Datainspektionen på Åland

Datainspektionen på Åland (the Åland Data Inspectorate) is responsible for data protection in the public administration on Åland. The Swedish Datainspektionen changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten (the Swedish Authority for Privacy Protection). See imy.se for details.

European Data Protection Board

Swedish DPA: Police unlawfully used facial recognition app

The Swedish Authority for Privacy Protection finds that the Swedish Police Authority has processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals.

Upon news in the media of the Swedish Police Authority using the application Clearview AI for facial recognition the Swedish Authority for Privacy Protection (IMY) initiated an investigation against the Police.

The investigation concludes that Clearview AI has been used by the Police on a number of occasions. According to the Police, a few employees have used the application without any prior authorisation.

IMY concludes that the Police has not fulfilled its obligations as a data controller on a number of accounts with regards to the use of Clearview AI. The Police has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act. When using Clearview AI the Police has unlawfully processed biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require.

There are clearly defined rules and regulations on how the Police Authority may process personal data, especially for law enforcement purposes. It is the responsibility of the Police to ensure that employees are aware of those rules, says Elena Mazzotti Pallard, legal advisor at IMY.

IMY imposes an administrative fine of SEK 2,500,000 (approximately EUR 250,000) on the Police Authority for infringements of the Criminal Data Act. IMY also orders the Police to conduct further training and education of its employees in order to avoid any future processing of personal data in breach of data protection rules and regulations.

In addition, the Police are ordered to inform the data subjects whose data has been disclosed to Clearview AI, where confidentiality rules so allow. Finally, the Police are ordered to ensure, to the extent possible, that any personal data transferred to Clearview AI is erased.


The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Dutch DPA fines OLVG hospital for inadequate protection of medical records 

The Dutch Data Protection Authority (DPA) has imposed a fine of €440,000 on the Amsterdam-based hospital OLVG for its inadequate protection of patients’ medical records. Between 2018 and 2020 OLVG did not have sufficient safeguards in place to prevent unauthorised access to the records. It did not carry out proper checks of who accessed which records, and there were shortcomings in information systems security. In response to the DPA’s investigation OLVG has made the required improvements.

‘You should be able to count on whatever you discuss with your doctor staying confidential,’ DPA deputy chair Monique Verdier said. ‘It doesn’t bear thinking about that people who have no business doing so could look at your doctor’s notes and pry into your state of health and personal details. Patients have the right to expect that staff members will only access their medical records if it is necessary for the patient’s treatment. OLVG’s security measures couldn’t guarantee that. That’s a serious breach and that’s why the DPA has imposed this fine.’

Besides medical information, patient records also contain personal data like citizen service numbers, addresses and phone numbers. These types of data must also be properly secured to avoid risks like identity fraud and phishing.

Two violations

The DPA launched its investigation after a tip from a concerned member of the public, reports in the media and two notifications of data breaches by OLVG about work placement students and other staff accessing medical records even though it was not necessary for their work. After its investigation, the DPA concluded that there are structural shortcomings in the way OLVG secures access to medical records. Specifically, it found two violations of data protection law:

  • Every time a staff member accesses medical records, these details must be recorded in a log. In addition, the hospital must review this access log regularly, so that it can take timely steps if it finds that someone has accessed a record when they are not actually authorised to do so. OLVG did have an automated procedure that logged who accessed which files, but it did not review the logs often enough to check for cases of unauthorised access.
  • Good security requires two-factor authentication to establish the identity of a user who wants access to a patient record. Examples are a code or password in combination with a personnel badge. OLVG did not require two-factor authentication when access was requested from inside the hospital. Access from a location outside the hospital was secured with two-factor authentication.
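As an added illustration of what the log review in the first point involves (this is not code from the Dutch DPA's press release or from OLVG's systems), the script below parses a constructed access log and checks each record access against a constructed table of care-team assignments. The log format, the field names, the user and patient identifiers, the assignment windows and the `break_glass` flag are all assumptions made for the example.

```python
"""Review an EHR access log against care-team assignments.

Added example: flags record accesses that are not covered by a treatment
relationship, which is the check a periodic access-log review is meant to
perform. Log format, field names and all sample data are constructed for
this example; they are not OLVG's or the Dutch DPA's.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed access log: one line per record access (format is an assumption).
SAMPLE_LOG = """\
2020-03-02T09:14:05 user=nurse042 patient=P1001 action=view break_glass=no
2020-03-02T09:20:11 user=dr_lee patient=P1001 action=update break_glass=no
2020-03-02T10:02:47 user=intern07 patient=P1001 action=view break_glass=no
2020-03-02T10:05:13 user=intern07 patient=P2002 action=view break_glass=no
2020-03-02T10:06:30 user=intern07 patient=P3003 action=view break_glass=no
2020-03-03T22:41:09 user=dr_kaur patient=P2002 action=view break_glass=yes
2020-03-10T08:00:00 user=nurse042 patient=P1001 action=view break_glass=no
"""

# Constructed care-team assignments: (patient, user) -> (start, end) of the
# treatment episode. Outside that window the user has no care relationship.
CARE_TEAM = {
    ("P1001", "nurse042"): (date(2020, 3, 1), date(2020, 3, 5)),
    ("P1001", "dr_lee"): (date(2020, 3, 1), date(2020, 3, 5)),
    ("P2002", "dr_kaur"): (date(2020, 2, 20), date(2020, 3, 1)),
    ("P3003", "intern07"): (date(2020, 3, 1), date(2020, 3, 31)),
}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; ts becomes a datetime."""
    ts, *fields = line.split()
    entry = dict(field.split("=", 1) for field in fields)
    entry["ts"] = datetime.fromisoformat(ts)
    return entry


def has_care_relationship(entry):
    """True only if the user was on the patient's care team on the day of access."""
    window = CARE_TEAM.get((entry["patient"], entry["user"]))
    if window is None:
        return False
    start, end = window
    return start <= entry["ts"].date() <= end


def review_access_log(log_text):
    """Return (unauthorised, break_glass) lists of parsed log entries.

    unauthorised: access with no care relationship and no break-glass flag.
    break_glass:  emergency access that bypassed the check; it is listed for
                  manual review even when a relationship happens to exist.
    """
    unauthorised, break_glass = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry.get("break_glass") == "yes":
            break_glass.append(entry)
        elif not has_care_relationship(entry):
            unauthorised.append(entry)
    return unauthorised, break_glass


def accesses_per_user(entries):
    """Count findings per user so that one account browsing many patients stands out."""
    counts = defaultdict(int)
    for entry in entries:
        counts[entry["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    bad, emergency = review_access_log(SAMPLE_LOG)
    for e in bad:
        print("UNAUTHORISED", e["ts"].isoformat(), e["user"], e["patient"], e["action"])
    for e in emergency:
        print("BREAK-GLASS ", e["ts"].isoformat(), e["user"], e["patient"], e["action"])
    print("findings per user:", accesses_per_user(bad))
```

On the constructed log this reports three accesses without a treatment relationship (two by `intern07`, one by `nurse042` after the episode ended) and one break-glass access for manual review. A periodic review would run the same check over the previous period's log and route the per-user counts to whoever owns the follow-up; as the first point above states, logging who accessed which file is only half the control, and the other half is that someone actually reads the result.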

‘It’s crucial to protect patient data’

‘The healthcare sector has consistently been in the top 3 sectors with the most data breaches in the past few years. And we’re talking about a sector that stores a lot of highly sensitive personal data,’ Ms Verdier said. ‘Protecting patient data is crucial. Patients share a lot of information with healthcare providers – and it’s vital that they do so, perhaps now more than ever because of COVID-19. But that means people have to be able to have confidence that their data is safe. So we’re asking hospitals and other healthcare providers to take a good look at how they protect their patient data and take steps to improve this where necessary.’ Healthcare providers can find more information about adequately protecting personal data on the DPA’s website.

Security improved

OLVG improved its systems security during the DPA’s investigation. The hospital introduced a structural procedure for reviewing access logs, as well as two-factor authentication for access to medical records from inside the hospital.

OLVG will not lodge an objection or appeal against the decision of the DPA to impose a fine.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl


Polish DPA fines the National School of Judiciary and Public Prosecution (KSSIP) for breaching the GDPR rules

The President of the Polish DPA found the breach of GDPR and imposed an administrative fine in the amount of PLN 100 000 (nearly EUR 22 000) on KSSIP for failing to fulfil its obligations as a controller.

According to the Personal Data Protection Office, the controller did not take the technical and organisational measures needed to ensure the confidentiality of the processing services. KSSIP neither tested nor assessed the effectiveness of the technical and organisational measures meant to secure the personal data contained in the copy of the KSSIP training platform database, and so failed to properly take into account the risks associated with changes in the processing of personal data.

In addition, it should be pointed out that the controller entrusted the processing of personal data to a processor without a binding contractual commitment to process personal data only on documented instructions from the controller.

KSSIP notified the UODO of a personal data breach after the National Police Headquarters informed it that personal data linked to the domain kssip.gov.pl had appeared on the Internet. The notified incident involved unknown persons gaining unauthorised access to a copy of the KSSIP training site database created during a test migration to a new training platform. The breach involved the personal data of more than 50 000 people whose data had been collected on the KSSIP training platform as users subject to continuous training. Those persons hold positions including judge, court assessor, prosecutor, assistant prosecutor and law clerk.

Organizational and technical measures

A controller implements appropriate technical and organisational measures so that the processing of personal data is carried out in accordance with the GDPR, and reviews and updates those measures as necessary. This means that, when assessing whether the safeguards are proportionate, the controller should take into account the factors and circumstances of the processing (e.g. its type and the means used) and the risks involved.

On KSSIP's IT resources there was a copy of the database whose existence and security the controller in no way verified after the migration, although the data protection provisions oblige it to do so. With regard to the changes in the processing, KSSIP did not take sufficient measures to verify the security of the processing environment before and after the migration.
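The verification described above can be made concrete. The script below is an added example and is not KSSIP's, UODO's or the processor's code: it sweeps a directory tree for files that look like database dumps or copies and reports each one together with whether it sits under a directory assumed to be web-served, or is readable or writable by every local account. The directory names treated as web roots, the dump file suffixes and the sample tree it builds are all assumptions made for the example.

```python
"""Post-migration sweep for leftover database copies.

Added example: after a migration or test migration, enumerate every file that
looks like a database dump or copy and report where it sits and who can read
it. The directory layout, file names and web-root names are constructed for
this example; nothing here reflects KSSIP's actual systems.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Assumed naming conventions for dumps/backups (extend for your own tooling).
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".sqlite", ".db")
# Assumed directory names under which files are served to clients.
EXPOSED_ROOTS = ("www", "htdocs", "public", "static")
SQLITE_MAGIC = b"SQLite format 3\x00"


def looks_like_dump(path):
    """True for dump-like file names, or for SQLite files whatever their extension."""
    if path.name.lower().endswith(DUMP_SUFFIXES):
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def classify(path, base):
    """Return the reasons this copy is a finding; an empty list means 'present, review'."""
    reasons = []
    rel = path.relative_to(base)
    if any(part in EXPOSED_ROOTS for part in rel.parts[:-1]):
        reasons.append("under web-served root")
    mode = path.stat().st_mode
    if mode & stat.S_IROTH:
        reasons.append("world-readable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def sweep(base):
    """Walk base; return {relative posix path: [reasons]} for every dump-like file."""
    base = Path(base)
    findings = {}
    for root, _dirs, files in os.walk(base):
        for fname in files:
            path = Path(root) / fname
            if looks_like_dump(path):
                findings[path.relative_to(base).as_posix()] = classify(path, base)
    return findings


def build_fixture():
    """Constructed tree mimicking a migration host; returns its temporary path."""
    base = Path(tempfile.mkdtemp(prefix="migration-"))
    layout = {
        "www/backup/platform_copy.sql.gz": (0o644, b"-- dump\n"),      # exposed + readable
        "var/lib/app/users.dat": (0o600, SQLITE_MAGIC + b"\x00" * 16),  # sqlite, odd name
        "var/backups/platform.dump": (0o640, b"-- dump\n"),            # present, private
        "home/ops/notes.txt": (0o644, b"migration notes\n"),           # not a dump
    }
    for rel, (mode, content) in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        path.chmod(mode)
    return base


if __name__ == "__main__":
    base = build_fixture()
    try:
        for rel, reasons in sorted(sweep(base).items()):
            print(rel, "->", ", ".join(reasons) or "present; confirm it is still needed")
    finally:
        shutil.rmtree(base)
```

In the constructed tree the sweep reports three copies and flags one as both web-served and world-readable. The two acceptable-looking entries are still listed, because the point of the check is inventory: a copy nobody knows about cannot be protected or deleted, whatever its permission bits happen to be.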

The entrustment of data processing must be precisely defined

In the situation of entrusting the processing of personal data to an external processor, the subject-matter and duration of the processing, the nature and the purpose of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the controller shall be specified in the personal data entrustment contract.

The entrustment contract in this case defined the scope of the entrusted data insufficiently. When entrusting the processing of personal data to the processor, KSSIP did not include in the contract the categories of data subjects and did not specify the type of personal data by indicating their categories. In addition, the fined entity did not include in the contract the obligation of the processor to process personal data only on documented instructions from the controller.

The model of cooperation between the controller and the processor was ineffective. The controller’s lack of understanding of its role in the relationship with the processor led to the personal data protection breach. KSSIP, both before and after the data protection breach was determined, was not fully aware of how the rights and obligations between the controller and the processor were shaped.

The proceedings against the processor discontinued

The processor complied with the obligations under the entrustment contract and the main contract, and applied the organizational measures adopted by it in order to ensure the security of the IT systems. It was the controller that did not undertake an analysis whether, by indicating to the processor a place to make a backup copy of the database, it was exposing the personal data contained therein to the breach of their confidentiality.

In the opinion of the Personal Data Protection Office there are also no legal grounds to accuse the processor of breaching the obligation to support the controller in complying with its duties. As a result, the proceedings in this respect were discontinued.


For more information please contact the Polish DPA at kancelaria@uodo.gov.pl 


Norwegian DPA issues fine for forwarding e-mail

The Norwegian Data Protection Authority has fined an organization EUR 40 000 (NOK 400,000) for unlawfully setting up automatic forwarding of an employee’s e-mails.

The background for this case is a complaint from an employee who discovered that their employer had activated automatic forwarding of the employee’s inbox.

Lacks legal basis

This automatic forwarding was activated in connection with the employee’s sickness absence, and remained active for more than a month. After investigating the matter, the Data Protection Authority concludes that the forwarding was in violation of the national regulations concerning an employer’s access to e-mail inboxes and other electronic information, as well as the requirements of the General Data Protection Regulation concerning legal basis, informing the data subject and the obligation to consider the employee’s objections.

On this basis, the Data Protection Authority has ordered the organization to review its written procedures for access to e-mail inboxes and issued a fine in the amount of EUR 40 000 for the unlawful forwarding.

The name of the organization has been withheld from public access to protect the identity of the complainant. The organization has appealed the decision.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Norwegian DPA issues fine to Coop Finnmark

The Norwegian Data Protection Authority has issued a fine in the amount of EUR 40 000 (NOK 400,000) to Coop Finnmark SA. The case concerns unlawful distribution of a camera recording from a shop.

The manager of the shop in question made a recording of surveillance footage with their phone and distributed the recording. The recording quickly spread.

The amount of the fine has not changed since our first notice in this case.

Lacked legal basis

All processing of personal data requires a legal basis in order to be lawful. After reviewing the case, the Data Protection Authority finds that Coop Finnmark lacked a legal basis for the shop manager’s distribution of the surveillance footage.

“The requirement for a legal basis is a basic principle of the General Data Protection Regulation, and any violation of this principle is considered serious,” Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority, explains.

This case was reported as a personal data breach notification from Coop Finnmark AS on April 10th 2019, and the Data Protection Authority issued a notice of fine in March 2020. Coop Finnmark has submitted comments to the notice, which the Data Protection Authority now has considered.

Responded with a fine

The Data Protection Authority finds that this case is so severe that a fine is the appropriate corrective measure. The Authority has given weight to the fact that the camera footage showed children, and that the distribution potentially entailed a major risk to their privacy.

The fine amount was calculated on the basis of an overall assessment of the severity of the violation and the financial situation of the organization, among other things.

“This case is a textbook example of how easy it is to lose control of personal data once shared — these things spread quickly,” says Bjørn Erik Thon.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

Norwegian DPA issues fine to Cyberbook AS

The Norwegian Data Protection Authority has fined Cyberbook AS EUR 20 000 (NOK 200,000) for unlawfully setting up the automatic forwarding of a former employee’s e-mails.

The background for this case is a complaint filed by a former employee of Cyberbook. The person discovered that the company had activated automatic forwarding of their personal e-mail address at the company.

In violation of regulations

This forwarding remained active for several months without the former employee being informed of it. After reviewing the matter, the Data Protection Authority finds that the forwarding is in violation of the national regulations concerning an employer’s access to e-mail inboxes and other electronic information.

Ordered to implement procedures

In addition, we find that the organization has violated the requirements of the General Data Protection Regulation concerning legal basis, informing the data subject and the obligation to consider the employee’s objections, as well as the provisions concerning erasure of personal data.

On this basis, the Data Protection Authority has ordered the organization to implement written procedures for access to the e-mail inboxes of employees and former employees, and issued a fine in the amount of EUR 20,000 for the unlawful forwarding.

Cyberbook has three weeks to appeal, from the date on which they received notice of our decision.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

Norwegian DPA issues fine to Gveik AS

The Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.

An individual with no customer relationship or other affiliation with Gveik AS received a notice and became aware that the company had performed a credit rating on them. The individual filed a complaint with the Data Protection Authority.

Credit rating for personal purposes

The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. When an organization performs a credit rating, it collects detailed information about an individual’s personal financial situation. A credit rating is a compilation of personal data from many different sources. In certain cases, it will indicate how likely it is that a person will be able to pay their debts, and it will include any payment defaults, the debt-to-income ratio and whether the person has any mortgages.

In this case, the purpose of conducting the credit rating was personal and outside of the business interests of the organization. These types of cases are serious, and the Data Protection Authority normally issues fines for such violations.

Gveik AS may appeal the fine within the term set.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Norwegian DPA issues fine to Lindstrand Trading AS

The Norwegian Data Protection Authority has decided to issue a fine of EUR 10 000 (NOK 100,000) to Lindstrand Trading AS for conducting a total of four credit ratings of individuals and sole proprietorships without a legal basis.

This fine was issued in response to a complaint filed by an individual who discovered she had been subjected to credit ratings without having any form of customer relationship or other association with Lindstrand Trading.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

 “As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Directly linked to the owner’s personal financial situation

Credit ratings of a sole proprietorship are also considered personal data, as this type of business enterprise is directly linked to the owner and thereby also the owner’s personal financial situation. This means that a legal basis is required to subject sole proprietorships to a credit rating.

A credit rating compiles personal data from many different sources and estimates how likely it is that a person will be able to pay what they owe. A credit rating will also include detailed information concerning the personal financial situation of individuals, such as any payment defaults, debt-to-income ratio and whether the person has any mortgages.

Serious violation

The Data Protection Authority finds that these credit ratings were conducted for personal purposes, completely disconnected from the organization’s business activities. On this basis, we have concluded that the credit ratings were conducted without a legal basis, thus constituting a violation of the provisions of the General Data Protection Regulation.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Bjørn Erik Thon concludes.

Lindstrand Trading AS has appealed the fine.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


EDPB adopted documents - 45th plenary

European Data Protection Board - 45th Plenary session

EDPB adopts Recommendations on Art. 36 LED – Adequacy referential, Opinion on the H3C/PCAOB Administrative Arrangement, Statement on new draft provisions on a protocol to the Cybercrime Convention, Response to EC questionnaire on processing personal data for scientific research & discussion on WhatsApp privacy policy.

During its 45th plenary session, the EDPB adopted a wide range of documents. In addition, the Board discussed WhatsApp’s updated privacy policy.

The EDPB adopted Recommendations on the adequacy referential under the Law Enforcement Directive (LED). The EDPB ensures the consistent application of EU data protection law in the EU, including of the Law Enforcement Directive (LED), which deals with the processing of personal data for law enforcement purposes. The aim of the Recommendations is to provide a list of elements to be examined when assessing the adequacy of a third country under the LED. The document recalls the concept and procedural aspects of adequacy according to the LED and the case law of the CJEU, and lays down the EU standards for data protection for police and judicial cooperation in criminal matters.

The EDPB adopted an opinion on the draft Administrative Arrangement (AA) for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB). This AA will be submitted to the French SA for authorisation at national level. The French SA will monitor the application of the AA in practice and, if necessary, suspend any transfer performed by the H3C, if the AA ceases to provide data subjects with an essentially equivalent level of protection.

The EDPB adopted a Statement on the draft provisions on a protocol to the Cybercrime Convention. This statement complements the EDPB contribution to the draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) and follows the publication of the new draft provisions. 
In this statement, the EDPB recalls that the provisions currently being discussed are likely to affect the conditions for access to personal data in the EU for law enforcement purposes and calls for a careful scrutiny of the ongoing negotiation by the relevant EU and national institutions. In addition, the EDPB stresses the need to guarantee full consistency with the EU acquis in the field of personal data protection. 

The EDPB adopted its response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research. The answers provided by the EDPB form a preliminary position on this topic and aim to provide clarity as to the application of the GDPR in the domain of scientific health research. The EDPB is currently developing guidelines on processing personal data for scientific research purposes that will elaborate on these issues. 

Finally, the Members of the Board had an exchange of views on WhatsApp's recent Privacy Policy update. The EDPB will continue to facilitate this exchange of information between authorities, in order to ensure a consistent application of data protection law across the EU in accordance with its mandate.


Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.


EDPB_Press Release_2021_1
 

Polish DPA fines Smart Cities: Another fine for lack of cooperation with the Personal Data Protection Office

A fine of over PLN 12 000 (EUR 3 000) was imposed on the Warsaw-based company Smart Cities for not cooperating with the Personal Data Protection Office (UODO): it failed to reply to the Office's letter and failed to provide access to personal data and other information necessary for the performance of the Office's tasks.

As a supervisory authority within the remit of Article 51 of the GDPR, UODO monitors and enforces the application of this regulation in its territory. In order to enable the performance of tasks, the UODO has a number of powers in the field of proceedings, including the power to order the controller and processor to provide all the information necessary for the performance of its tasks and to obtain from the controller and processor access to all personal data and all information necessary for the performance of its tasks.

Hindering and preventing access to the information that the UODO requested from the company, which it undoubtedly has in its possession, demonstrates a flagrant disregard for its obligation to cooperate with the supervisory authority in the performance of its tasks.


For more information please contact the Polish DPA at kancelaria@uodo.gov.pl


Children and Social Networks: Italian DPA Requests Information on Processing from Facebook and Instagram

Rome, 27 January 2021

Probe to be extended to additional social platforms

The Garante (Italian data protection authority) is stepping up its action to protect children using social networks, after the case of the 10-year-old girl from Palermo and the limitation on processing imposed on TikTok. Inquiries were started yesterday into the processing by Facebook and Instagram.

Media reports over the past few days mentioned that the girl had allegedly opened several profiles on both social networks.

The Garante requested Facebook, which owns Instagram, to provide information including how many and which profiles were held by the girl and, if any, how a 10-year-old could manage to register with both platforms.

More importantly, specific information was requested on the registration mechanisms in place and the age verification methods applied by both social networks to check compliance with the age threshold for registration.

Replies from Facebook are expected within 15 days.

The probe by the Italian SA will also be extended to other social networks, with particular regard to the mechanisms regulating children’s access to the platforms.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it


Belgian DPA imposes €50,000 Fine on Family Service

The BE DPA has just imposed a fine of 50,000 euro on the company Family Service, which distributes "pink boxes" well known by mothers and fathers-to-be in Belgium, for various breaches of the GDPR.

Family Service is a marketing company that distributes pink boxes that include samples, special offers and information sheets for future parents. The inspection service of the BE DPA launched an investigation into the company after a complaint was lodged at the DPA alleging the company transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.

The Inspection Service and the Litigation Chamber of the BE DPA found that the company was renting and/or selling personal data for commercial purposes. However, these practices were not indicated in the communication to customers in a clear and comprehensible manner. It is all the more important for the company in this case to properly inform the client about these practices, given that the pink boxes were distributed via gynaecologists and hospitals, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.

What’s more, the consent given by the customers for these transfers of data was not valid: consent was clearly not informed, but also not specific (as consent for receiving the boxes automatically involved the transfer of data) or freely given (as the lack of consent involved the loss of some benefits).

Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of 50,000 euro, and ordered the company to comply with the GDPR. Given the size of the company, this is a considerable amount, but the BE DPA decided that a significant sanction was needed as the business model of Family Service is clearly not compliant with the GDPR.

To read the decision (in Dutch) click here

For further information, please contact the Belgian DPA: contact@apd-gba.be


EDPB celebrates Data Protection Day

On the occasion of the 15th annual Data Protection Day, the Members of the EDPB bring you a joint message. Today is an opportunity to reflect on the efforts we make day after day to empower individuals, encourage business to be compliant and to enable trust.  From all of us at the EDPB, we wish you a very happy Data Protection Day.


Italian DPA imposes limitation on processing on TikTok after the death of a girl from Palermo

The Italian SA (Garante per la protezione dei dati personali) imposed an immediate limitation on the processing performed by TikTok with regard to the data of users whose age could not be established with certainty.

The SA decided to take urgent measures (GDPR, art. 58, comma 2, lett. f) and art. 66, comma 1) following the dismay caused by the death of a 10-year-old girl from Palermo.

In December, the Garante had already notified several infringements to TikTok including poor attention to the protection of minors, the easy dodging of the registration ban the company applies to children under 13 years, non-transparent and unclear information provided to users, and default settings falling short of privacy requirements.

Pending receipt of the feedback that was requested via the above notification, the Garante decided to step in today anyway in order to afford immediate protection to the minors in Italy who have joined the social platform.

This is why the Italian SA banned TikTok from further processing the data relating to any user ‘whose age could not be established with full certainty so as to ensure compliance with the age-related requirements’.

The ban will apply provisionally until 15 February as the Garante plans to conclude its further assessment by that date.

The limitation order will be brought to the attention of the Irish SA, since TikTok recently communicated that it had set its main EU establishment in Ireland.

To read the decision in Italian, click here.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it


State Commissioner for Data Protection in Lower Saxony imposes € 10.4 million fine against notebooksbilliger.de

The State Commissioner for Data Protection in Lower Saxony has imposed a fine of 10.4 million euros against notebooksbilliger.de AG. The company had been using video surveillance to monitor its employees for at least two years with no legal justification. Some of the areas recorded by the illegal cameras included workspaces, sales floors, warehouses and staff rooms.

The company claimed the video cameras had been installed to prevent and investigate criminal offences and to track the flow of goods in warehouses. In order to prevent theft, however, a company must first implement less severe means (e.g. random bag checks when leaving the business premises). Furthermore, video surveillance may only be used to investigate crimes if specific individuals are reasonably suspected of committing such offences. If this is the case, the company may be allowed to monitor the individuals with cameras for a limited period. However, notebooksbilliger.de had not limited its video surveillance to specific employees or a specific period. In addition, many of the recordings were saved for 60 days, which is much longer than necessary.

General suspicion is not enough

“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.

The customers of notebooksbilliger.de were also affected by the illegal video surveillance, because some cameras were directed at seating on the sales floor. In areas where people typically spend more time (e.g. to try out devices), data subjects have high legitimate interests. This is especially true for seating areas, where customers are clearly invited to take their time. Therefore, the video surveillance used by notebooksbilliger.de was not justified.

The fine of 10.4 million euros is the highest penalty that has ever been imposed by the State Commissioner for Data Protection in Lower Saxony under the General Data Protection Regulation (GDPR). The GDPR enables supervisory authorities to impose fines of up to 20 million euros – or up to 4% of a company’s total annual turnover worldwide – whichever is higher. The fine imposed against notebooksbilliger.de is pending legal enforcement. The company has since arranged its video surveillance in accordance with the law and proved this to the State Commissioner for Data Protection in Lower Saxony.

The State Commissioner for Data Protection in Lower Saxony provides more information on video surveillance here.

For more information please contact the Lower Saxony DPA here: poststelle@lfd.niedersachsen.de


Dutch DPA issues Formal Warning to a Supermarket for its use of Facial Recognition Technology

The Dutch Data Protection Authority (DPA) has issued a formal warning to a supermarket for its use of facial recognition technology. Although the facial recognition technology has been disabled since December 2019, the supermarket wished to turn it back on.

The supermarket claims that it used facial recognition technology to protect its customers and staff and to prevent shoplifting. The technology was connected to cameras at the store’s entrance.

The technology scanned the face of everyone who entered the store and compared it to a database of people who had been banned from entering stores. The faces of people who had not been banned were deleted after several seconds.

Following reports in the media, on 6 December 2019 the DPA requested information from the owner of the supermarket. On 8 December 2019, the supermarket disabled the facial recognition technology. The owner indicated in documents provided to the DPA, however, that he wished to turn it back on.

Ban on facial recognition technology

‘It’s unacceptable for this supermarket – or any other store in the Netherlands – to just start using facial recognition technology,’ says Monique Verdier, deputy chairperson of the DPA. ‘Use of such technology outside of the home is banned in nearly all cases. And that’s for good reason.’

Walking bar codes

‘Facial recognition makes us all walking bar codes,’ explains Verdier. ‘Your face is scanned every time you enter a store, a stadium or an arena that uses this technology. And it’s done without your consent. By putting your face through a search engine, there is a possibility that your face could be linked to your name and other personal data. This could be done by cross-checking your face with your social media profile, for example.’

‘The technology can then decide what to do with the information: Are you suspected of something? Are you of interest as a customer? Is there value in monitoring your purchasing behaviour and creating a profile for you? If we have cameras with facial recognition technology everywhere, everything and all of us can be continuously monitored.’

Two exceptions

Facial recognition technology uses biometric data to identify people. The use of facial recognition for security is prohibited in all but two situations.

The first is if the people have given explicit consent for their data to be processed. Here, although the owner of the supermarket claims customers had been warned that the store used facial recognition technology, the customers did not give explicit consent for this.

‘The presumption that silence equals approval does not work here,’ says Verdier. ‘Simply entering the supermarket doesn’t count as giving consent.’

The other exception is if facial recognition technology is necessary for authentication or security purposes, but only in so far as substantial public interest is concerned. The supermarket claims that this is the case. The DPA considers that it is not.

‘The only example that the law gives is for the security of a nuclear power plant,’ explains Verdier. ‘The bar is therefore very high. Preventing shoplifting is of a completely different magnitude than preventing a nuclear disaster.’

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl


Dutch DPA imposes order subject to penalty on health insurer CZ

Following an investigation, the Dutch Data Protection Authority (DPA) found that the way health insurer CZ handled applications for prior approval of treatment was in breach of the General Data Protection Regulation (GDPR). According to the DPA’s investigation, in a number of cases CZ processed more medical data than was necessary for the assessment of applications for the reimbursement of costs for rehabilitation care. The applications in question were from insured persons who required specialised medical rehabilitation, following a complex fracture or due to a motor disorder for example. For this breach of privacy legislation, the DPA has imposed an order subject to penalty on CZ.

To cover specialised medical rehabilitation, health insurer CZ requires insured persons to apply for prior approval (authorisation requirement). CZ can set additional conditions for such approval.

Twelve insured persons requested that the DPA take enforcement action against CZ. They argued that CZ had processed too much personal data – including sensitive personal data – when assessing their applications for rehabilitation care.

In breach of privacy legislation (GDPR)

The DPA found that, when assessing the applications of four insured persons, CZ processed more medical data than was necessary and was therefore in breach of the GDPR. According to the DPA’s investigation, CZ’s policy led to more personal data being provided than was necessary for such an assessment.

CZ appealed against the DPA’s decision. The DPA and CZ have, however, also already made a number of agreements, and CZ has taken several measures as a result, such as deleting from its systems the data in question of the twelve insured persons and removing the policy document on applications for prior approval from its website.

When assessing applications for prior approval for specialised outpatient medical rehabilitation, CZ will determine on a case-by-case basis whether additional data is necessary. This will be based on the information that is required according to professional frameworks and the position of the National Health Care Institute.

CZ and the DPA will continue to discuss possible adjustments to the way applications for prior approval are handled, to ensure it is in compliance with the GDPR.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl


Polish DPA: University Fined for the lack of Data Breach Notifications

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 25 000 (over EUR 5 850) on the Medical University of Silesia, as there was a data protection breach at the university, of which the controller should notify not only the supervisory authority but also the persons affected by the incident.

Besides the imposed fine, the supervisory authority also ordered the university to notify the persons affected by the breach, which occurred in connection with examinations conducted in the form of a videoconference on a dedicated e-learning platform.

Signals that a data protection breach had occurred at the Medical University of Silesia reached the UODO in early June 2020. The information and the description of the complaint allowed the Office to conclude that students were identified during the examinations held at the end of May 2020 in the form of a video conference. After the end of the examination, the recordings were available not only to the examined people but also to others who had access to the system. Moreover, by using a direct link, any third party could gain access to the examination recordings and to the examined students' personal data presented during identification.

Because the information indicated that there could have been a high risk to the rights and freedoms of the persons who took the examination, the UODO asked the data controller to clarify the situation. In reply to the letter, the controller argued that it was not necessary to notify the Office in connection with the breach, as in its opinion the risk to the rights or freedoms of the persons affected by the incident was low. Furthermore, after this incident, the system was modified so that files with the recorded course of examinations could not be shared by mistake. The controller also indicated that it had identified the persons who downloaded the examination file and notified them of their responsibility for using these data.

However, the university has still not notified the data breach to the supervisory authority and has not notified the persons affected by this incident. It did not do so despite another letter from the UODO that indicated the situations in which a data breach should be notified to the supervisory authority and the affected persons should also be notified of the incident. Therefore, an administrative proceeding was instituted. In its course, it was established that the breach occurred because one of the employees, after the completed examination on the e-learning platform, did not close access to the virtual room in which the test was held. As a result, the examination recordings could be downloaded. Since the students were identified before the examination on the basis of their identity cards or student IDs, a range of their personal data was captured in the recordings. Depending on the type of identity card or student ID used, the scope of data differed for individual affected persons. In some cases, however, it included, e.g., an image, a PESEL number (personal identification number), an identity document number or album number, a name and surname, and an address of residence. Also, due to the breach, unauthorised persons could view other data such as the year of study, the group, the field of study, information about the subject being taken or the answers given during the examination.

The Office found that the data breach had occurred, and that the controller had failed to comply with its obligations to notify both the supervisory authority and the persons affected by the breach of this fact. Such obligations arise when, due to the breach, there is a high risk to the rights or freedoms of the persons affected (e.g. the danger that obligations are incurred in a person's name using their data). The controller had, therefore, incorrectly assessed the risk involved.
In its decision, the UODO also indicated that it does not matter, as the controller claims, that the file with the course of the examination was downloaded by only 26 persons, since there is no certainty that it will not be passed on further to unauthorised persons.

In the Office's opinion, the responsibility for these data lies with the controller, and not with the persons who downloaded the file with the course of the examination after it had finished. It was due to the controller's negligence that a breach occurred, resulting in a high risk for students' rights and freedoms.
The supervisory authority welcomed the changes implemented on the e-learning platform, which prevent students from downloading files with examinations. These changes will help avoid similar situations in the future.
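The access-control failure described above, modelled as an added illustration (constructed here, not the university's or the platform's code): a room left open after the exam lets any holder of the direct link fetch the recording, while the hardened version checks the requester's identity and role on every request, keeps a download log for later incident handling, and closes expired rooms on a schedule instead of relying on a manual step. All names, identifiers and timestamps are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ExamRoom:
    """One video-conference examination room and its recording (constructed model)."""
    room_id: str
    examiner: str
    examinees: frozenset[str]
    ends_at: datetime
    recording_id: str
    closed: bool = False   # the manual step that was forgotten in the incident


@dataclass
class Platform:
    rooms: dict[str, ExamRoom]
    # (time, requester, recording, served): lets the controller establish who
    # downloaded what, as the university did when tracing the 26 downloads.
    download_log: list = field(default_factory=list)

    def _room_for(self, recording_id: str) -> Optional[ExamRoom]:
        for room in self.rooms.values():
            if room.recording_id == recording_id:
                return room
        return None

    def fetch_vulnerable(self, recording_id, requester, now):
        """Before: the direct link is the only credential. Whether the file is
        served depends solely on whether someone remembered to close the room;
        the requester's identity (or the absence of one) is never checked."""
        room = self._room_for(recording_id)
        if room is None or room.closed:
            return False
        self.download_log.append((now, requester, recording_id, True))
        return True

    def fetch_hardened(self, recording_id, requester, now):
        """After: an authenticated principal is required, the decision is made
        server-side on every request, and only the examiner may retrieve the
        recording (students cannot download examination files at all)."""
        room = self._room_for(recording_id)
        if room is None or requester is None:
            return False          # anonymous link holders get nothing
        served = requester == room.examiner
        self.download_log.append((now, requester, recording_id, served))
        return served

    def close_expired_rooms(self, now):
        """Scheduled job replacing the manual 'close the room' step: any room
        whose exam has ended is closed automatically."""
        closed = []
        for room in self.rooms.values():
            if not room.closed and now >= room.ends_at:
                room.closed = True
                closed.append(room.room_id)
        return closed


def run_scenario():
    """Constructed scenario: an exam that ended at 12:00 UTC whose room was never
    closed, followed three hours later by a request from each kind of requester."""
    exam_end = datetime(2020, 5, 29, 12, 0, tzinfo=timezone.utc)
    later = exam_end + timedelta(hours=3)
    room = ExamRoom(room_id="room-anatomy-1", examiner="examiner-01",
                    examinees=frozenset({"s1001", "s1002"}),
                    ends_at=exam_end, recording_id="rec-7f3a")
    platform = Platform(rooms={room.room_id: room})
    r = {}
    # Before the fix: anyone holding the link gets the file, identified or not.
    r["vuln_anonymous"] = platform.fetch_vulnerable("rec-7f3a", None, later)
    r["vuln_other_student"] = platform.fetch_vulnerable("rec-7f3a", "s2042", later)
    # After the fix: identity and role are enforced regardless of room state.
    r["hard_anonymous"] = platform.fetch_hardened("rec-7f3a", None, later)
    r["hard_other_student"] = platform.fetch_hardened("rec-7f3a", "s2042", later)
    r["hard_examinee"] = platform.fetch_hardened("rec-7f3a", "s1001", later)
    r["hard_examiner"] = platform.fetch_hardened("rec-7f3a", "examiner-01", later)
    # The scheduled close removes the dependency on a human remembering.
    r["auto_closed"] = platform.close_expired_rooms(later)
    r["vuln_after_auto_close"] = platform.fetch_vulnerable("rec-7f3a", None, later)
    r["log_entries"] = len(platform.download_log)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```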

The President of the Office, while imposing the fine for not notifying the supervisory authority and not informing the persons whom the incident concerned, took into account, among other things, the duration of the breach (several months passed from the breach to the issuing of the decision), the intentional action of the controller, who decided not to notify the breach and not to inform the students about it, and the unsatisfactory cooperation of the controller with the authority (the controller did not notify the breach despite the letters sent and the proceedings initiated).

The imposed fine will fulfil not only a repressive but also a preventive function, as it shows that one cannot neglect the obligations that arise in connection with a personal data breach. This is especially so given that an inappropriate approach to the obligations imposed by the GDPR may lead to adverse effects for the persons affected by the breaches.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl


Norwegian DPA: Intention to issue € 10 million fine to Grindr LLC

The Norwegian Data Protection Authority has notified Grindr LLC (Grindr) that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the GDPR rules on consent.

- Our preliminary conclusion is that Grindr has shared user data with a number of third parties without legal basis, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Grindr is a location-based social networking app for gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr.

Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.

- The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Invalid consents

The Norwegian Data Protection Authority considers that as a general rule, consent is required for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering. The same applies where a commercial app wishes to share data concerning users’ sexual orientation.

Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties. Furthermore, the information about the sharing of personal data was not properly communicated to users. We consider that this was contrary to the GDPR requirements for valid consent.

- Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away, Thon added.

Could result in highest Norwegian DPA fine to date

An administrative fine should be effective, proportionate and dissuasive.

- We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease, Thon emphasised.

We have based our calculations on a conservative estimate of Grindr’s worldwide annual turnover, according to which the turnover approaches € 100 000 000. This means that our proposed fine will constitute approximately 10 % of the company’s turnover.

Applicability of the GDPR

Although Grindr does not have any establishments within the EEA, the company is subject to the GDPR by virtue of its Article 3.2. Pursuant to this provision, the GDPR applies to controllers that offer goods or services to, or that monitor the behaviour of, people in the EEA.

Our investigation has focused on the consent mechanism in place from when the GDPR became applicable until April 2020, when Grindr changed how the app asks for consent. We have not to date assessed whether the subsequent changes comply with the GDPR.

Not a final decision

The document we have issued to Grindr is a draft decision. Grindr has been given the opportunity to comment on our findings by 15 February 2021. We will make our final decision once we have assessed any remarks the company may have.

Our draft decision concerns the free version of the Grindr app.

The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.

You can read the press release on the Norwegian DPA's website here.

For more information, please contact the Norwegian DPA: International@datatilsynet.no

