Datainspektionen på Åland

Datainspektionen på Åland (the Data Inspectorate on Åland) is responsible for data protection in the public administration on Åland. The Swedish Datainspektionen changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten (the Swedish Authority for Privacy Protection). See imy.se for details.

European Data Protection Board

European Data Protection Board – thirty-seventh plenary session: Guidelines on controller and processor, guidelines on targeting of social media users, taskforce on complaints lodged following the CJEU Schrems II judgment, taskforce on supplementary measures

Brussels, 3 September. The Board adopted guidelines on the concepts of controller and processor in the General Data Protection Regulation and guidelines on the targeting of social media users. In addition, the European Data Protection Board set up a taskforce to handle complaints following the Court of Justice's judgment in the Schrems II case, and a taskforce on the supplementary measures that data exporters and importers may be required to take to ensure adequate protection when transferring data in light of the Court's judgment in the Schrems II case.

The Board has adopted guidelines on the concepts of controller and processor in the GDPR. Since the General Data Protection Regulation became applicable, questions have been raised as to what extent the GDPR has brought changes to these concepts, particularly regarding the concept of joint controllership (laid down in Article 26 GDPR and following several CJEU rulings) and the obligations for processors (in particular Article 28 GDPR) laid down in Chapter IV of the GDPR.

In March 2019, the European Data Protection Board, together with its Secretariat, organised a stakeholder event which made clear that there was a need for more practical guidance and allowed the Board to better understand the needs and concerns in the field. The new guidelines consist of two main parts: one explains the different concepts; the other contains detailed guidance on the main consequences of these concepts for controllers, processors and joint controllers. The guidelines include a flow chart that provides further practical guidance. The guidelines will be subject to public consultation.

The European Data Protection Board has adopted guidelines on the targeting of social media users. The guidelines aim to give stakeholders practical guidance and contain examples of different situations so that stakeholders can quickly identify the ”scenario” closest to the targeting practice they intend to apply. The main aim of the guidelines is to clarify the roles and responsibilities of social media providers and of the targeted individual. To this end, the guidelines identify, among other things, the potential risks to individuals' freedoms, the main actors and their roles, the application of key data protection requirements such as lawfulness, transparency and data protection impact assessments, as well as key elements of arrangements between social media providers and the targeted individuals. The guidelines also focus on the different targeting mechanisms, the processing of special categories of data and the obligation for joint controllers to put in place an appropriate arrangement in accordance with Article 26 GDPR. The Plenary will submit the guidelines for public consultation.

The Board has set up a taskforce to examine complaints lodged in the aftermath of the Court's judgment in the Schrems II case. A total of 101 identical complaints have been lodged with EEA data protection authorities against several controllers in the EEA member states regarding their use of Google/Facebook services involving the transfer of personal data. The complainants, represented by the non-governmental organisation NOYB, claim that Google/Facebook transfer personal data to the United States on the basis of the EU-U.S. Privacy Shield or standard contractual clauses and that, according to the CJEU's recent judgment in case C-311/18, the controller cannot ensure adequate protection of the complainants' personal data. The taskforce will analyse the matter and ensure close cooperation among the members of the EDPB.

As a follow-up to the CJEU's judgment in the Schrems II case, and in addition to the FAQ adopted on 23 July, the Board has set up a taskforce. This taskforce will prepare recommendations to assist controllers and processors with their obligation to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.

Andrea Jelinek, Chair of the European Data Protection Board, says: ”The European Data Protection Board is well aware that the Schrems II judgment gives controllers an important responsibility. In addition to the statement and the FAQ we published shortly after the judgment, we will prepare recommendations to support controllers and processors with their obligation to identify and implement appropriate supplementary measures of a legal, technical and organisational nature to achieve an essentially equivalent level of protection when personal data are transferred to third countries. However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries differ greatly. Therefore, there cannot be a quick fix that suits everyone. Each organisation will need to evaluate its own data processing and data transfers and take appropriate measures.”

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_14

European Data Protection Board - Thirty-seventh Plenary session: Guidelines controller-processor, Guidelines targeting social media users, taskforce complaints CJEU Schrems II judgement, taskforce supplementary measures

The Board adopted Guidelines on the concepts of controller and processor in the GDPR and Guidelines on the targeting of social media users. In addition, the EDPB created a taskforce on complaints following the CJEU Schrems II judgement and a taskforce devoted to the supplementary measures that data exporters and importers can be required to take to ensure adequate protection when transferring data in light of the CJEU Schrems II judgement.

The Board adopted Guidelines on the concepts of controller and processor in the GDPR. Since the entry into application of the GDPR, questions have been raised as to what extent the GDPR brought changes to these concepts, particularly regarding the concept of joint controllership (as laid down in Article 26 GDPR and following several CJEU rulings), as well as the obligations for processors (in particular Article 28 GDPR) laid down in Chapter IV of the GDPR.

In March 2019, the EDPB together with its Secretariat organised a stakeholder event, which made clear that there was a need for more practical guidance and allowed the Board to better understand the needs and concerns in the field. The new Guidelines consist of two main parts: one explaining the different concepts; the other including detailed guidance on the main consequences of these concepts for controllers, processors and joint controllers. The Guidelines include a flow chart to provide further practical guidance. The Guidelines will be subject to public consultation.

The EDPB adopted Guidelines on the targeting of social media users. The Guidelines aim to provide practical guidance to stakeholders and contain various examples of different situations so that stakeholders can quickly identify the ‘scenario’ that is closest to the targeting practice they intend to deploy. The main aim of the Guidelines is to clarify the roles and responsibilities of the social media provider and the targeted individual. To this purpose, the Guidelines, among others, identify the potential risks for the freedoms of individuals, the main actors and their roles, the application of key data protection requirements, such as lawfulness, transparency and DPIA, as well as key elements of arrangements between social media providers and the targeted individuals. In addition, the Guidelines focus on the different targeting mechanisms, the processing of special categories of data and the obligation for joint controllers to put in place an appropriate arrangement pursuant to Article 26 GDPR. The Plenary will submit the Guidelines for public consultation.

The Board has created a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement. A total of 101 identical complaints have been lodged with EEA Data Protection Authorities against several controllers in the EEA member states regarding their use of Google / Facebook services which involve the transfer of personal data. Specifically, the complainants, represented by the NGO NOYB, claim that Google/Facebook transfer personal data to the U.S. relying on the EU-U.S. Privacy Shield or Standard Contractual Clauses and that, according to the recent CJEU judgment in case C-311/18, the controller is unable to ensure an adequate protection of the complainants' personal data. The taskforce will analyse the matter and ensure a close cooperation among the members of the Board.

As a follow-up to the CJEU’s Schrems II ruling and in addition to the FAQ adopted on 23 July, the Board has created a taskforce. This taskforce will prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.


Andrea Jelinek, Chair of the EDPB: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility. In addition to the statement and the FAQ we put out shortly following the judgment, we will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries. However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”

The agenda of the thirty-seventh plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_14
 

Polish DPA imposes 100 000 PLN fine on the Surveyor General of Poland


Infringement of the principle of lawfulness of personal data processing and making intentionally available without a legal basis on the GEOPORTAL2 (geoportal.gov.pl) of personal data in the form of land register numbers obtained from the land and property registers are the reason for imposing an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (GGK).


Moreover, GGK must adapt the processing of personal data to the provisions of the GDPR by discontinuing making available on the GEOPORTAL2 portal (www.geoportal.gov.pl) of personal data in the scope of land register numbers obtained from the land and property registers (kept by the starostes).


The President of the UODO decided to carry out inspection activities at the Surveyor General of Poland at the beginning of March 2020. However, GGK prevented the possibility of examining the legality of publishing information on the land registers number on GEOPORTAL2. In the course of the inspection, it made available only documentation specifying the organisational measures applied to ensure the data security and the evidence proving the appointment of the Data Protection Officer. As a result, the President of the UODO imposed an administrative fine on GGK (https://uodo.gov.pl/en/553/1146). However, despite the refusal to carry out an inspection, GGK gave testimony which served as evidence in the present proceedings.


According to the testimony submitted, GGK publishes information obtained from land and property registers (including land register numbers) from 90 poviat starosties only on the basis of agreements concluded with them.


In accordance with Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data is processed lawfully only in cases where at least one of the conditions indicated in Art. 6 GDPR is met.


In the course of the proceedings, GGK did not indicate a provision of law which would constitute the legal basis for its activity. Moreover, none of the legal provisions governing matters related to the activities of the Surveyor General of Poland allows it to make available data obtained from the starosties within the framework of GEOPORTAL2. In the opinion of the President of the UODO, the Surveyor General of Poland, aware of the lack of a clear legal basis for the processing of land register numbers, concluded agreements with the starostes on the basis of which it obtained information from the land and property registers (including land register numbers) kept by the starostes for the purpose of their publication on GEOPORTAL2. The supervisory authority considered that these agreements concerned the creation and maintenance of common elements of the technical infrastructure intended to store and make available certain data filing systems, but did not constitute a legal basis for making available the data, including land register numbers. Such a basis must result from commonly binding legal provisions.


Having regard to the above, the President of the UODO considered that personal data were made available in the form of land register numbers on GEOPORTAL2 without a legal basis. Such action results in infringement of Article 5(1)(a) and Article 6(1) of the GDPR. The doctrine of law represents the view that making personal data available from public filing systems in the absence of a clear legal basis relating to the operation of making personal data available is unlawful.


In this case, it is undeniable that the land register numbers processed on www.geoportal.gov.pl constitute personal data. According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


The scope of data disclosed in the land register of natural persons includes, among others, names, surnames, parents’ names, PESEL number (personal identification number), property address. The publication of such data allows the identification of the person whose data is contained in the land register. By publishing land register numbers on Geoportal2, access to the information contained in them can be obtained by any interested Internet user. This type of situation may expose a very large number of people (data subjects) to theft of their identity.


When imposing a fine, the supervisory authority took into account not only the severity of the infringement, its nature and duration, but also the intentional character of the action.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.
This press release can be seen as a follow up to an article previously posted here on the EDPB website.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Polish DPA imposes a Penalty of a Reprimand for the Processing of Students’ Personal Data


The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without a legal basis in connection with a survey carried out by a school in the school year 2019/2020. The survey, entitled “Diagnosis of student’s home and school situation”, examined the personal situation of students.


In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.


The processing of students’ personal data included collection, storage and destruction of those data.


In the course of the UODO’s inspection it was established that the survey was conducted to identify students who require psychological support from the school they attend. The survey was carried out by class teachers in classes 7-8 of elementary school and in high school classes. It was conducted using blank paper forms on direct instruction from the school principal.


All returned copies of the survey were destroyed by an official commission. According to the findings of the inspection, personal data included in the surveys were not entered into electronic telecommunication systems, were not recorded on electronic data carriers or other information carriers, including in paper form. After collecting the surveys, the teachers did not make any scans or paper copies of them, nor did they make other additional documents containing personal data concerning the surveys. As of the date of the inspection, students' personal data obtained in connection with the surveys were no longer processed.


According to the evidence obtained as a result of the inspection, the surveys were conducted in a way that excludes the possibility of unauthorized disclosure of the data contained in them.


By conducting a survey among students, the school has violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner for the data subject. The above principle has been developed in the content of Article 6(1)(c) of the GDPR, according to which the processing is lawful only if - and to the extent to which - the condition that the processing is necessary for compliance with a legal obligation to which the controller is subject is fulfilled.


The school, as a public entity, may process personal data within the scope of its tasks imposed by law. In turn, according to the Educational Law, schools process personal data to the extent necessary for the performance of the tasks and obligations arising from these regulations. The legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way it was done in the penalised entity, in connection with the conducted survey.


The President of the UODO considered that, in the established circumstances of this case, a reprimand was sufficient. The unintended nature of the infringement was considered to be an attenuating circumstance. The school principal immediately took a number of corrective measures, such as: destruction of the survey forms or refraining from carrying out the survey by some teachers, organisation of training for staff to raise their awareness of personal data protection issues, and analysis of the incident of conducting the survey among students, given the risk to the rights and freedoms of natural persons. Moreover, on the basis of the circumstances of the present case, there are no grounds to consider that the data subjects have suffered damage as a result of the event. The President of the UODO has not received any signals that similar behaviours resulting in violations have taken place on the part of the school.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl


Belgian DPA imposes €20.000 fine on Proximus for several data protection infringements

The Belgian DPA imposed a fine of 20,000 EUR on telecom operator Proximus for several data protection infringements during the processing of personal data for the purpose of publishing public telephone directories.

The facts
A Belgian citizen (the plaintiff) had requested Proximus, the publisher of a public directory, to retract the publication of his personal data in Proximus’ public directory, as well as the publication of the personal data in the directory of other publishers. Proximus, as publisher of its own public directory, had confirmed towards the plaintiff it would no longer publish the personal data, and would also inform other publishers of a public directory to not publish the personal data of the plaintiff. However, a few months later, the plaintiff discovered his personal data had not only been published in the directory of Proximus, but also in the ones of other publishers of a public directory. In its communication towards the plaintiff, Proximus also mentioned it had transferred the personal data of the plaintiff to other publishers of a public directory. 

Background: lex specialis of the e-Privacy Directive
In Belgium, the consent for the publication in a public directory is given in accordance with the provisions of national telecommunications law. Those provisions are the national implementation of article 12 of the e-Privacy Directive. Although the e-Privacy Directive forms lex specialis vis-à-vis the GDPR (as lex generalis), as stated in article 95 GDPR, the provisions with regard to consent of the GDPR remain applicable as preconditions for lawful processing with regard to the consent in article 12 e-Privacy Directive.

Decision of the Litigation Chamber 
The Litigation Chamber of the Belgian DPA upheld, among other things, that:
-    Proximus publishes its own public directory and must therefore be considered as a controller for several relevant processing activities. As such, it has a responsibility to align the withdrawing of the data subject’s consent with the actual processing activities. It is apparent that Proximus did not take the appropriate measures to ensure and be able to demonstrate that the personal data of the complainant was not unlawfully processed after the withdrawal of the consent. Thus, Proximus had not fulfilled its obligations (appropriately) as a controller, and therefore infringed article 6 GDPR read in conjunction with article 7 GDPR, as well as articles 24 and article 5.2 GDPR.
-    Proximus did not provide the data subject with transparent information during and after the handling of his request, nor did it appropriately facilitate the exercise of his data subject rights, and therefore infringed article 12 and article 13 GDPR. 
The Litigation Chamber decided not to pseudonymise the name of the defendant, as the publication of that identity was in the public interest. 
 

You can find the final decision in Dutch here.

For further information, please contact the Belgian DPA: contact@apd-gba.be 


Dutch DPA: Methods used by Dutch Tax and Customs Administration unlawful and discriminatory

The Benefits Office of the Dutch Tax and Customs Administration should not have processed the (dual) nationality of childcare benefit applicants in the way it did for many years. According to the results of the Data Protection Authority’s investigation, this practice was unlawful and discriminatory, and a serious and improper breach of the General Data Protection Regulation (GDPR). Today Aleid Wolfsen, chairman of the Data Protection Authority, submitted the investigation report to State Secretary for Benefits and Customs Alexandra van Huffelen.

Unlawful processing
The Tax and Customs Administration should have deleted the data on dual nationality back in January 2014. In May 2018, however, some 1.4 million people were still registered as dual nationals in its systems.

Dual nationality should not play a role in the assessment of childcare benefit applications. Nonetheless, the Tax and Customs Administration retained and used this data.
 
It also processed the nationality data of childcare benefit applicants for the purpose of combating organised fraud, even though this data was not necessary for this purpose.

Lastly, the Tax and Customs Administration used applicants’ nationality (Dutch/not Dutch) as an indicator in a system that automatically designated certain applications as risky. The data was not necessary for this purpose either.

It is unlawful to use nationality data to assess applications, combat fraud and determine risk. In other words, the Tax and Customs Administration was not allowed to do what it did.

Discriminatory processing
By unnecessarily retaining nationality data in its systems, the Tax and Customs Administration acted in a discriminatory way. Entitlement to childcare benefit is not contingent on nationality but on lawful residence in the Netherlands.
 
The Tax and Customs Administration therefore made an unjustified distinction on the basis of nationality. Under the GDPR, it is improper to process nationality data to combat fraud and determine risks because data processing may not infringe on any fundamental rights. This includes the right to equality and non-discrimination.

Unacceptable practices
‘Our investigation shows that the Tax and Customs Administration’s Benefits Office stored and used large amounts of data in various ways over a long period in a manner that was entirely impermissible,’ said Mr Wolfsen. ‘The way in which the entire system was set up and used was discriminatory. The specific consequences this has had for individual applicants is beyond the scope of this investigation, but we know that the nationality or dual nationality of applicants was consistently and systematically used against them and it should not have been.’

Next steps
The Data Protection Authority’s investigation of the facts concludes the first step of the investigation process. The next step is for the DPA to determine whether to impose a sanction, such as a fine, on the Tax and Customs Administration. Before it can do so, the Minister of Finance is entitled to first officially respond to the investigation. After he has done so, the Data Protection Authority can announce in late 2020 any sanction it decides to impose.
 

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl


Spanish Data Protection Authority (AEPD) imposes fine on company for not complying with advertisement exclusion

The Spanish Data Protection Authority (AEPD) imposed a fine of 1.200 EUR on a company for calling the data subject, offering them a deal on hotels, while they were included in an advertisement exclusion system. By joining this system, the data subject exercised their right to object to processing for marketing purposes under Article 21 GDPR. However, the company did not comply with its obligation of consulting the advertisement exclusion system before making a telephone call with marketing purposes in order to avoid processing their personal data. 

The data subject received a call from the data controller’s number, stating that a friend of theirs had provided the company with their telephone number so that it could offer them a hotel voucher, naming other friends of theirs and declaring that they had joined the promotion.

The AEPD considered that this constitutes a breach of Article 48(1)(b) of the Spanish Law 9/2014 on General Telecommunications.
 

You can read the text of the decision in Spanish here.

For further information, please contact the Spanish DPA: prensa@aepd.es


Spanish Data Protection Authority (AEPD) imposes fine of 75.000 EUR on VODAFONE ESPAÑA

 

The Spanish Data Protection Authority (AEPD) imposed a fine of 75.000 EUR on VODAFONE ESPAÑA for processing the claimant’s telephone number for marketing purposes after they had exercised their right to erasure in 2015, despite which the data subject was sent advertising SMS messages. The controller stated that the claimant’s number, being easy to remember, had been used as a “dummy number” by its employees.

The AEPD considered that VODAFONE ESPAÑA violated Article 6(1) of the GDPR, by processing the claimant's personal data without any lawful basis.

You can read the text of the decision in Spanish here.

For further information, please contact the Spanish DPA: prensa@aepd.es

Spanish Data Protection Authority (AEPD) imposes fine of 70.000 EUR on XFERA MOVILES

The Spanish Data Protection Authority (AEPD) imposed a fine of 70.000 EUR on XFERA MOVILES for disclosing a customer’s personal data to a third party.

The claimant was informed by another Masmovil customer that, because of a mistake by the company, that customer had been charged for the claimant’s bill and thus had access to the claimant’s personal data (name, surname, ID card number and personal phone number).

The AEPD considered that this constitutes a breach of the principle of confidentiality, established in Article 5(1)(f) of the GDPR.

You can read the text of the decision here.

For further information, please contact the Spanish DPA: prensa@aepd.es


Norwegian DPA: Administrative fine for Rælingen municipality 

Final decision, administrative fine for Rælingen municipality 

The Norwegian Data Protection Authority has imposed an administrative fine of EUR 47,500 on Rælingen Municipality. The fine is imposed after data concerning the health of children with special needs was processed using the digital learning platform Showbie.
- The case started when we received a notification of a personal data breach from the municipality. Upon further investigation of the case, it appeared that the level of security of the application was not proportionate with the risk, says Director-General of the Norwegian Data Protection Authority, Bjørn Erik Thon. – This is obviously a significant issue, as it has to do with both children and personal data concerning health. 

Several infringements
The infringement affects 15 children with special needs. The application Showbie has been used to send health-related personal data between the school and the children's homes.

The necessary risk and data protection impact assessments and testing had not been completed before the application was put to use. Insufficient security measures at login made it possible to obtain information about other children in the group.


After the breach notification, the municipality pointed out that there is no indication that any of the children have actually suffered material or non-material damage, but the Norwegian Data Protection Authority did not put emphasis on this in its consideration of the case. This is because we found that the infringement itself creates a risk, regardless of whether that risk actually manifests itself in a more concrete form of damage to the affected children.

The Norwegian Data Protection Authority chose to reduce the fine after an overall assessment, made on the basis of an inquiry from Rælingen municipality. An assessment was also made in relation to previous practice under the old law. The case has not been appealed, and the fine of EUR 47,500 is final.

You can read the original press release in Norwegian here.

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Danish DPA Fines PrivatBo

In 2018, the Danish company PrivatBo assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo provided material for the properties in question, which was distributed to the occupants of the properties on a total of 424 USB keys. However, PrivatBo was not aware that some of the documents contained personal information of a confidential nature which should not have been disclosed.

The Danish Data Protection Agency assessed the case and found that PrivatBo had not complied with the requirements of Article 32 of the General Data Protection Regulation to implement appropriate technical and organisational security measures. Based on the nature of the case, the Danish DPA has therefore reported PrivatBo to the police for the unintentional disclosure of personal data and proposed a fine of DKK 150.000.

You can read the full press release in Danish below or on the Danish DPA website here.

For further information, please contact the Danish SA: dt@datatilsynet.dk

Danish DPA refers PrivatBo for a fine

PrivatBo has been reported to the police, as the Danish Data Protection Agency assesses that the administration company has not met the requirements for an appropriate level of security in the General Data Protection Regulation (GDPR).

In 2018, PrivatBo, acting as administration company, assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo provided material on the properties in question, which was distributed to the occupants of those properties on a total of 424 USB keys. However, PrivatBo was not aware that documents containing personal data of a confidential nature, which should not have been disclosed, were attached to some of the leases that were handed out.

”In a case such as this, it is our assessment that PrivatBo should, as a minimum, have reviewed the offer material before handing it over to others. In this connection we note in particular that there was a risk of disclosing information of a confidential nature to, among others, neighbours, and that this could entail significant discomfort for the tenants concerned, including loss of reputation,” says Frederik Viksøe Siegumfeldt, head of the supervisory unit at the Danish Data Protection Agency, adding:

”Quite generally, when a company processes people's personal data, it also has a responsibility to ensure that the data does not come to the knowledge of unauthorised persons. In this case, we do not believe PrivatBo did enough to prevent the personal data from being disclosed.”

The Danish Data Protection Agency has thus assessed that PrivatBo has not met the requirements of Article 32 of the General Data Protection Regulation to implement appropriate technical and organisational security measures. Based on the nature of the case, the Agency has therefore chosen to report PrivatBo to the police for the unintentional disclosure of personal data that occurred as part of the handing out of the 424 USB keys.

The Danish Data Protection Agency has furthermore found grounds to express serious criticism that PrivatBo subsequently, in connection with the same offer obligation, unintentionally handed out an overview of deposits held and prepaid rent, and in some cases information on attachments against deposits, broken down by the address of the tenancies, to residents of a property other than the one covered by the offer obligation in question. The unintentional disclosure of this information occurred despite PrivatBo having engaged an external auditing firm to quality-assure the material.

National Credit Register (BKR) fined for personal data access charges

The National Credit Register (BKR) in the Netherlands can no longer charge people who wish to access the personal data it holds on them. In addition, if data subjects wish to receive a copy of their data by post, the procedure must be simple, and they must be able to request a new copy after a reasonable period of time has passed. The BKR had created too many obstacles for people wishing to access their data. Under privacy legislation, this is not permitted. As a result, the Dutch Data Protection Authority (Dutch DPA) issued the BKR with a €830,000 fine. 

The Dutch DPA received complaints from data subjects about the difficulties involved in accessing the data the BKR held on them. The Dutch DPA considered these complaints significant enough to warrant an investigation.

Accessing credit registration data
In the words of Dutch DPA chairman Aleid Wolfsen, ‘It is vital that people are able to access their credit registration data. A poor credit score can affect a person’s ability to take out a loan or mortgage. So it is important for people to be able to quickly and easily check what data of theirs is being processed and if this is being done in the proper manner.’ 

The issue
In May 2018 the BKR began charging a fee to data subjects for requesting access to their data in a digital format. Furthermore, although data subjects could obtain a paper copy of their data for free, this was only possible once a year. This situation was an infringement of privacy legislation, and led to the BKR being fined €830,000.

Following the Dutch DPA’s investigation, the BKR has modified its processes. Since April 2019 data subjects have been able to access their data for free. In addition, in March 2019 the BKR changed the number of times a year data subjects can receive a paper copy of their data by post. 

What’s next?
The BKR has appealed the case in court, which means that the Dutch DPA’s decision about the fine is not yet final. 


Baden-Wuerttemberg State Commissioner imposes fine on AOK Baden-Wuerttemberg

Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information imposes fine on AOK Baden-Wuerttemberg – Effective data protection requires regular monitoring and adjustment

Due to an infringement of the obligations of secure data processing (Article 32 of the European General Data Protection Regulation, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has issued a fine of 1,240,000 € against the AOK Baden-Wuerttemberg. At the same time, the Department of Fines, in constructive collaboration with the AOK, also paved the way for an improvement of the technical and organisational measures for the protection of personal data at the AOK Baden-Wuerttemberg.

From 2015 to 2019, the AOK Baden-Wuerttemberg hosted raffles on different occasions. Within this context, the AOK collected the participants’ personal data, including contact details and health insurance affiliation. Inter alia, the AOK wished to use this data for advertisement purposes, provided that the participants had consented accordingly. Through technical and organisational measures, which included internal guidelines and data protection trainings, among others, the AOK wanted to ensure that only data of raffle participants who had given their prior and valid consent would be used for advertisement purposes. These measures set by the AOK did not, however, comply with legal requirements. The personal data of more than 500 raffle participants were therefore used for advertisement purposes without their consent. No insurance data was concerned.

The AOK Baden-Wuerttemberg discontinued all sales activities immediately after the allegation became known, in order to thoroughly check all procedures. In addition, the AOK created a task force for data protection in sales and made adjustments which concerned, in particular, internal procedures and control structures, besides the declarations of consent. Further measures are to be taken in close coordination with the LfDI.

Within the frame that Article 83(4) GDPR sets for fines, the comprehensive internal reviews and adjustments of the technical and organisational measures, as well as the constructive cooperation with the LfDI, spoke in the AOK’s favour. Thus, an increase in the protection level for personal data related to the AOK’s sales activities was achieved within a short amount of time. In the future, the AOK will continue and, if necessary, adjust these improvements and additional control mechanisms, in accordance with the specifications and recommendations set by the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information.

When assessing the fine, the Commissioner considered factors such as the size and the relevance of the AOK Baden-Wuerttemberg. He also paid special consideration to the AOK being a statutory health insurance and thus an important part of our health system, as the AOK has the statutory obligation to preserve, restore or improve the health of the insured persons. The GDPR requires fines to be not only effective and dissuasive, but also proportionate. In determining the amount of the fine, the Commissioner therefore had to ensure that the fulfilment of this statutory obligation would not be endangered. To this end, particular attention was paid to the challenges the AOK currently faces due to the Corona pandemic.

“Data security is an ongoing task”, the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, stresses. “Technical and organisational measures need to be adjusted to the actual conditions on a regular basis, so as to ensure an appropriate level of protection in the long term.” In this context, great importance is regularly attached to ensuring conditions of data protection compliance, as well as to the good cooperation of controllers with the LfDI. Brink concludes, “Our aim is not to issue fines which are as high as possible, but rather to reach a data protection level which is as good and appropriate as possible.”

If you have any questions, you can call +49 (0)711 615541-23. For further information about data protection and freedom of information on the web, please visit www.baden-wuerttemberg.datenschutz.de or www.datenschutz.de.


The German version of this press release is available at www.baden-wuerttemberg.datenschutz.de.

EDPB adopted documents - 34th, 35th & 36th plenary

Telephone Operators: Italian SA Fines Wind EUR 17 million and Iliad EUR 0.8 million

Within the framework of the Italian SA’s enforcement activities regarding telephone operators, Wind Tre SpA was fined about EUR 17 million on July 9th on account of several instances of unlawful data processing that were mostly related to marketing. The Italian SA had already issued a prohibitory injunction against the company, on account of similar infringements that had occurred when the previous data protection law was in force.

The fine was imposed following complex investigations and inspections. Complaints were received from users against unsolicited marketing communications made without their consent via texting, emails, faxes, and automated phone calls. In several cases, the complainants had declared they had not been enabled to exercise their right to withdraw consent or object to the processing of their data for marketing purposes, partly on account of the inaccurate contact information provided in the information notices. In yet other cases, users’ personal data had been included in public phone listings despite the (at times reiterated) objections made by those users.

The investigation showed that the MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes including marketing, profiling, communication of data to third parties, data enrichment and geolocation; withdrawal of such consent was allowed after 24 hours.

Beyond these overarching flaws, the investigations by the Italian SA shed light on multifarious infringements affecting Wind Tre’s business partners. On account of those infringements, one such business partner was fined EUR 200,000 by the Italian SA and was banned from using the data its agents had collected and processed in the national territory without any consideration for data protection rules. This business partner had subcontracted – without relying on any legal instrument – whole sets of processing activities to call centres, which collected data in breach of the law.

The pleadings submitted by Wind Tre and the corrective measures implemented by the company, as also related to the centralised approach applying to marketing campaigns, were found inadequate by the Italian SA, which accordingly fined Wind Tre EUR 16,729,600 and prohibited any further processing of the data they had acquired without consent. The Italian SA also ordered the company to take technical and organisational measures to ensure effective oversight of their business partners, along with implementing procedures to respect users’ indications to be left alone.

During its 9 July meeting, the Italian SA also assessed the findings of the investigations regarding another phone operator, Iliad; in that case, shortcomings were detected in several respects, in particular concerning employees’ access to traffic data. Accordingly, the company was fined EUR 800,000.

Rome, 13 July 2020


European Data Protection Board publishes FAQ document on CJEU judgment C-311/18 (Schrems II)

Following the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the EDPB has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S. This document will be developed and complemented, along with further guidance, as the EDPB continues to examine and assess the judgment of the Court. 

The FAQ document on the CJEU judgment C-311/18 can be found here.

EDPB_Press Release_statement_2020_06


European Data Protection Board - Thirty-fifth Plenary session: Information note on Binding Corporate Rules with UK SA as Lead Authority

Brussels, 23 July - In light of the upcoming end to the Brexit transition period, the EDPB has adopted an information note outlining the actions that need to be taken by Supervisory Authorities (SAs), the holders of approved Binding Corporate Rules (BCRs) and organisations that have BCRs pending with the UK SA to ensure that these BCRs can still be used as a valid transfer tool, following the end of the transition period. As the UK SA will no longer qualify as a competent SA under the GDPR at the end of the transition period, the approval decisions of the UK SA taken under the GDPR will no longer have legal effect in the EEA. In addition, the content of the BCRs in question may need to be amended before the transition period ends, as these BCRs generally contain references to the UK legal order. This also applies to BCRs already approved under Directive 94/46/EC. 

BCR holders who have the UK SA as their BCR Lead SA need to put in place all organisational arrangements to identify a new BCR Lead SA in the EEA. The change of BCR Lead SA will have to take place before the end of the Brexit transition period.

Current BCR applicants are encouraged to put in place all organisational arrangements to identify a new BCR Lead SA in the EEA well in advance of the end of the Brexit transition period, including contacting the SA in question to provide all necessary information as to why this SA is being considered as the new BCR Lead SA. The latter will then take over the application and formally initiate an approval procedure subject to an opinion of the EDPB. Any BCR approved by the UK SA under the GDPR will require the new EEA BCR Lead SA to issue a new approval decision before the end of the transition period, following an opinion from the EDPB. The EDPB also adopted an annex containing a checklist of elements to be amended in BCR documents in the context of Brexit. 

This information note is without prejudice to the analysis currently undertaken by the EDPB on the consequences of the CJEU judgment DPC v Facebook Ireland and Schrems for BCRs as transfer tools.

The agenda to the thirty-fifth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_13

Europeiska dataskyddsstyrelsen – 34:e plenarmötet: Schrems II, samspel mellan PSD2 och den allmänna dataskyddsförordningen och en skrivelse till Europaparlamentsledamoten Ďuriš Nicholsonová om kontaktspårning, appars interoperabilitet och konsekvensbedömn

Bryssel den 20 juli – Under sitt 34:e plenarmöte antog Europeiska dataskyddsstyrelsen ett uttalande om EU-domstolens dom i målet Facebook Ireland mot Schrems. Europeiska dataskyddsstyrelsen antog riktlinjer för samspelet mellan det andra betaltjänstdirektivet (PSD2) och den allmänna dataskyddsförordningen samt en svarsskrivelse till Europaparlamentsledamoten Ďuriš Nicholsonová om kontaktspårning, appars interoperabilitet och konsekvensbedömningar avseende dataskydd.

