Datainspektionen på Åland (Data Protection Authority of Åland)

Datainspektionen på Åland is responsible for data protection in the public administration of Åland. The Swedish Data Protection Authority (Datainspektionen) changed its name at the turn of the year and is now called the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten). See imy.se for details.

European Data Protection Board

Spanish DPA imposes fine on Telefónica Móviles España

 

The Spanish Data Protection Authority (AEPD) imposed a fine of EUR 75,000 on Telefónica Móviles España, S.A.U., for unlawfully processing the claimant's personal data by charging them several invoices that corresponded to a third person.

The claimant, who was not a client of the company, contacted the controller in order to try to resolve the situation, without success. The controller stated that the invoices charged were eventually not paid, and that the processing activity had been carried out by the bank.

The AEPD considered that Telefónica Móviles España, S.A.U., violated Article 6(1) of the GDPR, by processing the claimant's personal data without any lawful basis, and consequently fined the controller. 

For further information, please contact the Spanish DPA: prensa@aepd.es

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Swedish SA fines Board of Education in the City of Stockholm

The Swedish Data Protection Authority has reviewed the so-called School Platform, the IT system used for, among other things, student administration in the schools of the City of Stockholm. The review shows an insufficient level of security of such a serious nature that the authority issues an administrative fine of four million SEK against the Board of Education in the City of Stockholm.

The Swedish Data Protection Authority has received a number of personal data breach notifications from the City of Stockholm's Board of Education. The incidents all relate to the School Platform, which is the IT system used for, among other things, student administration in Stockholm. The School Platform contains information on up to 500,000 pupils, guardians and teachers. The system contains sensitive data, including special categories of personal data, as well as information about pupils and teachers with classified information or a protected identity.

The DPA has reviewed four subsystems in the School Platform and has found serious shortcomings. In one of the subsystems, deficiencies in the ability to restrict users' access to data have allowed large parts of the staff to access information about students with a protected identity. In another subsystem, guardians have been able to access information on other people's children, concerning for example grades and evaluation talks, in a relatively easy way. Through Google's search engine, it has been possible to find login links to an administration interface in which information about teachers with a protected identity has been accessible.

"In an IT system like this, large amounts of personal data are processed. For such systems it is extremely important that the controller has put in place sufficient security measures in order to protect the data and, furthermore, to ensure continuous evaluation of the level of protection," says Ranja Bunni, a lawyer at the Swedish Data Protection Authority who participated in the investigation.

In its decision, the Swedish Data Protection Authority finds that the Education Board has not ensured that the personal data in question is processed securely. The Board has failed to take adequate technical and organisational measures to ensure a level of security appropriate in relation to the risk, including a procedure for regularly testing, examining and evaluating the effectiveness of the technical measures in place.

The Swedish Data Protection Authority issues an administrative fine of four million SEK for the concluded infringements. In Sweden, the maximum amount for administrative fines against public authorities is 10 million SEK.

"According to the General Data Protection Regulation, GDPR, administrative fines must be effective, proportional and dissuasive. In this case, the infringements have affected several hundred thousand data subjects, including children and pupils, and also involve deficiencies in the handling of sensitive and special categories of personal data, such as data regarding persons with protected identity and health data," says Salli Fanaei, who also participated in the Swedish Data Protection Authority's investigation.

To read the original press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se


European Data Protection Board - 42nd Plenary session: Presentation of two new sets of SCCs & EDPB adopts statement on ePrivacy Regulation

Brussels, 20 November - On November 19th, the EDPB met for its 42nd plenary session. During the plenary, the European Commission presented two new sets of draft Standard Contractual Clauses (SCCs) and the EDPB adopted a statement on the future ePrivacy Regulation.
 
The European Commission presented two sets of draft SCCs: one for contracts between controllers and processors, and another for data transfers outside the EU. The draft controller-processor SCCs are entirely new and have been developed by the Commission in accordance with Art. 28(7) GDPR and Art. 29(7) of Regulation 2018/1725. These SCCs will have EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors. In addition, the Commission presented another set of SCCs for the transfer of personal data to third countries pursuant to Art. 46(2)(c) GDPR. These SCCs will replace the existing SCCs for international transfers, which were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements and with the CJEU's 'Schrems II' ruling, and to better reflect the widespread use of new and more complex processing operations that often involve multiple data importers and exporters. The Commission has requested a joint opinion from the EDPB and the EDPS on the implementing acts for both sets of SCCs.
 
EDPB Chair Andrea Jelinek said: “The new SCCs for the transfer of personal data to third countries have been highly anticipated, and it is important to point out that they are not a catch-all solution for data transfers post-Schrems II. While the updated SCCs are an important piece of the puzzle and a very important development, data exporters should still make the puzzle complete. The step-by-step approach of the EDPB recommendations on supplementary measures is necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. Together with the EDPS, the Board will now thoroughly draft a joint opinion on the two sets of draft SCCs as invited by the European Commission.”
 
Recommendations 1/2020 on supplementary measures: During the plenary, the Members of the Board decided to extend the deadline for the public consultation on the Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data from 30 November 2020 until 21 December 2020.

The EDPB adopted a statement on the future ePrivacy Regulation and the future role of supervisory authorities and the EDPB in this context. The EDPB expressed concerns about some new orientations in the Council's discussions concerning the enforcement of the future ePrivacy Regulation, which could lead to fragmented supervision, procedural complexity, and a lack of consistency and legal certainty for individuals and companies. The EDPB underlines that many of the provisions of the future ePrivacy Regulation concern the processing of personal data and that many provisions of the GDPR and the ePrivacy Regulation are closely intertwined. Consistent interpretation and enforcement of both sets of rules, where they cover personal data protection, would therefore be achieved most efficiently if the enforcement of those parts of the ePrivacy Regulation and of the GDPR were entrusted to the same authority.

EDPB Chair Andrea Jelinek added: "The oversight of personal data processing activities under the ePrivacy Regulation should be entrusted to the same national authorities that are responsible for the enforcement of the GDPR. This will ensure a high level of data protection, guarantee a level playing field and ensure a harmonised interpretation and enforcement of the personal data processing elements of the ePrivacy Regulation across the EU."
 
The EDPB also stressed the need to adopt the new Regulation as soon as possible.
 
The EDPB added that this statement is without prejudice to the Board's previous positions, including its statements of March 2019 and May 2018, and reiterated that the future ePrivacy Regulation should under no circumstances lower the level of protection offered by the current ePrivacy Directive, and should complement the GDPR by providing additional strong guarantees for the confidentiality and protection of all types of electronic communications.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_19

Aggressive telemarketing practices: Vodafone fined over 12 million Euro by Italian DPA

The Italian data protection supervisory authority (Garante per la protezione dei dati personali) ordered Vodafone to pay a fine in excess of Euro 12,250,000 on account of having unlawfully processed the personal data of millions of users for telemarketing purposes. As well as having to pay the fine, the company is required to implement several measures set out by the Garante in order to comply with national and EU data protection legislation.

This decision marks the final step in a complex proceeding that the Garante had initiated following hundreds of complaints and alerts submitted by users against unsolicited phone calls made by Vodafone and/or the company’s sales network in order to promote telephone and Internet services.

The investigations carried out by the Garante brought to light serious shortcomings of a 'structural' nature, relating not only to violations of consent requirements but also of key principles such as accountability and data protection by design as set forth in the EU GDPR. These shortcomings could be traced back to the processing activities performed both in respect of Vodafone's customer database and, more broadly, with regard to prospective users of electronic communications services.

More specifically, one of the most worrying findings of the investigations was the use of fake telephone numbers, or numbers that were not registered with the ROC (the National Consolidated Registry of Communication Operators), to place the marketing calls. This practice had been flagged by Vodafone itself and is seemingly related to a shady set of unauthorised call centres that carry out telemarketing activities in utter disregard of personal data protection legislation.

Additional violations were established in the handling of contact lists purchased from external providers. Those lists had been obtained by Vodafone business partners from other companies and had been transferred to Vodafone without the users' required free, informed and specific consent.

The security measures protecting the customer relationship management (CRM) database were also found to be inadequate. In this respect, several complaints and alerts had been submitted to the Garante by customers who had been contacted by operators purporting to act on Vodafone's behalf and requesting that identity documents be sent to them via WhatsApp, quite likely for purposes related to spamming, phishing or other fraudulent activities.

Taking account of the infringements found in the course of the proceeding, the Italian Garante imposed a fine amounting to Euro 12,251,601.00.

Further, the Garante ordered Vodafone to implement systems to demonstrate that processing for telemarketing purposes complies with consent requirements. Vodafone will additionally be required to provide proof that contracts are activated only following telemarketing calls placed by its own sales network through numbers that are registered with the ROC. The company will have to implement stronger security measures to prevent unauthorised access to the customer database, and it was also ordered to reply in full to certain data subject rights requests.

Finally, the Garante banned Vodafone from further processing data for marketing or commercial purposes where such data are acquired from third parties that have not obtained the users’ free, specific, and informed consent to data disclosure.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it


EDPB Stakeholder Workshop on Legitimate Interest

Registration is now open

On November 27 the EDPB is organising a remote stakeholder workshop on the topic of Legitimate Interest. Representatives from, among others, individual companies, sector organisations, NGOs, law firms and academia are welcome to express interest in attending.

REGISTER HERE: https://ec.europa.eu/eusurvey/runner/03c20d6b-85a3-1839-0753-a145f27fc634

Places will be allocated on a first come, first served basis, depending on availability. We will contact your organisation in case your registration has been successful.

Detailed information and the programme of the event will be available shortly.

As we would like to have a balanced and representative audience, participation will be limited to one participant per organisation.

When? November 27th 2020, from 10:00 - 16:00

European Data Protection Board - 41st Plenary session: EDPB adopts recommendations on supplementary measures following Schrems II

Brussels, 11 November - During its 41st plenary session, the European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.

Both documents were adopted as a follow-up to the CJEU's ruling in Schrems II. As a result of the ruling of 16 July, controllers relying on standard contractual clauses are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection for the transferred personal data that is essentially equivalent to that guaranteed in the European Economic Area (EEA). The Court accepted that exporters may add measures that supplement the standard contractual clauses in order to ensure effective compliance with that level of protection where the safeguards contained in the standard contractual clauses are not sufficient.

The recommendations aim to help controllers and processors acting as data exporters with their obligation to identify and implement appropriate supplementary measures where these are needed to ensure an essentially equivalent level of protection for the data they transfer to third countries. In doing so, the European Data Protection Board seeks a consistent application of the General Data Protection Regulation and the Court's ruling across the EEA.

Andrea Jelinek, Chair of the European Data Protection Board, said: "The European Data Protection Board is acutely aware of the consequences of the Schrems II ruling for thousands of companies in the EU and of the important responsibility it places on data exporters. The European Data Protection Board hopes that these recommendations can help data exporters identify and implement effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the transferred data is afforded a level of protection essentially equivalent to that guaranteed within the EEA."

The recommendations contain a roadmap of the steps data exporters must take to find out whether they need to put supplementary measures in place to be able to transfer data outside the EEA in accordance with EU law, and help them identify which such measures could be effective. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require in order to be effective.

Ultimately, however, exporters are responsible for making the concrete assessment on the basis of the transfer, the law of the third country and the transfer tool they rely on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable for the decisions they take on that basis, in line with the principle of accountability in the General Data Protection Regulation. Moreover, data exporters should be aware that it may not be possible to implement sufficient supplementary measures in every individual case.

The recommendations on the supplementary measures will be submitted to public consultation. They will apply immediately upon their publication.

In addition, the European Data Protection Board adopted recommendations on the European Essential Guarantees for surveillance measures. The recommendations on the European Essential Guarantees complement the recommendations on supplementary measures. The European Essential Guarantees recommendations give data exporters a basis for determining whether the legal framework governing public authorities' access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and to the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool that the data exporter and data importer rely on.

The Chair added: "The consequences of the Schrems II ruling extend to all transfers to third countries. There are therefore no quick fixes or one-size-fits-all solutions for all transfers, as this would ignore the wide diversity of situations that data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures, bearing in mind the legal order of the third countries to which they transfer or intend to transfer data."

The EEA supervisory authorities will continue to coordinate their actions within the European Data Protection Board to ensure a consistent application of EU data protection law.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_18

European Data Protection Board - 41st Plenary session: EDPB adopts recommendations on supplementary measures following Schrems II

 

Brussels, 11 November - During its 41st plenary session, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. 

Both documents were adopted as a follow-up to the CJEU's 'Schrems II' ruling. As a result of the ruling on July 16th, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA). The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.

The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA. 

EDPB Chair, Andrea Jelinek said: “The EDPB is acutely aware of the impact of the Schrems II ruling on thousands of EU businesses and the important responsibility it places on data exporters. The EDPB hopes that these recommendations can help data exporters with identifying and implementing effective supplementary measures where they are needed. Our goal is to enable lawful transfers of personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the EEA.”  

The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective. 

However, in the end data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on. Data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, data exporters should know that it may not be possible to implement sufficient supplementary measures in every case.

The recommendations on the supplementary measures will be submitted to public consultation. They will be applicable immediately following their publication. 

In addition, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. The recommendations on the European Essential Guarantees are complementary to the recommendations on supplementary measures. The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on.

The Chair added: “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data.”

The EEA data protection supervisory authorities will continue coordinating their actions in the EDPB to ensure consistency in the application of EU data protection law. 

The agenda of the forty-first plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.


EDPB_Press Release_2020_18
 

EDPB adopts first Art. 65 decision

Brussels, 10 November - During its 41st plenary session, the EDPB adopted, by a 2/3 majority of its members, its first dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the dispute that arose following a draft decision issued by the Irish SA, as lead supervisory authority (LSA), regarding Twitter International Company and the subsequent relevant and reasoned objections (RROs) expressed by a number of concerned supervisory authorities (CSAs).

The Irish SA issued the draft decision following an own-volition inquiry and investigations into Twitter International Company, after the company notified the Irish SA of a personal data breach on 8 January 2019. In May 2020, the Irish SA shared its draft decision with the CSAs in accordance with Art. 60(3) GDPR. The CSAs then had four weeks to submit their RROs. Among others, the CSAs issued RROs on the infringements of the GDPR identified by the LSA, the role of Twitter International Company as the (sole) data controller, and the quantification of the proposed fine.

As the LSA rejected the objections and/or considered that they were not "relevant and reasoned", it referred the matter to the EDPB in accordance with Art. 60(4) GDPR, thereby initiating the dispute resolution procedure.

Following the submission by the LSA, the completeness of the file was assessed, resulting in the formal launch of the Art. 65 procedure on 8 September 2020. In compliance with Article 65 (3) GDPR and in conjunction with Article 11.4 of the EDPB Rules of Procedure, the default adoption timeline of one month was extended by a further month because of the complexity of the subject matter. 

On 9 November 2020, the EDPB adopted its binding decision and will shortly notify it formally to the Irish SA. 

The Irish SA shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision. The LSA and CSAs shall notify the EDPB of the date the final decision was notified to the controller. Following this notification, the EDPB will publish its decision on its website.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_17

Norwegian DPA fines Odin Flissenter for performing a credit check of a sole proprietorship without having a lawful basis for the processing

The Norwegian Data Protection Authority has issued Odin Flissenter AS (Tile distributor) an administrative fine of EUR 13 905 (NOK 150 000) for performing a credit check of a sole proprietorship without having a lawful basis for the processing. 

The background of the fine was a person filing a complaint that Odin Flissenter had performed a credit check of a sole proprietorship that did not have a customer relationship or any other connection to the company. 

The amount of the fine has been somewhat reduced compared to the notification to impose an administrative fine, because of the economic consequences that Covid-19 has had on the company. 

Credit information about a sole proprietorship is regarded as personal data, as the owner is directly identified with the enterprise and the information is directly linked to the owner's private finances.

Credit ratings are built on a compilation of personal data from several different sources and show a score indicating the probability that a person or a sole proprietorship will be able to pay its debts. The credit rating will also show details about the finances of the enterprise, such as payment remarks, voluntary security interests (collateral), and debt-to-equity ratio.

In our evaluation of the case, we have emphasised the private character of the personal data, seeing that the data is closely linked to the private finances of the owner, and that the complainant's privacy protection weighs heavily when this kind of personal data is being processed. We have further emphasised that the data was also collected for purposes completely outside the company's line of business.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


European Data Protection Board - 40th Plenary session: Guidelines on Data Protection by Design & Default, Coordinated Enforcement Framework, Letter on Copyright Directive 

Brussels, 21 October - On October 20th, the EDPB met for its 40th plenary session. During the plenary, a wide range of topics was discussed. 

Following public consultation, the EDPB adopted a final version of the Guidelines on Data Protection by Design & Default. The guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) as set forth in Art. 25 GDPR. The core obligation enshrined in Art. 25 is the effective implementation of the data protection principles and of data subjects' rights and freedoms by design and by default. This means that controllers have to implement appropriate technical and organisational measures and the necessary safeguards, designed to give effect to the data protection principles in practice and to protect the rights and freedoms of data subjects. In addition, controllers should be able to demonstrate that the implemented measures are effective.

The Guidelines also contain guidance on how to effectively implement the data protection principles in Article 5 GDPR, listing key design and default elements, as well as practical cases for illustration. They further provide recommendations on how controllers, processors and producers can cooperate to achieve DPbDD.

The final guidelines integrate updated wording and further legal reasoning in order to address comments and feedback received during the public consultation.

The EDPB decided to set up a Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities (SAs). The objective of the CEF is to facilitate joint actions in a flexible and coordinated manner, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations. The purpose of recurring annual coordinated actions is to promote compliance, to empower data subjects to exercise their rights and to raise awareness. 

The EDPB adopted a letter in response to the Europäische Akademie für Informationsfreiheit und Datenschutz concerning the data protection implications of Art. 17 of the Copyright Directive, in particular concerning upload filters. In the letter, the EDPB states that any processing of personal data for the purpose of upload filters must be proportionate and necessary and that, as far as possible, no personal data should be processed when Art. 17 Copyright Directive is implemented. Where the processing of personal data is necessary, such as for the redress mechanism, such data should only concern data necessary for this specific purpose, while applying all the other principles of the GDPR. The EDPB further highlighted that it is in continuous exchange with the European Commission on this topic and that it has indicated its availability for further collaboration.

You can read the agenda of the EDPB's fortieth plenary here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.


EDPB_Press Release_2020_16

Lithuanian DPA imposes fine for improperly processed personal data of the parents of an adopted child

The State Data Protection Inspectorate, the personal data protection supervisory authority of the Republic of Lithuania, has punished Vilnius City Municipality Administration for infringements of the General Data Protection Regulation. A fine in the amount of EUR 15,000 has been imposed for improperly processed personal data of the parents of an adopted child.

The State Data Protection Inspectorate (hereinafter referred to as the “SDPI”) imposed an administrative fine in the amount of EUR 15,000 on Vilnius City Municipality Administration (hereinafter referred to as the “Municipality Administration”) for infringements of the General Data Protection Regulation (hereinafter referred to as the “GDPR”). The fine was imposed for infringements of Articles 5(1)(d) and 5(1)(f) of the GDPR, i.e. a failure to implement appropriate technical and organisational measures, thus, failing to ensure the accuracy of processed personal data when processing personal data of the parents of the adopted child.

Having carried out an investigation, the SDPI determined the following. When filling in an application for the education of the adopted child in the Centralised Application Submission and Population Information System (hereinafter referred to as the “IS”) of the Municipality Administration, the applicant indicated his own data. However, under the agreement between the Municipality Administration and the State Enterprise Centre of Registers, the data in the IS is automatically updated on a monthly basis. During such an automatic update, the applicant's contact personal data was replaced with the contact data (e-mail address) of one of the child's biological parents, as available in the Population Register of the Republic of Lithuania (hereinafter referred to as the “Population Register”).

When processing personal data, the Municipality Administration must follow the principle of accuracy which provides for that the data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Article 5(1)(d) of the GDPR), and the principle of integrity and confidentiality providing for that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) of the GDPR).

In its decision imposing the fine on the Municipality Administration, the SDPI pointed out that contact personal data such as an e-mail address, whether or not it is recorded in the Population Register, may be changed by the person at any time; only the data subject should change it, and the data controller should not arbitrarily update it on the basis of information held by the State Enterprise Centre of Registers. Moreover, in this case there were no grounds for concluding that the applicant's contact data had been obtained from the Population Register at all, since the update was based not on the applicant's data held by the State Enterprise Centre of Registers but on the child's data, although it is the applicant, not the child, who is a party to the education agreement. Thus, by processing the e-mail address of a third party (one of the child's biological parents) as the applicant's contact data, the Municipality Administration failed to implement appropriate organisational and technical measures, failed to ensure the principle of accuracy of the personal data processed, and breached Articles 5(1)(d) and 5(1)(f) of the GDPR.
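The failure mode described in the decision above is a general one for any system that refreshes its records from an external registry: a scheduled sync keyed on the wrong subject silently overwrites data the data subject supplied. The following Python sketch is an added illustration, not code from the SDPI decision or from the Municipality Administration's IS; all record identifiers, field names and sample values are constructed for the example. It places the defective refresh pattern beside a hardened one that keys the lookup on the party to the agreement, refreshes only fields the registry is authoritative for, and records discrepancies for review instead of overwriting applicant-supplied contact data.

```python
"""Contact-data refresh that preserves applicant-supplied fields.

Added illustration of the failure mode in the SDPI decision: a scheduled
registry sync replaced the applicant's e-mail address with an address taken
from a different person's registry entry. All names, field names and sample
values here are constructed for the example, not taken from the case.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Fields the applicant provides for this application (constructed set). The
# registry is not authoritative for them, so a sync must never overwrite them.
APPLICANT_OWNED_FIELDS = {"email", "phone"}

# Fields the population registry is authoritative for (constructed set).
REGISTRY_OWNED_FIELDS = {"legal_name", "registered_address"}


@dataclass
class Application:
    applicant_id: str
    child_id: str
    fields: Dict[str, str]
    # field name -> "applicant" or "registry", recorded when the value was set
    provenance: Dict[str, str] = field(default_factory=dict)


def naive_refresh(app: Application, registry: Dict[str, Dict[str, str]]) -> Application:
    """The defective pattern: copy contact data keyed on the child's record.

    Whatever e-mail is attached to the child's registry entry replaces the
    applicant's own address, with no record of where the value came from.
    """
    child_record = registry[app.child_id]
    for name, value in child_record.items():
        if value:
            app.fields[name] = value
            app.provenance[name] = "registry"
    return app


def safe_refresh(app: Application, registry: Dict[str, Dict[str, str]],
                 audit: List[str]) -> Application:
    """Refresh only registry-owned fields, keyed on the party to the agreement.

    - looks up the applicant, not the child, because the applicant is the party
    - never overwrites applicant-supplied contact fields
    - logs a discrepancy so the data subject can be asked to confirm which
      value is current (accuracy principle, Art. 5(1)(d) GDPR)
    """
    record = registry.get(app.applicant_id)
    if record is None:
        audit.append(f"{app.applicant_id}: no registry record, refresh skipped")
        return app
    for name, value in record.items():
        if not value:
            continue
        if name in APPLICANT_OWNED_FIELDS:
            if app.fields.get(name) and app.fields[name] != value:
                audit.append(f"{app.applicant_id}: registry {name} differs from "
                             f"applicant-supplied value; not overwritten")
            continue
        if name in REGISTRY_OWNED_FIELDS:
            app.fields[name] = value
            app.provenance[name] = "registry"
        else:
            audit.append(f"{app.applicant_id}: ignored unexpected registry field {name}")
    return app


# Constructed registry extract: the child's entry carries a biological parent's
# e-mail, and the applicant's own entry carries a stale address.
SAMPLE_REGISTRY = {
    "child-001": {"legal_name": "Child Example",
                  "email": "parent.bio@example.invalid"},
    "applicant-001": {"legal_name": "Applicant Example",
                      "registered_address": "1 Example St",
                      "email": "old@example.invalid"},
}


def make_application() -> Application:
    """Constructed application in which the applicant typed their own e-mail."""
    return Application(applicant_id="applicant-001", child_id="child-001",
                       fields={"email": "applicant@example.invalid"},
                       provenance={"email": "applicant"})


def run_comparison():
    """Run both refresh strategies on the same constructed input."""
    naive = naive_refresh(make_application(), SAMPLE_REGISTRY)
    audit: List[str] = []
    safe = safe_refresh(make_application(), SAMPLE_REGISTRY, audit)
    return (naive.fields["email"], safe.fields["email"],
            safe.fields.get("registered_address"), audit)


if __name__ == "__main__":
    naive_email, safe_email, address, audit = run_comparison()
    print("naive refresh e-mail:", naive_email)   # the third party's address
    print("safe refresh e-mail: ", safe_email)    # the applicant's own address
    print("refreshed address:   ", address)
    print("audit:", audit)
```

The provenance map is the piece worth keeping: when every field records whether the data subject or a registry supplied it, a later sync can be restricted to registry-sourced fields mechanically, and a discrepancy in a subject-owned field becomes a ticket for the data subject rather than a silent overwrite.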

When deciding on the amount of the administrative fine, the SDPI has considered all circumstances relevant to holding the Municipality Administration liable, for example:

- Although, in the case in question, the infringement committed by the Municipality Administration concerned specific individuals (applicants), it was not accidental and would have occurred for any person in the same circumstances, owing to the technical and organisational measures improperly applied by the Municipality Administration when processing personal data;

- Data concerning the adoption of the child, which is particularly sensitive data, and his further education have been disclosed;

- The infringement has been committed through negligence;

- The Municipality Administration repeatedly committed the infringement; in 2019 a reprimand was imposed on the Municipality Administration for a similar infringement (improper implementation of organisational and technical measures failing to ensure the principle of accuracy of personal data when processing personal data of the adopted child in the IS of the Municipality Administration).

When imposing the fine on the Municipality Administration, the amount of the budget of the current year and other comprehensive annual income received last year was also taken into account.

The afore-mentioned decision of the SDPI is not yet in force and may be appealed against before the court.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt


Norwegian Data Protection Authority: Decision to Fine Bergen Municipality

The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.

In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality's new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or app. The municipality had not established nor communicated the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use.

This spring, the municipality was notified of the Data Protection Authority's intention to impose an administrative fine, and now the fine has been made final. 

- Bergen municipality has now received the final decision of an administrative fine of EUR 276,000, says Data Protection Authority Director-General Bjørn Erik Thon. The fine was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.


Danger to life and health

The decision emphasized that the municipality had not established nor communicated the necessary guidelines for information about children who have a clear interest in the information about them being processed with the highest degree of confidentiality.

- This applies to children who have registered a confidential or strictly confidential address in the National Register and who belong to a particularly vulnerable group. These children have a high need for protection, and in the extreme, life and health could have been in danger, says Thon.

Personal information that should have been confidential has instead been available to unauthorized persons. In one case, a contact list with information about "confidential address" was distributed to parents at a grade level.

- The risk assessments were inadequate. Among other things, there was no assessment of risk associated with information about relationships between parents and children, Thon emphasizes.

You can read the original press release on the Norwegian DPA website in English here, and in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Thirty-ninth plenary session: EDPB adopts guidelines on the concept of relevant and reasoned objection

Brussels, 12 October - During its 39th plenary session, the EDPB adopted guidelines on the concept of relevant and reasoned objection. The guidelines will contribute to a unified interpretation of the concept, which will help streamline future Art. 65 GDPR procedures. 
 
Within the cooperation mechanism set out by the GDPR, the supervisory authorities (SAs) have a duty to “exchange all relevant information with each other” and cooperate “in an endeavour to reach consensus”. According to Article 60(3) and (4) GDPR, the lead supervisory authority (LSA) is required to submit a draft decision to the concerned supervisory authorities (CSAs), which may then raise a relevant and reasoned objection within a specific timeframe. Upon receipt of a relevant and reasoned objection, the LSA has two options. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism (Art. 65 GDPR). If the LSA, on the contrary, follows the objection and issues a revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks.
 
The guidelines aim to establish a common understanding of the notion ‘relevant and reasoned’, including what should be taken into consideration when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision” (Article 4(24) GDPR).

The agenda to the thirty-ninth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_15

The Belgian Data Protection Authority has issued a warning and reprimand to a regional public environmental institution for wrongful processing of personal data from the National Register. 

The Facts

Three Belgian plaintiffs had lodged a complaint with the Belgian Data Protection Authority against a regional public environmental institution. This institution has the competence to take action in the case of a breach against environmental legislation, for example in the case of littering. The institution could for example fine a citizen when it finds unlawfully placed garbage containing letters with the name of that citizen. Such a fine had been issued to the first plaintiff. 

However, in the decision imposing the fine, the institution also referred to the civil partner of the first plaintiff and to the alleged father-in-law of the first plaintiff. The institution found the name of the civil partner (the second plaintiff), and the link between the two, in the National Register entry of the first plaintiff. The alleged father-in-law (the third plaintiff) had communicated with the institution in order to defend the first plaintiff in the environmental procedure initiated by the institution. The institution had concluded in its decision, based on the family name of the second and the third plaintiff, that there was a family connection between the two.

Decision of the Litigation Chamber

The Litigation Chamber of the Belgian DPA upheld, among other things, that: 

- the mentioning of the name of the second plaintiff, their link to the first plaintiff, as well as the alleged family link between the second and the third plaintiff, based on information retrieved from the National Register, constitutes unlawful processing (article 6.1 GDPR), as the legal ground for the processing activities in this specific context is deemed to be carrying out a task in the public interest (article 6.1.e. GDPR), and this processing in concreto was not necessary to carry out the task (environmental enforcement in a decision to impose a fine on the first plaintiff) in the public interest;

- the mentioning that there is a family connection between the second and the third plaintiff could be incorrect, and is based on assumptions not necessary to mention in a decision by the institution in this concrete context, which means the personal data of all plaintiffs is not processed in accordance with the principles of accuracy and data minimisation (resp. article 5.1.d. and article 5.1.c. GDPR), which means the institution breaches these GDPR provisions.

The Litigation Chamber issued a warning and reprimand to the institution in accordance with article 58.2.a. and 58.2.b GDPR.

In conclusion, it should be noted that the Litigation Chamber of the Belgian DPA cannot impose an administrative fine on a Belgian public institution or any other government body, as this was excluded by the Belgian legislator.

You can find the final decision in Dutch here.

For further information, please contact the Belgian DPA: contact@apd-gba.be 


Hamburg Commissioner Fines H&M 35.3 Million Euro for Data Protection Violations in Service Centre

The Hamburg Commissioner for Data Protection and Freedom of Information imposes a 35.3 Million Euro Fine for Data Protection Violations in H&M's Service Center

In a case concerning the monitoring of several hundred employees of the H&M Service Center in Nuremberg by its management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 Euros against H&M Hennes & Mauritz Online Shop A.B. & Co KG.

The company is registered in Hamburg and operates a service center in Nuremberg. Since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave - even short absences - the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.

This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the contents of the network drive to be "frozen" and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practices after analyzing the data.

The discovery of the serious violations has prompted those responsible to take various corrective measures. The HmbBfDI was presented with a comprehensive concept how data protection is to be implemented at the Nuremberg site from now on. In order to come to terms with the past events, the company management has not only expressly apologized to those affected, it has also followed the suggestion to pay the employees a considerable compensation. This is an unprecedented acknowledgement of corporate responsibility following a data protection incident. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, increasingly communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.

Prof. Dr. Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information, comments: "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.

Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company."

For more information, you can go to the Hamburg Commissioner for Data Protection and Freedom of Information website here, or email them at mailbox@datenschutz.hamburg.de.



Finnish DPA imposes financial sanction on a company due to carrying out electronic direct marketing without prior consent as well as neglecting the rights of the data subject 

Financial sanction on a company due to carrying out electronic direct marketing without prior consent as well as neglecting the rights of the data subject 


The sanctions board of the Finnish Data Protection Ombudsman has imposed an administrative fine on Acc Consulting Varsinais-Suomi (Independent Consulting Oy) for sending electronic direct marketing messages without prior consent as well as neglecting the rights of the data subject. The company did not respond to or implement the requests concerning the rights of data subjects, and it was not able to prove that it had processed personal data legally.


During the spring and summer of 2019, the Office of the Data Protection Ombudsman received eleven complaints on the electronic direct marketing of the company and the company neglecting the rights of the data subject in accordance with the General Data Protection Regulation (GDPR). The topics of direct marketing included various courses, such as hot work and asbestos removal.


Reprimand for the lack of consent for electronic direct marketing
In the complaints, the data subjects reported that they had received direct marketing messages from the company without consenting to it. According to section 200 of the Information Society Code (917/2014), direct marketing may only be directed at natural persons who have given their prior consent. According to Article 4(11) of the EU General Data Protection Regulation (GDPR), the consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes. 


Some of the data subjects have responded to the marketing message sent as an SMS as requested by the controller in order to prohibit direct marketing. Despite the prohibition, the data subjects have still received direct marketing messages from the controller. Therefore, the controller has failed to implement the data subjects’ right to object in accordance with the GDPR. 


In the controller’s view, it has targeted the electronic direct marketing at corporations, to which prior consent does not apply according to the Information Society Act. The controller has stated that the telephone numbers of data subjects were used by the company, in which the data subject works, and that these companies are within the scope of the controllers’ customer segment. 


However, the Deputy Data Protection Ombudsman states that before targeting the direct marketing, the controller should have separately determined the position of the person in question in the corporation and assessed especially whether the marketed courses were significantly linked to the person’s duties. Therefore, the direct marketing by the controller targeted at natural persons cannot be considered to be intended for a corporation, and the controller should have requested the consent of the data subject for the electronic direct marketing. 


The controller has been given a reprimand after it processed personal data without the consent required by the GDPR. In addition, the Deputy Data Protection Ombudsman obliges the controller to correct its operating methods with regard to direct marketing targeted at corporations.


Neglecting the rights of the data subject and failure to comply with accountability
In addition, in some of the complaints, the data subjects had made requests concerning their rights in accordance with the GDPR. However, the controller did not respond to the requests without undue delay and within one month of receiving the request at maximum, as required by the GDPR. The controller has not implemented any requests related to these rights, either. 


According to the Deputy Data Protection Ombudsman, the controller does not seem to have organised its operating methods in processing personal data in such a way that the controller would be able to tell if it has implemented the rights of the data subjects or received requests related to the rights. The Deputy Data Protection Ombudsman states that as a result, the controller was not able to prove that it had processed personal data legally. 


The Deputy Data Protection Ombudsman gave the company a reprimand for neglecting the rights of the data subject and failing to implement them. The Deputy Data Protection Ombudsman also ordered the company to change its operating methods and implement the rights of the data subject in accordance with the GDPR.


A financial sanction was imposed on the company
The sanctions board of the Office of the Data Protection Ombudsman imposed a financial sanction of EUR 7,000 in addition to the corrective measures mentioned above. The sanctions board considers the sanction to be proportionate and to function as an effective deterrent with regard to the nature of the offences.


The following have been taken into account as aggravating factors in the decision: the intentional nature of the act, the number of similar offences over a short period of time, the controller's disinterest in cooperating with the supervisory authority, and the fact that the controller has not demonstrated that it implemented corrective measures with regard to direct marketing and the realisation of the rights of the data subjects while the matter was being resolved.


As a mitigating factor for the amount of the financial sanction, it has been taken into account that during the preparation of the case, it has not been found that the data subjects would have suffered financial or other material damage.


The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.


You can read the decision of the sanctions board on electronic direct marketing and the rights of the data subject in accordance with the GDPR in Finlex (in Finnish) here.
The decisions of the Deputy Data Protection Ombudsman are published in Finlex (in Finnish) here.


The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.

For further information, please contact the Finnish DPA: tietosuoja@om.fi


Norwegian DPA: Decision to fine The Norwegian Public Roads Administration

The Norwegian Data Protection Authority has issued the Norwegian Public Roads Administration a fine of 37,400 EUR (400 000 NOK) for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days. 


The background of the fine is the extensive processing of personal data by using fixed road cameras to monitor contract parties, employees, subvendors and the subvendors’ employees. 


The usage of such recordings for documenting breaches of contract several months after the incidents took place is incompatible with the original purpose, which was to make immediate security measures possible. It is therefore not allowed to use these video recordings to follow up contracts.


When evaluating whether this usage of the video recordings was compatible with the originally stated purpose, the Norwegian Data Protection Authority has emphasized that the new usage is at considerable disadvantage to the contract parties and their employees, and that it is in conflict with how the contract parties can expect the personal data to be used.

You can read the original press release on the Norwegian DPA's website in English here, and in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Polish DPA fines Warsaw University of Life Sciences (SGGW)

The President of the Personal Data Protection Office, after having found a personal data breach by the Warsaw University of Life Sciences (SGGW), imposed a fine on this entity in the amount of PLN 50 000.


Let us remind you that in November 2019 the President of the UODO received a notification of breach of personal data of candidates for studies at SGGW. The notification was related to the theft of a portable private computer of the university employee, who used this device also for business purposes, including the processing of personal data of candidates for studies at SGGW for the purposes of recruitment activities. After an inspection carried out at the university in connection with a data breach, the President of the UODO instituted ex officio administrative proceedings.


On the basis of the evidence collected during the proceedings, the President of the UODO imposed an administrative fine on the university. In deciding on the amount of the fine, the supervisory authority took into account that the personal data breach concerned candidates for studies at SGGW for the last five years, covered a wide range of data and that the number of persons affected could be up to 100 (upper limit). It was also important for establishing the amount of the fine that the controller had no knowledge of the processing of personal data on the employee’s private computer, nor did it control the processing of data by failing to verify on which media the personal data of candidates for studies collected from the IT system were processed and by failing to record this operation in the IT system. The above circumstances indicate a breach of the principle of confidentiality and accountability specified in the GDPR.


It is worth noting that the personal data of candidates for studies from five years of recruitment were still being processed, which was non-compliant with the prescribed storage period for personal data of candidates for studies, specified at SGGW as three months after completion of the recruitment process. This constitutes a breach of the principle of storage limitation provided for in the GDPR.


Moreover, in the course of the conducted proceedings it was established that the university had not implemented appropriate organisational and technical measures to ensure the security of the processing of personal data of candidates for studies.


It is the controller’s obligation to implement appropriate technical and organisational measures to ensure the security of the data processed. These measures should be reviewed and updated on an ongoing basis in line with existing legislation and changing technology. It should be noted here that establishing appropriate technical and organisational measures is a two-step process. First, it is important to identify the level of risk associated with the processing of personal data. Then it is necessary to establish which technical and organisational measures will be appropriate to ensure a level of security appropriate to this risk. Those arrangements should include measures such as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.


In the opinion of the supervisory authority, the measures taken by the university concerning the processing of data of candidates for studies were insufficient.


At the same time, the President of the UODO stated that in the case concerned the Data Protection Officer (DPO) performed their tasks without having due regard to the risk associated with the processing operations. The appointed Data Protection Officer was not involved by the university in the recruitment process for studies, including the functioning of the IT system intended for this activity. The involvement of the DPO could have reduced the risk of inappropriate processing.


When imposing the fine, the President of the UODO took into account attenuating circumstances, such as good cooperation with the supervisory authority both in the course of the inspection and during the administrative proceedings, and the action taken by the university to remedy the infringement and ensure the security of data processing in the future.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: kancelaria@uodo.gov.pl


Hungarian DPA Fines Forbes

The Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information, hereinafter: Authority) imposed a total of 4.5 million forints in data protection fines on Mediarey Hungary Services Zrt. (hereinafter: Publisher), the publisher of the Hungarian Forbes magazine, in two cases.


NAIH/2020/1154

The Authority established in its decision No. NAIH/2020/1154/9 of 23 July 2020 that by not carrying out a proper interest assessment in relation to the printed and on-line versions of the Forbes publication listing the largest family undertakings, published in September 2019, and the printed and on-line versions of the Forbes publication listing the 50 richest Hungarians, published in January 2020, and by failing to inform the Complainants (the data subjects) in advance about the results of weighing the legitimate interests of the Publisher and of a third party (the public) against those of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation.

Furthermore, the Authority established that by not providing adequate information to the Complainants about all the essential circumstances of the data processing and about the Complainants' right to object to the processing of their personal data, and by failing to provide information on the Complainants' possibilities to enforce their rights in its response to the Complainants' requests to exercise their rights as data subjects, the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14, Article 15 and Article 21(4) of the General Data Protection Regulation.


NAIH/2020/838

The Authority established in its decision No. NAIH/2020/838/2 of 23 July 2020 that by not carrying out a proper interest assessment in relation to the printed and on-line versions of the Forbes publication listing the largest family undertakings, published in January 2019, and the printed and on-line versions of the Forbes publication listing the 50 richest Hungarians, published in September 2019, and by failing to inform the Complainants (the data subjects) of the results of weighing the legitimate interests of the Publisher and of a third party (the public) against those of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation.

Furthermore, the Authority established that by not providing adequate information to the Complainants on all the essential circumstances of the processing and on the Complainants' right to object to the processing of their personal data, and by failing, despite the information it had learned, to demonstrate after the objection that the data processing was justified by compelling legitimate grounds overriding the interests, rights and freedoms of the Complainants, including in its responses to the Complainants’ requests aimed at exercising their rights as data subjects, the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14 and Article 21(1) and (4) of the General Data Protection Regulation.

Because of the infringements established, the Authority reprimanded the Publisher in both cases and at the same time ordered it:
-    to meet its obligation to provide information to the Complainants in relation to the data processing, including information on the interests of the Publisher and of the Complainants considered in the course of the interest assessment and the result of that assessment, information on the right to object, and information on the possibilities for enforcing their rights;
-    to carry out the interest assessment, including the second, individual interest assessment following an objection, in accordance with the legal regulations and these decisions, if in data processing envisaged in the future the Publisher intends to rely on legitimate interest as the legal basis;
-    to modify its practices for providing information in advance in accordance with the legal regulations in force and the provisions of these decisions.

Because of the established infringements, the Authority imposed a data protection fine of 2 million forints in its decision NAIH/2020/1154/9 and 2.5 million forints in its decision NAIH/2020/838/2 on the Publisher.

The reason for the difference in the amounts of the fines is that, although the Publisher was aware of the specific circumstances of the Complainants in the case constituting the subject matter of decision NAIH/2020/838/2, the Publisher failed to carry out an individual interest assessment, the result of which would have had to demonstrate that the data processing was justified by compelling legitimate grounds overriding the interests, rights and freedoms of the Complainants even after the Complainants' objection.

The Authority did not take the position that it is not at all possible to compile lists of businessmen and companies and reports on them in this form. Forbes may compile lists on the basis of business data accessible to the public, but the publication of the lists is subject to the stringent requirements of the General Data Protection Regulation, and the Publisher, as controller, must comply with these requirements.

The Authority supports the practice, also present in the Hungarian market, according to which the various rich lists or publications listing the richest Hungarians do not in all cases include the name of the data subject and/or an entry on the data subject: following a well-grounded objection by the data subject, they display a single letter instead of the full name and minimal information (e.g. the name of the given industry, the magnitude of the assets associated with the data subject) instead of the entry presenting the activities of the data subject.

A petition for review was submitted to the Fővárosi Törvényszék (Budapest Tribunal) by the Publisher against decision NAIH/2020/838/2 and by both parties against decision NAIH/2020/1154/9.

You can read the original press release on the Hungarian DPA website here.

For more information, please contact the Hungarian DPA here: privacy@naih.hu

