Datainspektionen på Åland

Datainspektionen på Åland (the Åland Data Inspection Authority) is responsible for data protection in the public administration of Åland. The Swedish authority Datainspektionen changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten. See imy.se for more information.

European Data Protection Board

Polish DPA fines Surveyor General of Poland: Full inspection must be carried out



The President of the Personal Data Protection Office (UODO), after having conducted an administrative proceeding instituted ex officio in the case of imposition of an administrative fine, imposed a fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK).


The President of the Personal Data Protection Office established that the Surveyor General of Poland violated the provisions of the General Data Protection Regulation (GDPR), where the breach consisted in failure to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks. Furthermore, GGK did not cooperate with the President of the UODO during that inspection.


The President of the UODO is tasked with monitoring and enforcing the application of the GDPR. Within the scope of its competences, it conducts inter alia proceedings on the application of the provisions of the GDPR. For the performance of its tasks, the supervisory authority shall have a number of specific powers, including the right to obtain from the controller and the processor access to all personal data and to all information necessary for it, or the right to obtain access to any premises of the controller and the processor, including to any data processing equipment and means.


Moreover, the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of the GDPR.


An infringement of the provisions of the General Data Protection Regulation, consisting in failure to provide access to data and information by the controller or processor, shall result in a breach of the powers of the supervisory authority referred to in Article 58(1) of the GDPR. Therefore, the President of the UODO considered it reasonable to impose an administrative fine.


Let us remind you that at the beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations. Giving the reasoning for its position, GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.


Finally, GGK signed the authorisations, entering a written note on them stating that it refused to carry out the inspection aimed at establishing, inter alia: the grounds for the processing (including disclosing on GEOPORTAL2) of personal data, the sources of such data, the scope and type of disclosed personal data, and the method and purpose of that disclosure. Furthermore, the note allows the conclusion that the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures had been implemented to ensure an adequate level of security of the data subject to protection, and whether GGK had appointed a Data Protection Officer. Unfortunately, because the inspectors were not given access to the IT systems used by GGK and could not carry out the necessary examination of the IT system during the inspection, it was not established whether GGK had implemented appropriate technical measures to ensure data security. In view of the above, in the course of the inspection it was only established what organisational measures GGK used for data security and whether a Data Protection Officer had been appointed.


An inspection protocol was drawn up from the inspection activities carried out, which was signed by the Surveyor General of Poland.

Due to GGK's categorical lack of consent to the carrying out of full inspection activities and its unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground GGK enabled access to personal data contained in land and property registers when providing information from those registers via the GEOPORTAL2 online portal (geoportal.gov.pl), nor whether GGK had implemented appropriate technical measures to ensure data security. During the inspection, it was not possible to investigate what was the main subject of the inspection, because not all operations could be carried out. In this respect, the inspection was thwarted by the Surveyor General of Poland.


In addition, separate proceedings are pending before the President of the UODO in the case of a breach consisting in the processing of personal data in the form of the numbers of land and property registers on the GEOPORTAL2 online portal without a legal basis.


To read the information on the hindering of the inspection by GGK and on the issuing of the decision by the President of the UODO in Polish, click here.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Polish DPA fines non-public nursery and pre-school: Lack of cooperation with the supervisory authority

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 5 000 on an individual entrepreneur running a non-public nursery and pre-school. 


The entrepreneur running a nursery and pre-school failed to provide the President of the UODO with access to personal data and other information necessary for the performance of its tasks - in this case for assessing whether the controller had communicated a data breach to the data subjects in accordance with the GDPR (Article 58(1)(e) of the GDPR).


The controller notified the President of the UODO of a personal data breach, which consisted in losing access to personal data stored in the private nursery and pre-school it runs.


Given the lack of information necessary to carry out an assessment of the notification, the supervisory authority sent three requests to the entrepreneur to submit relevant explanations. Two of them were not collected on time; one was collected personally by the fined entity itself. The entrepreneur failed to respond to the requests of the President of the UODO.


The obligation of an entrepreneur, that is an entity conducting professional business activity on the market, is to collect correspondence connected with the conducted activity. The entrepreneur's course of action is incomprehensible, considering the fact that it notified a personal data breach to the President of the UODO and therefore should have been expecting the DPA's standpoint in this case.


It is worth emphasizing that the activity conducted by the fined entity included the processing of personal data relating to children, who require special protection, since they can be less aware of the risk and consequences related to data processing.


When issuing the decision on imposing an administrative fine and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the severity of the breach and its duration, the intentional nature of the breach and the lack of cooperation of the controller with the supervisory authority. In the view of the President of the UODO, the imposed fine is proportionate to the severity of the established breach and to the entrepreneur's ability to pay the fine without serious detriment to the conducted activity.


The fine imposed by the President of the Personal Data Protection Office is intended to discipline the entrepreneur in terms of proper cooperation with the President of the UODO, both in the further course of the proceedings concerning the data breach notification and in any other future proceedings conducted by the President of the UODO with the participation of this entrepreneur. It is a clear signal to all entities that disregarding their obligation to cooperate, on request, with the supervisory authority, especially by hindering access to information necessary for the performance of its tasks, is a serious infringement and as such is subject to fines.


To read the press release in Polish, click here.
To read the full decision in Polish, click here.

European Data Protection Board - Thirty-fourth Plenary session: Schrems II, Interplay PSD2 and GDPR and letter to MEP Ďuriš Nicholsonová on contact tracing, interoperability of apps and DPIAs


Brussels, 20 July - During its 34th plenary session, the EDPB adopted a statement on the CJEU’s ruling in Facebook Ireland v Schrems. The Board adopted Guidelines on the interplay between the second Payment Services Directive (PSD2) and the GDPR, as well as a response letter to MEP Ďuriš Nicholsonová on contact tracing, interoperability of apps and DPIAs.


The EDPB adopted a statement on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, which invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield and considers Commission Decision 2010/87 on Standard Contractual Clauses (SCC) for the transfer of personal data to processors established in third countries valid.

With regard to the Privacy Shield, the EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment. The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.

As regards Standard Contractual Clauses, the EDPB takes note of the primary responsibility of the exporter and the importer, when considering whether to enter into SCCs, to ensure that these maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The Court underlines that the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB will be looking further into what these additional measures could consist of.

The EDPB also takes note of the competent supervisory authorities’ (SAs) duties to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or processor has not already itself suspended or put an end to the transfer. 

The EDPB recalls that it adopted Guidelines on Article 49 GDPR and that such derogations must be applied on a case-by-case basis.

The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment. The EDPB and its European SAs also stand ready, as stated by the CJEU, to ensure consistency across the EEA.

The full statement is available here: https://edpb.europa.eu/news/news/2020/statement-court-justice-european-u...;

The EDPB adopted Guidelines on the second Payment Services Directive (PSD2). PSD2 modernises the legal framework for the payment services market. Importantly, PSD2 introduces a legal framework for new payment initiation services (PISP) and account information services (AISP). Users can request that these new payment service providers are granted access to their payment accounts. Following a stakeholders workshop in February 2019, the EDPB developed Guidelines on the application of the GDPR to these new payment services. 


The Guidelines point out that in this context the processing of special categories of personal data is generally prohibited (in line with Article 9 (1) GDPR), except when explicit consent is given by the data subject (Article 9 (2) (a) GDPR) or processing is necessary for reasons of substantial public interest (Article 9 (2) (g) GDPR).


The Guidelines also address conditions under which Account Servicing Payment Service Providers (ASPSPs) grant access to payment account information to PISPs and AISPs, especially granular access to payment accounts. 


The Guidelines clarify that neither Article 66 (3) (g) nor Article 67 (2) (f) of the PSD2 allow for any further processing, unless the data subject has given consent pursuant to Article 6 (1) (a) of the GDPR or the processing is laid down by Union law or Member State law. The Guidelines will be submitted for public consultation. 


Finally, the Board adopted a letter in response to MEP Ďuriš Nicholsonová’s questions on data protection in the context of the fight against COVID-19. The letter addresses questions on the harmonisation and interoperability of contact tracing applications, the requirement of a DPIA for such processing and the duration for which processing may be put in place.


EDPB_Press Release_2020_12

Statement on the Court of Justice of the European Union Judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

The European Data Protection Board has adopted the following statement:

The EDPB welcomes the CJEU’s judgment, which highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. The CJEU’s decision is one of great importance. The European Data Protection Board (EDPB) has taken note of the fact that the Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, and of the fact that it considers Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries valid.

The EDPB discussed the Court’s ruling during its 34th plenary session of 17 July 2020.

With regard to the Privacy Shield, the EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment.

The EDPB identified in the past some of the main flaws of the Privacy Shield on which the CJEU grounds its decision to declare it invalid.

The EDPB questioned in its reports on the annual joint reviews of Privacy Shield the compliance with the data protection principles of necessity and proportionality in the application of U.S. law. (1)

The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.

While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.

If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

The CJEU’s judgment also recalls the importance for the exporter and importer to comply with their obligations included in the SCCs, in particular the information obligations in relation to change of legislation in the importer’s country. When those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs or to notify its competent supervisory authority if it intends to continue transferring data.

The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer.

The EDPB recalls that it issued guidelines on Art 49 GDPR derogations (2); and that such derogations must be applied on a case-by-case basis.

The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.

The EDPB and its European SAs stand ready, as stated by the CJEU, to ensure consistency across the EEA.

For the European Data Protection Board

The Chair

(Andrea Jelinek)

(1) See EDPB, EU-U.S. Privacy Shield - Second Annual Joint Review report here, and EDPB, EU-U.S. Privacy Shield - Third Annual Joint Review report here.

(2) EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, p. 3.

EDPB_Press Release_statement_2020_05

Belgian DPA imposes €600.000 fine on Google Belgium for not respecting the right to be forgotten of a Belgian citizen, and for lack of transparency in its request form to delist

The Belgian DPA just imposed a €600.000 fine on Google Belgium for not respecting the right to be forgotten of a Belgian citizen, and for lack of transparency in its request form to delist.

A Belgian citizen had requested the removal of links containing negative information about him. The request was refused by Google.

The Litigation Chamber of the Belgian DPA found that some of those links were needed in the public interest and should not be removed: the citizen indeed plays a role in public life and the links concerned a presumed relationship with a political party. The other links contained information that was outdated and unsubstantiated and could seriously damage the reputation of the citizen. The Belgian DPA considers that those links should therefore have been delisted by Google. For the Belgian DPA it is important to note that the facts of the case were clear, leaving Google no reasonable room to decide otherwise.

What’s more, Google lacked transparency in their delisting form, as well as in their response to the data subject.

For these reasons, the Belgian DPA decided to impose a fine of €600.000. This is the highest fine ever imposed by the Belgian DPA.

The Belgian DPA considers itself competent in this case, in part because Google argued that its main establishment in Europe (Google Ireland) was not responsible for delisting activities. The decision contains a detailed explanation of the responsibilities of the various establishments of Google.

The decision (currently only in French) is available here.


The President of the Personal Data Protection Office imposes a fine in cross-border proceedings

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15 000 on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks.

The fined company provides employment services in Poland and Germany, and a complaint against its actions was lodged by a German citizen because it processed his personal data for marketing purposes. The complaint was lodged with the German data protection authority competent for Rhineland-Palatinate, but it was taken over for consideration by the President of the UODO, who was the so-called lead authority in this case, because the company is established in Poland.

Within the framework of this proceeding, the President of the UODO sent three requests to the company to submit explanations. Two of them (correctly served and received by the company) remained unanswered. The company replied to one of the requests, but its explanations were incomplete and contradictory. In the opinion of the President of the UODO, they were manifestly insufficient to establish the facts of the case. Due to such conduct of the company, the President of the Personal Data Protection Office considered that it was intentionally impeding the course of the proceedings or at least ignoring its obligations related to cooperation with the supervisory authority. The President of the UODO therefore considered it necessary to initiate separate proceedings for the imposition of an administrative fine on it.

It was only in response to the notice of initiation of the proceedings that the company provided more extensive explanations, but they were incomplete and required further investigation. Therefore, the President of the Personal Data Protection Office considered that the company does not want to cooperate with it and does not fulfil the obligation – provided for in the GDPR – to provide it with access to personal data and other information necessary for the performance of its tasks, in this case for handling a complaint lodged by a German citizen.

When issuing the decision to impose an administrative fine on East Power Sp. z o.o. and determining its amount, the President of the UODO took into account as aggravating circumstances, among others, the seriousness of the breach (undermining the proper functioning of the personal data protection system specified by the GDPR), the intentional nature of the breach and the unsatisfactory degree of cooperation of the controller with the President of UODO in order to remedy the breach and mitigate its consequences.

Sanctions imposed by the President of the Personal Data Protection Office in the form of administrative fines are intended to discipline controllers and processors. Their disregard for their obligations related to cooperation with the President of the UODO leads to prolonging the proceedings conducted by it. In this way, it is difficult to exercise the rights of persons whose personal data are being violated.

The above situation occurs in the case of the fined company. By its actions, it makes it impossible to handle the complaint of a German citizen and to issue a decision by the President of the UODO determining the case relating to the complaint lodged.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

Belgian DPA imposed a fine of 1,000 EUR on an association that sent direct marketing messages to (former) donors for fundraising

The Belgian Data Protection Authority has imposed a fine of 1,000 EUR on an association that, on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for its fundraising. The administrative fine was imposed following a complaint lodged with the Belgian Data Protection Authority by a former donor of the association as the latter had not complied with the request for data erasure addressed by the data subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR.

The Litigation Chamber decided that the data controller thereby infringed Articles 6.1, 17.1, c) and d), 21.3 and 21.4 GDPR.

First of all, the Litigation Chamber found that the data controller did not comply with the data erasure request and the data subject's right to object. Secondly, the Litigation Chamber held that the association could not validly invoke its legitimate interest as a ground for the processing in the present case, since it did not meet the cumulative conditions imposed by the case law of the Court of Justice of the European Union - and in particular the Rigas judgment - in this respect. According to this case law, in order to invoke Article 6.1, f) GDPR, the controller must demonstrate that i) the interests pursued by the processing can be recognised as legitimate ("purpose test"); ii) the intended processing is necessary for the purposes of the intended processing ("necessity test"); and iii) the balancing of these interests against the fundamental rights and freedoms of the data subjects concerned weighs in favour of the controller or of a third party ("balancing test"). In the present case, the Litigation Chamber decided that the third condition of Article 6.1, f) GDPR and the case law of the Court of Justice was not fulfilled.

More specifically, the Litigation Chamber found that there were doubts as to whether the data subject could reasonably expect his data to be processed for direct marketing purposes years after the collection of these data (recital 47 GDPR). Moreover, the Litigation Chamber found that the data controller had not sufficiently facilitated the right of objection.

This decision implements the 2020-2025 Strategic Plan of the Belgian Data Protection Authority, of which 'direct marketing' is one of the priority strategic points. The Litigation Chamber also refers to Recommendation No 01/2020 of the Belgian DPA in this respect.

To read the full decision in Dutch, click here.

For further information, please contact the Belgian DPA: contact@apd-gba.be


EDPB publishes new register containing One-Stop-Shop decisions

The EDPB has published a new register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up until early June, LSAs had adopted 110 final OSS decisions. The register includes access to the decisions as well as summaries of the decisions in English prepared by the EDPB Secretariat. The register will be valuable to data protection practitioners, who will gain access to information showcasing how SAs work together to enforce the GDPR in practice. The information in the register has been validated by the LSAs in question, in accordance with the conditions provided by their national legislation.

The register is accessible here.

Temporary suspension of the Norwegian Covid-19 contact tracing app

The Norwegian Data Protection Authority has notified the Norwegian Institute of Public Health (NIPH) of its intention to impose a temporary ban on the processing of personal data in connection with the Smittestopp contact tracing mobile application. NIPH has now temporarily suspended all use of the app.
On Monday 15 June, NIPH announced that they have decided to suspend the app and erase all data until further notice, but that they will provide a formal response by 23 June, which is the date set by the Data Protection Authority. The notice entails a temporary ban on all collection of personal data by NIPH through the app.

Intervention no longer proportionate

“NIPH has chosen to suspend all collection and storage of data immediately. I hope they use the time left until 23 June well, both to document the benefits of the app and to make other necessary changes, so that they can resume use of it,” says Data Protection Authority Director-General Bjørn Erik Thon.

The basis for the notice is the Data Protection Authority’s assessment that the Smittestopp app can no longer be considered a proportionate intervention in the users’ fundamental rights to data protection.

“Smittestopp is a highly invasive measure in terms of data protection, even in these special circumstances, where our society is fighting a pandemic. We do not see the utility, given our current situation and the way the technical solution is designed and presently working,” Thon says.

Legality hinges on public benefit

Smittestopp is a digital solution for contact tracing. It can notify the user if they have been in close contact with people infected with Covid-19. By analysing anonymized and aggregated data of population movement patterns, NIPH will also evaluate infection control measures and monitor rates of transmission through society. Smittestopp collects large quantities of personal data about app users, including continuous location data and information about app users’ contact with others.

“Our notice does not mean that we can’t use technology and apps to fight this pandemic. However, the legality of Smittestopp hinges on its public benefit,” Thon says. “We have considered the solutions chosen for the Smittestopp app, the low proliferation of the app, with users accounting for approximately 14 percent of the population aged 16 and older, and the rates of infection in the general population. We have also taken into account the National Institute of Public Health’s release stating that the rate of infection is currently so low that it is difficult to validate that the app’s alerts are notifying the right people — not too many and not too few.”

Location data from GPS and Bluetooth

Currently, Smittestopp users cannot choose to provide personal data for contact tracing purposes without also agreeing to the data being used for analysis and research. These different purposes require different types of personal data. We question the lack of choice for the users. Several other European countries have developed contact tracing apps that rely solely on Bluetooth technology and that do not collect GPS-based location data. The World Health Organization (WHO) has also posted several publications related to digital proximity tracking for Covid-19 (example link).

“The European Data Protection Board has concluded that the use of location data in contact tracing is unnecessary and recommends the use of Bluetooth data only. We do not find that NIPH has sufficiently justified the need to use location data for contact tracing and await new information from NIPH on this issue,” Thon says.

Smittestopp currently only has contact tracing functionality in combination with notification in three test municipalities: Drammen, Trondheim and Tromsø.

“Also, no solution for anonymizing and aggregating data for analysis has yet been implemented. The app nevertheless continually collects personal data from all users,” Thon says.

Going forward

The Data Protection Authority has invited the National Institute of Public Health to a meeting on Friday 19 June to further discuss this matter. NIPH has until 23 June to provide a response to the order.

“There are many different things we need to discuss. The design of the request for approval and the use of GPS in contact tracing are central issues, but we also need to discuss the anonymization solution, which is not yet in place. A solution for how to handle requests for access will also be a topic for discussion. We need to see some specific changes on these important issues,” Thon says.

To read the press release in Norwegian, click here

For further information, please contact the Norwegian DPA: international@datatilsynet.no


Thirty-second Plenary Session: adopted documents

Belgian DPA fines controller for sending a direct marketing message to the wrong person and for not responding adequately to the subsequent request for access

The Belgian DPA has imposed a fine of 10 000 EUR on a controller for sending a direct marketing message to the wrong person and for not responding adequately to the data subject’s subsequent request for access to his data. The marketing message was sent to the plaintiff instead of to another person who had the same name but a different email address. This incorrect processing was due to human error. As a result, the plaintiff exercised his right of access, which did not run smoothly. The Belgian DPA established that the controller did not sufficiently answer the request of the plaintiff (Article 15 GDPR), did not respond within the deadline set by the GDPR (Article 12.3 GDPR) and was not sufficiently transparent (Article 12.1 GDPR). For these reasons, the Belgian DPA considers that the exercise of the rights of the plaintiff was not sufficiently facilitated, as required by Article 12.2 GDPR.

To read the full decision in French, click here

For further information, please contact the Belgian DPA contact@apd-gba.be


Co-operative housing association banned from using video surveillance in entrance and stairwell

The Swedish Data Protection Authority (DPA) has investigated a co-operative housing association’s use of video surveillance on its property. The DPA concludes that the association has gone too far when using video surveillance in the main entrance and the stairwell and when recording audio.

The Swedish DPA has received complaints claiming that a co-operative housing association monitors the stairwell in the association’s apartment building. The DPA has now finished an audit of the association.

The Swedish Data Protection Authority’s investigation shows that the association has four surveillance cameras installed. Two are located in the stairwell, one in the main entrance and one is directed towards a distribution box in the association’s storage room. All cameras record video and audio non-stop, 24 hours a day, 7 days a week.

For the two cameras set up in the stairwell, the Swedish Data Protection Authority notes that these allow the association to map the habits, visits and social circle of the residents. “Already the fact that the surveillance is of the residents and their home environment means that it requires very strong reasons for the monitoring to be allowed,” writes the authority in its decision.

– Under special circumstances, a co-operative housing association may monitor a stairwell. However, in order for such surveillance to be allowed, the association must be able to demonstrate a pressing need for such video surveillance and that has not been the case here, says Nils Henckel, legal advisor at the Swedish DPA.

The third camera is set up at the main entrance, and the association states that it is there to combat problems with vandalism, which it had experienced during two months in 2018. The Swedish DPA stresses the obligation to continuously review whether a need for video surveillance is still justified and concludes that no such need remained at the time of the decision.

As for the fourth camera, which is directed towards the distribution box, the DPA concludes that it must be re-directed so that it does not monitor the residents’ storage facilities.

Furthermore, the Swedish Data Protection Authority notes that audio recording constitutes an additional intrusion into the private sphere, in particular when recorded in a residential building, and that there are no circumstances that justify such an intrusion in this case.

The Swedish DPA also concludes that the association has failed to properly inform the residents about the video surveillance. The information lacked the identity of the data controller, where to turn for further detailed information, and the fact that audio is recorded, which is a particularly severe omission.

The Swedish Data Protection Authority orders the co-operative housing association to stop the video surveillance of the stairwell and entrance, to cease audio recording for the surveillance camera by the distribution box and to improve the information provided concerning the video surveillance. The Swedish Data Protection Authority furthermore issues an administrative fine of 20 000 Swedish kronor (approximately 2 000 euro) against the association. When calculating the amount of the fine, consideration was taken to the fact that it was a smaller co-operative housing association.

To read the press release in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se


Thirty-second plenary session: Statement on the interoperability of contact tracing applications, statement on the opening of borders and data protection rights, response letters to MEP Körner on laptop camera covers and encryption and letter to the Commi

During its 32nd plenary session, the EDPB adopted a statement on the interoperability of contact tracing apps, as well as a statement on the opening of borders and data protection rights. The Board also adopted two letters to MEP Körner - on encryption and on Article 25 GDPR - and a letter to CEAOB on PCAOB arrangements.

The EDPB adopted a statement on the interoperability of contact tracing applications, building on the EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The statement offers a more in-depth analysis of key aspects, including transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy in the context of creating an interoperable network of applications, that need to be considered on top of those highlighted in the EDPB Guidelines 04/2020.

The EDPB emphasises that the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential uptake. The goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary.

Moreover, contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic, such as testing and subsequent manual contact tracing for the purpose of improving effectiveness of the performed measures.

Ensuring interoperability is not only technically challenging and sometimes impossible without disproportionate trade-offs, but also leads to a potential increased data protection risk. Therefore, controllers need to ensure measures are effective and proportionate and must assess whether a less intrusive alternative can achieve the same purpose.

The EDPB adopted a statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak. The measures allowing a safe reopening of the borders currently envisaged or implemented by Member States include testing for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app. Most measures involve processing of personal data.

The EDPB recalls that data protection legislation remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. The EDPB stresses that the processing of personal data must be necessary and proportionate, and the level of protection should be consistent throughout the EEA. In the statement, the EDPB urges the Member States to take a common European approach when deciding which processing of personal data is necessary in this context.

The statement also addresses the GDPR principles that Member States need to pay special attention to when processing personal data in the context of reopening the borders. These include lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, security of data and data protection by design and by default. Moreover, the decision to allow entry into a country should not be based solely on automated individual decision-making technologies. In any case, such decisions should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Automated individual decision measures should not apply to children.

Finally, the EDPB highlights the importance of a prior consultation with competent national supervisory authorities when Member States intend to process personal data in this context.

The EDPB adopted a response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal data are transferred to countries where these bans exist. According to the EDPB, any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors, be that in a third country or in the EEA. Security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.

A second letter to MEP Körner addresses the topic of laptop camera covers. MEP Körner highlighted that this technology could help comply with the GDPR and suggested new laptops should be equipped with it. In its reply, the Board clarifies that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products and the GDPR does not establish legal obligations for manufacturers, unless they also act as controllers or processors. Controllers must evaluate the risks of each processing and choose the appropriate safeguards to comply with GDPR, including the privacy by design and by default enshrined in Article 25 GDPR.

Finally, the EDPB adopted a letter to the Committee of European Auditor Oversight Bodies (CEAOB). The EDPB received a proposal from the CEAOB, which gathers the national auditor oversight bodies at EU level, to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board (PCAOB). The EDPB welcomes this proposal and indicates that it is available to hold an exchange with the CEAOB to clarify any potential questions on data protection requirements related to such arrangements in light of the EDPB Guidelines 2/2020 on Art. 46 (2) (a) and 46 (3) (b) GDPR for transfers of personal data between EEA and non-EEA public authorities. The exchange could also involve the PCAOB if the CEAOB and its members deem it beneficial for their work on these arrangements.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

The agenda of the 32nd plenary is available here


Belgian DPA imposes fine of 1000 euro on a controller for not responding to a request to object to the processing of his data for marketing purposes

The Belgian DPA has imposed a fine of 1000 euro on a controller for not responding to a request from a citizen to object to the processing of his data for marketing purposes (article 15.3 GDPR), and for not collaborating with the authority (article 31 GDPR).

In a previous decision, the Belgian DPA had ordered the controller to meet the request of the plaintiff and to notify the Belgian DPA of the action taken on the request. The controller did not react to this injunction. When the controller was later asked why it had not complied with the injunction of the Belgian DPA, the controller demonstrated a cavalier attitude and a complete lack of interest in both the application of the GDPR and the procedure. For this attitude, as well as the established infringement of the right to object, the Belgian DPA eventually decided to impose a 1000 euro fine.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be


European Data Protection Board – 31st plenary session: Establishment of a task force on TikTok, response to Members of the European Parliament on the use of Clearview AI by law enforcement authorities, response to ENISA's advisory group, response to open letter from NOY

Brussels, 10 June – During its 31st plenary session, the EDPB decided to establish a task force to coordinate potential actions and to acquire a more comprehensive overview of TikTok's data processing and practices within the EU. The EDPB also adopted a letter on the use of Clearview AI by law enforcement authorities. In addition, the EDPB adopted a response to ENISA's advisory group and a letter in response to an open letter from NOYB.

The EDPB announced its decision to establish a task force to coordinate potential actions and to acquire a more comprehensive overview of TikTok's data processing and practices within the EU.

In response to MEP Körner's request regarding TikTok, the EDPB states that it has already issued guidelines and recommendations that should be taken into account by all controllers whose data processing falls under the GDPR, in particular with regard to the transfer of personal data to third countries, the substantive and procedural conditions for public authorities' access to personal data, or the application of the territorial scope of the GDPR, in particular with regard to the processing of minors' data. The EDPB recalls that the GDPR applies to a controller's processing of personal data where the processing relates to the offering of goods and services to data subjects in the Union, even if the controller is not established in the Union.

In its response to Members of the European Parliament on Clearview AI, the EDPB shared the concerns regarding certain developments in facial recognition technology. The EDPB recalls that, under the Law Enforcement Directive (EU) 2016/680, law enforcement authorities may process biometric data to identify natural persons only in accordance with the strict conditions of Articles 8 and 10 of the Directive.

The EDPB has doubts as to whether Union or Member State law provides a legal basis for the use of services of the kind offered by Clearview AI. At present, and without prejudice to future or ongoing investigations, it therefore cannot be established whether the use of such services by law enforcement authorities is lawful.

Without prejudice to further analysis on the basis of additional information provided, the EDPB therefore considers that the use of a service such as Clearview AI by EU law enforcement authorities is, as it stands, likely not consistent with the EU data protection regime.

Finally, the EDPB refers to its guidelines on the processing of personal data through video devices and announces that it will look more closely at the use of facial recognition technology by law enforcement authorities.

In its response to a letter from the European Union Agency for Cybersecurity (ENISA) requesting that the EDPB appoint a representative to ENISA's advisory group, the EDPB appointed Gwendal Le Grand, Deputy Secretary-General of the CNIL, as its representative. The advisory group assists ENISA's Executive Director in drawing up an annual work programme and in ensuring communication with relevant stakeholders.

The EDPB adopted a response to an open letter from NOYB on cooperation between supervisory authorities and the consistency procedures. In its letter, the EDPB points out that it has continuously worked to improve cooperation between supervisory authorities and the consistency procedures. The EDPB is aware that there are things that need to be improved, including differences in national administrative procedural law and practice, as well as the time and resources needed to resolve cross-border cases. The EDPB reiterates its commitment to finding solutions within its area of competence.

Note to editors:
Please note that all documents adopted during the EDPB plenary sessions are subject to the necessary checks of legal aspects, language and formatting, and will be published on the EDPB website once these checks have been completed.


Belgian Data Protection Authority imposed a fine of 5.000 EUR on local election candidate

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 5.000 EUR on a candidate in local elections for using the staff registry of a municipality to send election propaganda (in the form of a letter) to staff members. The Belgian municipality in question filed the complaint against the candidate.

The Litigation Chamber established the following elements:
- A legal person (in this case the municipality) is entitled to file a complaint with the DPA.
- Contrary to what was said by the defendant, the communication did not amount to normal communication between a municipal councillor, which the defendant was at the time, and municipal staff. The content of the letter sent shows that it was indeed election propaganda.
- A violation of Article 5, 1., b) (purpose limitation) occurred, considering that the staff register is not meant to be used for purposes other than the internal management of the municipality.
- The Litigation Chamber could find no legal basis for a lawful processing of data from the staff register and therefore also concluded that Articles 5, 1., a) and 6, 1 (lawfulness of processing) were violated.

