requires the municipality to implement any measures necessary to prevent future violations. The Data Protection Authority has found that, given the severity of the violation, the measures later implemented to remedy the incident do not significantly affect the amount of the fine imposed.

The Norwegian Data Protection Authority has therefore decided not to reduce the fine.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Norwegian DPA issues reprimand to Telenor for inadequate protection of personal data

The Norwegian Data Protection Authority has issued a reprimand to Telenor Norge AS for inadequate protection of personal data in its voicemail function, and for failing to submit a data breach notification to the Norwegian Data Protection Authority.

A security error has made it possible for unauthorized persons to access the voicemails of approx. 1.3 million customers by using so-called 'spoofing' services. The Data Protection Authority finds that Telenor Norge AS had not implemented satisfactory security measures. This vulnerability in the voicemail function had been known for many years.

“Unlawful hacking of voicemail inboxes using ‘spoofing’ services has been a known problem for years. We believe Telenor should have identified this vulnerability in their voicemail function at an earlier date,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Failed to submit Data Breach Notification

This vulnerability affected a large number of subscribers. Voicemail messages may contain a lot of information, and this content has been largely outside Telenor’s control. These factors indicate that Telenor’s security measures have been inadequate.

“This decision also takes account of the fact that Telenor failed to submit a data breach notification to the Data Protection Authority. We believe Telenor Norge AS should have reported the security breach to us as soon as they became aware of the vulnerability,” says Bjørn Erik Thon.

Fine issued by the Norwegian Communications Authority (NKOM)

The Norwegian Communications Authority (NKOM) previously issued a fine in the amount of EUR 150,000 (NOK 1.5 million) for violation of the Electronic Communications Act, for the same circumstances as the Data Protection Authority has now considered. To prevent Telenor Norge AS from being penalized twice for the same offence, the Norwegian Data Protection Authority opted to issue a formal reprimand instead.

Two violations of the Regulation

A reprimand is a punitive measure introduced by the General Data Protection Regulation, and means that we have concluded that a violation of the law has occurred. In this case, we believe the following provisions of the General Data Protection Regulation have been breached:

  • Violation of Article 32 (1) of the GDPR, by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Violation of Article 33 of the GDPR, by failing to notify the personal data breach to the Data Protection Authority.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Polish DPA: The first fine for non-compliance with an administrative decision order

An administrative fine of more than PLN 85,000 (EUR 20,000) has been imposed on an entrepreneur conducting economic activity in the field of health care for failing to comply with an order imposed on it in an administrative decision.

The Personal Data Protection Office (UODO) had ordered the entrepreneur to communicate the breach of their personal data to its patients and to provide them with recommendations on how to minimise the potential adverse effects of the incident. Proceedings conducted to check whether the obligations imposed in the UODO’s decision had been fulfilled revealed that the controller had failed to do so.

Consequently, the persons affected by the breach knew nothing about it. The notification was meant to contain information such as:

  1. a description of the nature of personal data breach;
  2. the name and contact details for the data protection officer or other contact point where more information can be obtained;
  3. a description of the likely consequences of the personal data breach;
  4. a description of measures taken or proposed by the controller to be taken to address the personal data breach – including measures to mitigate its possible effects.

Properly fulfilling this obligation would have allowed the data subjects to understand what the breach of their personal data consisted of, to learn the possible consequences of such an incident, and to know what actions they could take to mitigate its possible adverse effects.

Because the entrepreneur ignored the decision of the supervisory authority, UODO decided to initiate ex officio proceedings to impose an administrative fine. It should be noted that the entrepreneur had received detailed instructions from the Office concerning, inter alia, the correct wording of the communications, the form in which they should be delivered to patients, and the manner of documenting these actions. Even at the stage of the fine proceedings, the entrepreneur did not present complete evidence that would allow the Office to conclude that the obligation resulting from the order in the decision had been fulfilled.

While imposing the fine, the Office took into account the following aggravating factors:

  • a long duration of the breach, which resulted in increased risk of the adverse effects for persons affected by the breach, and
  • intentional nature of the breach and unsatisfactory level of cooperation with the supervisory authority in order to remedy the breach – the entrepreneur did not follow the recommendations of the Office during the proceedings.

The entrepreneur’s failure to comply with the guidelines provided by the Office demonstrates blatant disregard for its data protection obligations.

The supervisory authority is responsible for monitoring and enforcing compliance with personal data protection laws. In case of non-compliance by controllers, the President of the UODO may use the corrective powers granted to it. These are, among others, the power to order the controller to communicate a personal data breach to the data subject, and the power to impose an administrative fine, in addition to or instead of measures referred to in Article 58(2) of the GDPR.

To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl