Datainspektionen på Åland

Datainspektionen på Åland is responsible for data protection in the public administration on Åland. Datainspektionen in Sweden changed its name at the turn of the year and is now called Integritetsskyddsmyndigheten. See imy.se for details.

European Data Protection Board

EDPB adopted documents - 26th, 28th and 30th plenary

Finnish DPA imposes administrative fine for several deficiencies in personal data processing

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine on Taksi Helsinki Oy for violations of data protection legislation on 26 May. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.

The Office of the Data Protection Ombudsman started an investigation on Taksi Helsinki’s personal data processing in November 2019. Serious deficiencies were found in the company’s processing of personal data.

The impact of the processing had not been assessed in accordance with data protection legislation.

Taksi Helsinki replaced its camera surveillance system with one that records both video and audio in the summer of 2019. However, the company did not assess the compliance of the related personal data processing with the GDPR.

The Deputy Data Protection Ombudsman ordered the company to conduct a balancing test to evaluate, for example, the necessity of the personal data processing and its impact on the interests and rights of the data subjects.

Taksi Helsinki also failed to conduct the impact assessments required by the GDPR before the start of processing. Data protection impact assessments would have been required for security camera surveillance, location data processing and automated decision-making and profiling connected to the company’s loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to carry out the required impact assessments.

No basis given for processing audio data

Taksi Helsinki reported that it processed the personal data of drivers, staff and the customers of its drivers with a camera surveillance system that records both video and audio. However, the company did not provide an explanation for why it only processed audio data from some of its taxis. The company later stated that the audio data had been processed by mistake.

The Deputy Data Protection Ombudsman found that the processing of audio data was not in line with the GDPR’s principle of data minimisation. She ordered Taksi Helsinki to ensure that the processing of audio data without appropriate grounds is stopped immediately.

Problems with basic data protection issues

The Deputy Data Protection Ombudsman’s investigation also revealed that Taksi Helsinki did not inform data subjects of the processing of their personal data in the manner required by data protection legislation. The notifications in the taxis did not say anything about audio recording or indicate from where customers could obtain information on it.

Neither did the company’s privacy statement contain information on the automated decision-making and profiling performed in its loyalty scheme. The Deputy Data Protection Ombudsman ordered the company to change its policies for informing customers to provide clear information on its processing of personal data. The information must also be easily accessible.

Deficiencies related to documentation and the definition of personal data processing roles were also discovered in the investigation. The Deputy Data Protection Ombudsman ordered Taksi Helsinki to rectify its procedures.

Administrative fine imposed

Several serious shortcomings in the identification of risks, compliance with data protection principles and implementation of the rights of data subjects were identified in Taksi Helsinki’s processing of personal data.

The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. This amount was proportionate, effective and cautionary in the assessment of the board.  

The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.

To read the full decisions in Finnish, click here.

For further information, please contact the Finnish DPA: tietosuoja(at)om.fi

The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and his two Deputy Data Protection Ombudsmen and has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

European Data Protection Board – 30th plenary session: EDPB response to non-governmental organisations on Hungarian decrees and statement on Article 23 GDPR

Brussels, 3 June – During its 30th plenary session, the European Data Protection Board adopted a statement on data subject rights in connection with the state of emergency in certain Member States. The Board also adopted a letter in response to a letter from the Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union (HCLU) regarding the Hungarian Government’s Decree 179/2020 of 4 May.

The Board recalls that, even in these exceptional times, the protection of personal data must be upheld in all emergency measures and contribute to respect for the overarching values of democracy, the rule of law and fundamental rights on which the Union is founded.

In both the statement and the letter, the Board reiterates that the GDPR remains applicable and makes it possible to act effectively against the pandemic while protecting fundamental rights and freedoms. Data protection legislation already enables the data processing required to contribute to the fight against the COVID-19 pandemic.

The statement highlights the main principles for restrictions on data subject rights in connection with the state of emergency in force in certain Member States.

  • Restrictions which, by their general, extensive or intrusive nature, cause a fundamental right to lose its essential content cannot be justified.
  • Under certain conditions, Article 23 GDPR allows national legislators to restrict, by way of a legislative measure, the scope of the obligations of controllers and processors and the rights of data subjects, where such a restriction respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, including in particular public health.
  • Data subject rights are at the core of the fundamental right to data protection, and when interpreting and reading Article 23 GDPR it should be borne in mind that these rights should apply as the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances.
  • Restrictions must be provided for by law, and that law should be sufficiently clear for citizens to understand the conditions under which controllers are empowered to use them. Furthermore, restrictions must be foreseeable for the persons subject to them. Restrictions introduced without a clear time limit, which apply retroactively or whose conditions have not been defined in more detail, do not meet the foreseeability criterion.
  • The existence of a pandemic or other emergency situation is not in itself a sufficient reason to provide for any kind of restriction on data subject rights. On the contrary, every restriction must clearly contribute to safeguarding an important objective of general public interest of the EU or of a Member State.
  • The state of emergency introduced in connection with the pandemic is a legal condition which may legitimise restrictions on data subject rights, provided that these restrictions apply only where strictly necessary and proportionate to safeguard the public health objective. Restrictions must therefore be strictly limited in scope and time, since data subject rights can be restricted but not denied. In addition, the guarantees provided for in Article 23(2) GDPR must apply in full.
  • Restrictions adopted in connection with a state of emergency which suspend or postpone the application of data subject rights and the obligations of controllers and processors, without any clear time limit, would in practice mean that these rights are suspended entirely and would not be compatible with the essence of the fundamental rights and freedoms.

Furthermore, the Board has announced that it will issue guidelines on the application of Article 23 GDPR in the coming months.

Note to editors:

Please note that all documents adopted during the European Data Protection Board’s plenary sessions are subject to the necessary legal, linguistic and formatting checks and will be published on the Board’s website once these checks have been completed.

Thirtieth Plenary session: EDPB response to NGOs on Hungarian Decrees and statement on Article 23 GDPR

During its 30th plenary session, the EDPB adopted a statement on data subject rights in connection to the state of emergency in Member States. The Board also adopted a letter in response to a letter from Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union (HCLU) regarding the Hungarian Government’s Decree 179/2020 of 4 May.

The EDPB recalls that, even in these exceptional times, the protection of personal data must be upheld in all emergency measures, thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded.

In both the statement and the letter the EDPB reiterates that the GDPR remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law already enables data-processing operations necessary to contribute to the fight against the COVID-19 pandemic.

The statement recalls the main principles related to the restrictions on data subject rights in connection to the state of emergency in Member States:

•    Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified.
•    Under specific conditions, Article 23 GDPR allows national legislators to restrict via a legislative measure the scope of the obligations of controllers and processors and the rights of data subjects when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, such as in particular public health.
•    Data subject rights are at the core of the fundamental right to data protection and Article 23 GDPR should be interpreted and read bearing in mind that their application should be the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances.
•    Restrictions must be provided for ‘by law’, and the law establishing restrictions should be sufficiently clear as to allow citizens to understand the conditions in which controllers are empowered to resort to them. Additionally, restrictions must be foreseeable for persons subject to them. Restrictions imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
•    The mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.  
•    The emergency state, adopted in a pandemic context, is a legal condition, which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as it is strictly necessary and proportionate in order to safeguard the public health objective. Thus, restrictions must be strictly limited in scope and in time, since data subject rights can be restricted but not denied. Additionally, the guarantees provided for under Article 23(2) GDPR must fully apply.
•    Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent to data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.

Furthermore, the EDPB announced it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months.

The agenda of the 30th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Finnish DPA imposed three administrative fines for data protection violations

The Office of the Data Protection Ombudsman’s sanctions board imposed administrative fines on three companies for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.

Deficiencies in information provided in connection with change-of-address notifications

The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, which is the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object to the disclosure of data, in connection with making change-of-address notifications.

The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had submitted such notifications only to customers who bought additional services in addition to making the change-of-address notification.
Posti had notified the Data Protection Ombudsman that it would look into possibilities for improving the transparency of personal data processing already in 2017. The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.

The sanctions board imposed an administrative fine of EUR 100,000 on Posti Oy.

The data protection impact assessment on the processing of employee location data had been neglected

The second decision concerned a complaint made to the Data Protection Ombudsman about how Kymen Vesi Oy processed the location data of its employees by tracking vehicles with a vehicle information system. The controller had not made the impact assessment required by the GDPR before starting to process the location data. The location data was used for monitoring working hours, among other things.

A data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment is necessary, for example, if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring. A description of the situations in which a data protection impact assessment of the processing of location data is required can be found on the Data Protection Ombudsman’s website.
The sanctions board imposed an administrative fine of EUR 16,000 on Kymen Vesi Oy.

Job applicants’ personal data was collected unnecessarily

In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.

The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.
The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of EUR 12,500 on the company.

The decisions are not final since they can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.

Sanctions must be proportionate, efficient and cautionary

This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or EUR 20 million.
The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, with the Data Protection Ombudsman serving as chairman. The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act.

To read the full decisions in Finnish, click here

For further information, please contact the Finnish DPA: reijo.aarnio(at)om.fi


European Data Protection Board – 28th plenary session: Opinion under Article 64 GDPR on draft standard contractual clauses submitted by the Slovenian supervisory authority, decision on a publication register under Article 60 of

Brussels, 20 May – During its 28th plenary session, the European Data Protection Board adopted an opinion under Article 64 GDPR on the draft standard contractual clauses submitted by the Slovenian supervisory authority and decided on the publication of a register containing decisions taken under the one-stop-shop mechanism.

The European Data Protection Board adopted its opinion on the draft standard contractual clauses for contracts between controllers and processors submitted to the Board by the Slovenian supervisory authority. The opinion aims to ensure the consistent application of Article 28 GDPR, under which controllers and processors must enter into a contract or other legal act setting out the parties’ respective obligations. Under Article 28(6) GDPR, these contracts or other legal acts may be based, in whole or in part, on standard contractual clauses adopted by a supervisory authority. In the opinion, the Board makes several recommendations that may need to be taken into account for these draft clauses to be regarded as standard contractual clauses. If all recommendations are implemented, the Slovenian supervisory authority will be able to adopt this draft agreement as standard contractual clauses in accordance with Article 28(8) GDPR.

The Board will publish on its website a register of decisions taken by the national supervisory authorities under the cooperation procedure within the one-stop-shop mechanism (Article 60 GDPR).

Under the GDPR, supervisory authorities are obliged to cooperate in cases involving several countries in order to ensure that the regulation is applied consistently – the so-called one-stop-shop mechanism. Within the one-stop shop, the lead supervisory authority is responsible for preparing the draft decisions and cooperates with the supervisory authorities concerned in order to reach consensus. By the end of April 2020, lead supervisory authorities had adopted 103 final decisions under the one-stop-shop mechanism. The European Data Protection Board intends to publish summaries in English prepared by its Secretariat. The information will be published after validation by the lead supervisory authority and in accordance with the conditions laid down in national legislation.

Note to editors:

Please note that all documents adopted during the European Data Protection Board’s plenary sessions are subject to the necessary legal, linguistic and formatting checks and will be published on the Board’s website once these checks have been completed.

EDPB_Press Release_2020_08

Twenty-eighth Plenary session: Art. 64 GDPR Opinion on draft SCCs submitted by the SI SA, Publication register of Art. 60 GDPR (OSS) Decisions

Brussels, 20 May - During its 28th EDPB plenary session, the EDPB adopted an Art. 64 GDPR opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing ‘one-stop-shop’ decisions.

The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority. The opinion aims to ensure the consistent application of Article 28 GDPR, which imposes an obligation on controllers and processors to enter into a contract or other legal act stipulating the parties’ respective obligations. According to Article 28(6) GDPR, these contracts or other legal acts may be based, in whole or in part, on standard contractual clauses adopted by a Supervisory Authority. In the opinion, the Board makes several recommendations that need to be taken into account in order for these draft SCCs to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Slovenian SA will be able to adopt this draft agreement as Standard Contractual Clauses pursuant to Article 28(8) GDPR.

The EDPB will publish a register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up to end of April 2020, LSAs have adopted 103 final OSS decisions. The EDPB intends to publish summaries in English prepared by the EDPB Secretariat. The information will be made public after the validation of the LSA in question and in accordance with the conditions provided by its national legislation.

The agenda of the 28th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Fine proposed for Danish recruitment company

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed. The company had erased personal data subject to the access request of a data subject during the period after the request was submitted and prior to the company's reply. The Data Protection Authority became aware of the case on the basis of a complaint.

Good data processing

“Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review, by the Data Protection Authority and the Courts, of the data subject’s right of access. This is a violation of the citizen’s fundamental rights and is not an example of good data processing,” says Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority.

Fine proposal

The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

It is the view of the Danish Data Protection Agency that a breach of the fundamental principles of the regulation concerning processing security by a company, in a case such as the one in question, cannot in principle be penalised by a fine lower than DKK 50.000 if the regulation’s basic requirement of effective and dissuasive penalties is to be met at the same time. At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

In most European countries, national data protection authorities can issue administrative fines themselves, but the rules are different in, inter alia, Denmark.

After having clarified and assessed the case, the Data Protection Authority (DPA) reports the data controller to the police. The police then consider whether there are grounds for bringing a charge, and finally any financial penalty is decided by a court.



Wrongful to publish sensitive personal data on Region Örebro County’s website

The Swedish Data Protection Authority’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

The Swedish Data Protection Authority received a complaint against the Healthcare Committee in Region Örebro County, in which it was claimed that sensitive personal data about a patient admitted to a forensic psychiatry clinic had been published on the region’s website.

“Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region’s website,” says Elin Hallström, Legal Advisor at the Swedish Data Protection Authority.

The Swedish Data Protection Authority’s audit shows that there are no written instructions in place relating to the publication of documents and personal data on the website. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed, which led to the accidental publication of the document, suggesting that the Committee had not taken sufficient organisational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

“For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publish personal data on the region’s website do so in accordance with the set instructions.”

In its decision, the Swedish Data Protection Authority also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

The Swedish Data Protection Authority orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   


EDPB adopts letter on Polish presidential elections data disclosure & discusses recent Hungarian government decrees in relation to the coronavirus during the state of emergency

During its 26th plenary session, the EDPB adopted a letter in response to requests from MEPs Metsola and Halicki regarding the Polish presidential elections taking place via postal vote. Additionally, an exchange of information took place on the recent Hungarian government decrees in relation to the coronavirus during the state of emergency.

In its response to the MEPs Metsola and Halicki, the EDPB indicates that it is aware that data of Polish citizens was sent from the national PESEL (personal identification) database to the Polish Post by one of the Polish ministries and acknowledges that this issue requires special attention.

The Board underlines that, according to the GDPR, personal data, such as names and addresses, and national identification numbers (such as the Polish PESEL ID), must be processed lawfully, fairly and in a transparent manner, for specified purposes only. Public authorities may disclose information on individuals included in electoral lists, but only when this is specifically authorised by Member State law. The EDPB underlined that the disclosure of personal data – from one entity to another – always requires a legal basis in accordance with EU data protection laws. As previously indicated in the EDPB statement on the use of personal data in political campaigns (2/2019), political parties and candidates - but also public authorities, particularly those responsible for public registers - must stand ready to demonstrate how they have complied with data protection principles. The EDPB also underlined that, where elections are conducted by the collection of postal votes, it is the responsibility of the state to ensure that specific safeguards are in place to maintain the secrecy and integrity of the personal data concerning political opinions.

EDPB Chair, Andrea Jelinek, added: “Elections form the cornerstone of every democratic society. That is why the EDPB has always dedicated special attention to the processing of personal data for election purposes. We encourage data controllers, especially public authorities, to lead by example and process personal data in a manner which is transparent and leaves no doubt regarding the legal basis for the processing operations, including disclosure of data.”

However, the EDPB stresses that enforcement of the GDPR lies with the national supervisory authorities. The EDPB is not a data protection supervisory authority in its own right and, as such, does not have the same competences, tasks and powers as the national supervisory authorities. In the first instance, the assessment of alleged GDPR infringements falls within the competence of the responsible and independent national supervisory authority. Nevertheless, the EDPB will continue to pay special attention to the developments of personal data processing in connection to democratic elections and remains ready to support all members of the Board, including the Polish Supervisory Authority, in such matters.

During the plenary, the Hungarian Supervisory Authority provided the Board with information on the legislative measures the Hungarian government has adopted in relation to the coronavirus during the state of emergency. The Board considers that further explanation is necessary and has thus requested that the Hungarian Supervisory Authority provides further information on the scope and the duration, as well as the Hungarian Supervisory Authority’s opinion on the necessity and proportionality of these measures. The Board will discuss this further during its plenary session next Tuesday.

The agenda of the 26th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

The Swedish Data Protection Authority issues fine against the National Government Service Centre

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

The Data Protection Authority (DPA) initiated an investigation against the National Government Service Centre (NGSC) upon having received a number of personal data breach notifications concerning an error in the IT system for salary administration. The error entailed the possibility of unauthorised access to personal data of both personnel of authorities using the system and of the personnel of the NGSC.

- Our investigation shows that it has taken too long for the NGSC to inform the concerned parties about the error and furthermore that the NGSC has failed to report the personal data breach to the DPA in due time. The documentation of the breach, as required under the GDPR, was also found incomplete with regards to the NGSC’s personnel and their data, says Elin Hallström, legal advisor, who has been leading the DPA’s audit.

The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification. For comparison, the GDPR requires a processor to notify the controller without undue delay after becoming aware of a breach (Article 33(2)), and the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours (Article 33(1)).

- When a data breach of this kind is discovered by a processor such as the NGSC in this case, it is important to inform the controllers as soon as possible so that they can report the breach to the DPA and take further actions to mitigate any related risks. The NGSC has failed to act in time.

In its decision the DPA orders the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are followed. Together with this order the DPA imposes an administrative fine on the NGSC totalling 200,000 Swedish kronor.

The National Government Service Centre coordinates the administration of government agencies by offering administrative support services to other government agencies. It offers basic services in the areas of salary administration, financial administration and eCommerce.

To read the press release in Swedish, click here
To read the full decision in Swedish, click here
For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   


Twenty-fourth Plenary Session: adopted documents

Twenty-fourth Plenary session: EDPB doubles down on COVID-19 guidance in newly adopted letters

During its 24th plenary session, the EDPB adopted three letters, reinforcing several elements from its earlier guidance on data protection in the context of fighting the COVID-19 outbreak.

In reply to a letter from the United States Mission to the European Union, the EDPB looks into transfers of health data for research purposes, enabling international cooperation for the development of a vaccine. The US Mission enquired into the possibility of relying on a derogation under Art. 49 GDPR to enable international data flows.

The EDPB tackled this topic in detail in its recently adopted guidelines (03/2020) on the processing of health data for scientific research. In its letter, the EDPB reiterates that the GDPR allows for collaboration between EEA and non-EEA scientists in the search for vaccines and treatments against COVID-19, while simultaneously protecting fundamental data protection rights in the EEA.

When data are transferred outside of the EEA, solutions that guarantee the continuous protection of data subjects’ fundamental rights, such as adequacy decisions or appropriate safeguards (included in Article 46 GDPR) should be favoured, according to the EDPB.  

However, the EDPB considers that the fight against COVID-19 has been recognised by the EU and Member States as an important public interest, as it has caused an exceptional sanitary crisis of an unprecedented nature and scale. This may require urgent action in the field of scientific research, necessitating transfers of personal data to third countries or international organisations.
 
In the absence of an adequacy decision or appropriate safeguards, public authorities and private entities may also rely upon the derogations set out in Article 49 GDPR.

Andrea Jelinek, the Chair of the EDPB, said: “The global scientific community is racing against the clock to develop a COVID-19 vaccine or treatment. The EDPB confirms that the GDPR offers tools giving the best guarantees for international transfers of health data and is flexible enough to offer faster temporary solutions in the face of the urgent medical situation.”

The EDPB also adopted a response to a request from MEPs Lucia Ďuriš Nicholsonová and Eugen Jurzyca.

The EDPB replies that data protection laws already take into account data processing operations necessary to contribute to fighting an epidemic, therefore - according to the EDPB - there is no reason to lift GDPR provisions, but to observe them. In addition, the EDPB refers to the guidelines on the issues of geolocation and other tracing tools, as well as the processing of health data for research purposes in the context of the COVID-19 outbreak.

Andrea Jelinek, Chair of the EDPB, added: “The GDPR is designed to be flexible. As a result, it can enable an efficient response to support the fight against the pandemic, while at the same time protecting fundamental human rights and freedoms. When the processing of personal data is necessary in the context of COVID-19, data protection is indispensable to build trust, to create the conditions for social acceptability of any possible solution and, therefore, to guarantee the effectiveness of these measures”.

The EDPB received two letters from Sophie In 't Veld MEP, raising a series of questions regarding the latest technologies that are being developed in order to fight the spread of COVID-19.

In its reply, the EDPB refers to its recently adopted guidelines (04/2020) on the use of location data and contact tracing apps, which highlight – among other elements - that such schemes should have a voluntary nature, use the least amount of data possible, and should not trace individual movements, but rather use proximity information of users.

The agenda of the 24th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

European Data Protection Board - Twenty-third Plenary session: EDPB adopts further COVID-19 guidance

During its 23rd plenary session, the EDPB adopted guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak and guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.

The  guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak aim to shed light on the most urgent legal questions concerning the use of health data, such as the legal basis of processing, further processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.

The guidelines state that the GDPR contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic, in particular relating to consent and to the respective national legislations. The GDPR foresees the possibility to process certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.

In addition, the guidelines address legal questions concerning international data transfers involving health data for research purposes related to the fight against COVID-19, in particular in the absence of an adequacy decision or other appropriate safeguards.  

Andrea Jelinek, Chair of the EDPB, said: “Currently, great research efforts are being made in the fight against COVID-19. Researchers hope to produce results as quickly as possible. The GDPR does not stand in the way of scientific research, but enables the lawful processing of health data to support the purpose of finding a vaccine or treatment for COVID-19”.

The guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes:
1. using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
2. using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.

The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their efforts to monitor and contain the spread of COVID-19. The general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.

The EDPB stands by and underlines the position expressed in its letter to the European Commission (14 April) that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users.

Dr. Jelinek added: “Apps can never replace nurses and doctors. While data and technology can be important tools, we need to keep in mind that they have intrinsic limitations. Apps can only complement the effectiveness of public health measures and the dedication of healthcare workers that is necessary to fight COVID-19. At any rate, people should not have to choose between an efficient response to the crisis and the protection of fundamental rights.”

In addition, the EDPB adopted a guide for contact tracing apps as an annex to the guidelines. The purpose of this guide, which is non-exhaustive, is to provide general guidance to designers and implementers of contact tracing apps, underlining that any assessment must be carried out on a case-by-case basis.
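The design principle that the 24th-plenary letter, the geolocation guidelines and the annex for app designers all return to, proximity information rather than tracing of individual movements and as little data as possible, is illustrated below with a deliberately simplified decentralised matching scheme. This is an added example written for this page, not code from the EDPB annex or from any national contact tracing app; the ten-minute identifier rotation, the 15-minute exposure threshold, the SHA-256 derivation of identifiers and the constructed encounters are all assumptions. Phones broadcast short-lived random identifiers and record the identifiers they hear; only a diagnosed user's own per-day seeds are published, and each phone decides locally whether it was exposed. No location is recorded at any point.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed parameters (not from the EDPB guidelines): an identifier is broadcast for
# ten minutes before rotating, giving 144 identifiers per day, and 15 minutes of
# cumulative proximity to a confirmed case counts as an exposure.
EPOCH_SECONDS = 600
EPOCHS_PER_DAY = 24 * 3600 // EPOCH_SECONDS
EXPOSURE_THRESHOLD_SECONDS = 900


def derive_ephemeral_ids(daily_seed: bytes, day: int) -> list[bytes]:
    """Derive the rotating identifiers a phone broadcasts on one day from a per-day seed.

    Anyone holding the seed can recompute the identifiers; nobody who only heard an
    identifier can link it to the seed, to the other identifiers, or to a person.
    """
    return [
        hashlib.sha256(daily_seed + day.to_bytes(2, "big") + i.to_bytes(2, "big")).digest()[:16]
        for i in range(EPOCHS_PER_DAY)
    ]


@dataclass
class Device:
    """One phone: its own secret seeds plus a log of identifiers it heard nearby."""

    name: str
    seeds: dict[int, bytes] = field(default_factory=dict)          # day -> seed, never leaves the phone
    heard: list[tuple[bytes, int]] = field(default_factory=list)   # (identifier heard, seconds in range)

    def broadcast_ids(self, day: int) -> list[bytes]:
        seed = self.seeds.setdefault(day, secrets.token_bytes(16))
        return derive_ephemeral_ids(seed, day)

    def hear(self, ephemeral_id: bytes, seconds: int) -> None:
        # Only the identifier and the contact duration are stored: no time of day, no place.
        self.heard.append((ephemeral_id, seconds))

    def report_positive(self, days: list[int]) -> list[tuple[int, bytes]]:
        # Voluntary upload by a diagnosed user: their own seeds for the infectious window.
        return [(d, self.seeds[d]) for d in days if d in self.seeds]

    def check_exposure(self, published: list[tuple[int, bytes]]) -> tuple[bool, int]:
        # Runs on the phone: expand published seeds, sum contact time with matching identifiers.
        exposed_ids: set[bytes] = set()
        for day, seed in published:
            exposed_ids.update(derive_ephemeral_ids(seed, day))
        total = sum(seconds for eid, seconds in self.heard if eid in exposed_ids)
        return total >= EXPOSURE_THRESHOLD_SECONDS, total


def simulate() -> dict[str, tuple[bool, int]]:
    """Constructed scenario: Alice is later diagnosed; Bob and Carol were near her on day 5."""
    day = 5
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    alice_ids = alice.broadcast_ids(day)
    bob_ids = bob.broadcast_ids(day)
    # Bob and Alice are within range for two full ten-minute epochs; Carol hears Alice for
    # five minutes of a single epoch. Both phones record what they heard.
    bob.hear(alice_ids[40], EPOCH_SECONDS)
    bob.hear(alice_ids[41], EPOCH_SECONDS)
    alice.hear(bob_ids[40], EPOCH_SECONDS)
    alice.hear(bob_ids[41], EPOCH_SECONDS)
    carol.hear(alice_ids[90], 300)
    published = alice.report_positive([day])      # the only data that leaves Alice's phone
    return {"bob": bob.check_exposure(published), "carol": carol.check_exposure(published)}


if __name__ == "__main__":
    for name, (exposed, seconds) in simulate().items():
        print(f"{name}: exposed={exposed} ({seconds} s of proximity to a confirmed case)")
```

Real deployments additionally use Bluetooth signal attenuation to estimate distance, delete the contact log after the infectious period has passed, and authenticate the upload with a code issued by the health authority so that nobody can flood the system with false reports; all three are omitted here to keep the matching logic visible.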

Both sets of guidelines will exceptionally not be submitted for public consultation due to the urgency of the current situation and the necessity to have the guidelines readily available.

The agenda of the 23rd plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Twenty-first plenary session of the European Data Protection Board - Letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic

Wednesday, 15 April, 2020 - Following a request for consultation from the European Commission, the European Data Protection Board adopted a letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic. This Guidance on data protection and privacy implications complements the European Commission’s Recommendation on apps for contact tracing, published on 8 April and setting out the process towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.
 
Andrea Jelinek, Chair of the EDPB, said: “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”
 
In its letter, the EDPB specifically addresses the use of apps for the contact tracing and warning functionality, because this is where increased attention must be paid in order to minimise interferences with private life while still allowing data processing with the goal of preserving public health.
 
The EDPB considers that the development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms. In addition, the source code should be made publicly available for the widest possible scrutiny by the scientific community.
 
The EDPB strongly supports the Commission’s proposal for a voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility.
 
Finally, the EDPB underlined the need for the Board and its Members, which are in charge of advising on and ensuring the correct application of the GDPR and the ePrivacy Directive, to be fully involved in the whole process of elaboration and implementation of these measures. The EDPB recalls that it intends to publish Guidelines in the upcoming days on geolocation and tracing tools in the context of the COVID-19 outbreak.

The EDPB’s letter is available here: https://edpb.europa.eu/letters_en
 
The agenda of the 21st plenary session is available here: https://edpb.europa.eu/our-work-tools/agenda/2020_en#agenda_490

Twentieth plenary session of the European Data Protection Board - scope of upcoming guidance on data processing in the fight against COVID-19

During the 20th plenary session, the European Data Protection Board assigned concrete mandates to its expert subgroups to develop guidance on several aspects of data processing in the fight against COVID-19. This follows the decision made last Friday during the EDPB's 19th plenary session. The EDPB will issue guidance on the following topics:

1. geolocation and other tracing tools in the context of the COVID-19 outbreak – a mandate was given to the technology expert subgroup for leading this work;
2. processing of health data for research purposes in the context of the COVID-19 outbreak – a mandate was given to the compliance, e-government and health expert subgroup for leading this work.

Considering the high priority of these two topics, the EDPB decided to postpone, for the time being, its guidance work on teleworking tools and practices in the context of the COVID-19 outbreak.

Andrea Jelinek, Chair of the EDPB, said: “The EDPB will move swiftly to issue guidance on these topics within the shortest possible notice to help make sure that technology is used in a responsible way to support and hopefully win the battle against the corona pandemic. I strongly believe data protection and public health go hand in hand."

The agenda of the 20th plenary session is available here

Fine imposed for preventing the Supervisory Authority from performing an inspection

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation, a telemarketing company with its registered seat in Katowice, for making it impossible to conduct an inspection. In addition, the company's owner faces criminal liability for this.

The President of the Personal Data Protection Office (UODO) decided to carry out inspection activities at the penalised company following findings made during another inspection, performed at a company conducting telemarketing activities. That inspection established that the company had a cooperation contract with Vis Consulting Sp. z o.o. for the outsourcing of telemarketing services. The supervisory authority therefore found it necessary to inspect the entity that actually made the telephone calls and processed the data.

Despite prior notification of the planned inspection, the UODO's inspectors found nobody at the address entered in the National Court Register (KRS). The only occupant at that address was a company that leased office space to Vis Consulting Sp. z o.o. (a so-called virtual office).

The inspectors did, however, manage to contact Vis Consulting by telephone, and its representative stated that the inspection would not take place.
The President of the UODO therefore concluded that the company had no intention of cooperating with the personal data protection authority. On each of the two consecutive days scheduled for the inspection activities, the company prevented the inspection from taking place. Furthermore, on the very day the inspectors attempted to carry out the inspection at Vis Consulting Sp. z o.o., the company's governing bodies resolved to put the entity into liquidation.

In the opinion of the President of the Office, the company does not comply with its obligations relating to the processing of personal data and deliberately avoids being inspected by the supervisory authority. The company thus infringed Article 31 of the GDPR read together with Article 58(1)(e) and (f) of the GDPR, which concern cooperation with the supervisory authority and giving it access to all personal data and all information it requires and, under point (f), to the controller's or processor's premises.
The President of the UODO therefore concluded that the conditions for imposing a fine on the company were met. In determining the amount of the fine, the supervisory authority identified no mitigating circumstances.

Because the conduct of the President of the Company gave rise to a suspicion of an offence under Article 108(1) of the Act on the Protection of Personal Data, the supervisory authority notified the District Public Prosecutor's Office in Katowice. Under that provision, preventing or hindering an inspection of compliance with the personal data protection provisions is punishable by a fine, restriction of liberty or imprisonment for up to two years. The Public Prosecutor's Office has already filed an indictment against the President of the Company with the court.

To read the press release in Polish, click here

To read the full decision in Polish, click here