The imposition of a fine of 5.000 EUR was based on previous similar decisions by the Litigation Chamber of the BE DPA, where it had found that further processing of data gathered for municipal purposes with the intent of using them for political propaganda violated the principles of lawful processing and of purpose limitation.

The Litigation Chamber also considers that the defendant’s other positions in public service should have led him to a greater respect for the rules on electoral campaigning, which include data protection rules.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Thirty-first Plenary session: Establishment of a taskforce on TikTok, Response to MEPs on use of Clearview AI by law enforcement authorities, Response to ENISA Advisory Group, Response to Open Letter NOYB

During its 31st plenary session, the EDPB decided to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU, and adopted a letter with regard to the use of Clearview AI by law enforcement authorities. In addition, the EDPB adopted a response to the ENISA advisory group and a letter in response to an Open Letter from NOYB.

The EDPB announced its decision to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU.

In response to MEP Körner’s request regarding TikTok, the EDPB indicates that it has already issued guidelines and recommendations that should be taken into account by all data controllers whose processing is subject to the GDPR, in particular when it comes to the transfer of personal data to third countries, substantive and procedural conditions for access to personal data by public authorities or the application of the GDPR territorial scope, in particular when it comes to the processing of minors’ data. The EDPB recalls that the GDPR applies to the processing of personal data by a controller, even if it is not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union.

In its response to MEPs regarding Clearview AI, the EDPB shared its concerns regarding certain developments in facial recognition technologies. The EDPB recalls that under the Law Enforcement Directive (EU) 2016/680, law enforcement authorities may process biometric data for the purpose of uniquely identifying a natural person only in accordance with the strict conditions of Articles 8 and 10 of the Directive.

The EDPB has doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI. Therefore, as it stands and without prejudice to any future or pending investigation, the lawfulness of such use by EU law enforcement authorities cannot be ascertained.

Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.

Finally, the EDPB refers to its guidelines on the processing of personal data through video devices and announces upcoming work on the use of facial recognition technology by law enforcement authorities.

In response to a letter from the European Union Agency for Cybersecurity (ENISA) requesting that the EDPB nominate a representative to the ENISA Advisory group, the Board appointed Gwendal Le Grand, Deputy Secretary-General CNIL, as representative. The Advisory Group assists the Executive Director of ENISA with drawing up an annual work programme and ensuring communication with the relevant stakeholders.

The EDPB adopted a response to an Open Letter by NOYB regarding cooperation between the Supervisory Authorities and the consistency procedures. In its letter, the Board indicates it has been working constantly on the improvement of the cooperation between the Supervisory Authorities and the consistency procedures. The Board is aware that there are issues requiring improvement, such as the differences in national administrative procedural laws and practices, together with the time and resources needed to resolve cross-border cases. The Board reiterates it is committed to finding solutions, where these lie within its competence.

The agenda of the 31st plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

The Spanish Data Protection Authority fined the company Iberdrola 4,000 euros for not responding to a request for information

A sanction procedure was opened for failure to respond to a request for information made in order to investigate the facts identified in a complaint. The complainant had requested the removal of his data from a debtors' file (Asnef), where it had been recorded on the basis of an alleged debt to the energy supply company Iberdrola.

The complaint was forwarded to Iberdrola, which was required to send the AEPD the information and documents requested in the letter. After no response was received, the complaint was admitted.

Investigations were then carried out and the entity was again required to report on the facts complained of. This new request was also left unanswered. In short, Iberdrola had not provided the information required and consequently hindered the investigative powers that every supervisory authority has, infringing Article 58.1 of the GDPR.

This infringement is typified in Article 83.5(e) of the GDPR and is classified as very serious for limitation-period purposes. It was also taken into account that Iberdrola is a large undertaking, not newly created, and therefore should have established procedures for fulfilling its obligations under the data protection regulations, including providing any information required by the supervisory authority. For this reason, it was sanctioned with 5,000 euros, reduced to 4,000 euros as it benefited from the voluntary payment reduction provided for in the Spanish Procedure Law.

To read the full decision in Spanish, click here

For further information, please contact the Spanish DPA: prensa@aepd.es