Europeiska dataskyddsstyrelsen antog ett uttalande om Europeiska unionens domstols dom i mål C-311/18 – Data Protection Commissioner mot Facebook Ireland och Maximillian Schrems, som ogiltigförklarar beslut 2016/1250 om huruvida ett adekvat skydd säkerställs genom skölden för skydd av privatlivet i EU och Förenta staterna och som slår fast att kommissionens beslut 2010/87 om standardavtalsklausuler för överföring av personuppgifter till registerförare etablerade i tredjeländer är giltigt.

Beträffande skölden för skydd av privatlivet påpekar Europeiska dataskyddsstyrelsen att EU och Förenta staterna bör komma överens om ett heltäckande och effektivt ramverk som garanterar att graden av personuppgiftsskydd i Förenta staterna är väsentligen likvärdig med den som garanteras inom EU, i enlighet med domstolens dom. Europeiska dataskyddsstyrelsen har för avsikt att fortsätta att ha en konstruktiv roll för att säkerställa en dataöverföring av personuppgifter över Atlanten som är till gagn för EES medborgare och organisationer, och står beredd att bistå och vägleda kommissionen i dess arbete med att tillsammans med Förenta staterna bygga upp ett nytt ramverk som på alla punkter uppfyller EU:s dataskyddslagstiftning.

När det gäller standardavtalsklausuler noterar Europeiska dataskyddsstyrelsen att när uppgiftsutförare och uppgiftsinförare överväger att tillämpa standardavtalsklausuler är deras främsta ansvar att säkerställa att dessa klausuler borgar för en skyddsnivå som är väsentligen likvärdig med den som garanteras av den allmänna dataskyddsförordningen mot bakgrund av EU-stadgan om de grundläggande rättigheterna. När en sådan föregående utvärdering genomförs ska uppgiftsutföraren (vid behov med hjälp av uppgiftsinföraren) ta hänsyn till innehållet i standardavtalsklausulerna, de särskilda omständigheterna kring överföringen och den gällande lagstiftningen i uppgiftsinförarens land. Domstolen understryker att uppgiftsutföraren kan behöva överväga att införa ytterligare åtgärder utöver dem som ingår i standardavtalsklausulerna. Europeiska dataskyddsstyrelsen kommer att undersöka vilka dessa ytterligare åtgärder skulle kunna vara.

Europeiska dataskyddsstyrelsen noterar även att de behöriga tillsynsmyndigheterna är skyldiga att avbryta eller förbjuda dataöverföring till ett tredjeland enligt standardavtalsklausuler om dessa klausuler, enligt den behöriga tillsynsmyndigheten och mot bakgrund av omständigheterna kring överföringen, inte följs eller inte kan följas i tredjelandet i fråga, samt om skyddet för de uppgifter som överförs inte kan säkerställas på annat sätt. Detta gäller i synnerhet i fall då den personuppgiftsansvarige eller personuppgiftsbiträdet inte redan själv avbrutit eller avslutat överföringen.

The European Data Protection Board recalls that it has issued guidelines on Article 49 of the General Data Protection Regulation and that the application of such derogations must be assessed on a case-by-case basis.

The European Data Protection Board will assess the judgment in more detail and provide further clarification for stakeholders, as well as guidance on the use of instruments for the transfer of personal data to third countries, in light of the judgment. As established by the Court of Justice of the EU, the European Data Protection Board and its competent supervisory authorities stand ready to ensure consistency across the entire EEA.

The full statement is available here: https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_sv

The European Data Protection Board adopted guidelines on the second Payment Services Directive (PSD2). PSD2 modernises the legal framework for the payment services market. Important new elements in PSD2 include a legal framework for new payment initiation services (payment initiation service providers) and account information services (account information service providers). Users can request that these new payment service providers be granted access to their payment accounts. Following a stakeholder workshop in February 2019, the European Data Protection Board drew up guidelines on how the General Data Protection Regulation applies to these new payment services.

The guidelines state that the processing of special categories of personal data in this context is generally prohibited (in accordance with Article 9(1) of the General Data Protection Regulation), except where the data subject has given explicit consent (Article 9(2)(a) of the General Data Protection Regulation) or where the processing is necessary for reasons of substantial public interest (Article 9(2)(g) of the General Data Protection Regulation).

The guidelines also address the conditions under which account servicing payment service providers may grant payment initiation service providers and account information service providers access to payment account information, in particular granular access to payment accounts.

The guidelines clarify that neither Article 66(3)(g) nor Article 67(2)(f) of PSD2 allows any further processing of personal data, unless the data subject has given consent pursuant to Article 6(1)(a) of the General Data Protection Regulation or the processing is laid down by Union or national law. The guidelines will be submitted for public consultation.

Finally, the Board adopted a letter in reply to MEP Ďuriš Nicholsonová's questions on data protection in the context of the fight against COVID-19. The letter addresses questions on the harmonisation and interoperability of contact tracing apps, the requirement for a data protection impact assessment for such processing, and how long this processing should be allowed to continue.

EDPB_Press Release_2020_12
