News aggregator

May Plenaries - adopted documents

1 year 11 months ago
EDPB

IMY tests new working methods to provide guidance to innovation actors

1 year 11 months ago
Innovators who develop new technologies and services need good knowledge of privacy and data protection. This places a demand on IMY to guide and educate innovators. In a pilot case this autumn, we will provide in-depth guidance early in a selected innovation process, a first attempt at so-called regulatory testing activity within data protection.

Data protection issues arising in connection with the use of Artificial Intelligence

1 year 11 months ago
Background information

Date of final decision: 8 February 2022

Cross-border case or national case: National case

Controller: Budapest Bank Zrt.

Legal Reference: Lawfulness of Processing (Article 5(1)(a), Article 6(1), Article 6(4)), Purpose Limitation (Article 5(1)(b)), Transparency (Article 12(1), Article 13), Right to Object (Article 21(1), Article 21(2)), Appropriate Measures (Article 24(1)), Data protection by design and by default (Article 25(1), Article 25(2))

Decision: Infringement of Articles 5(1)(a), 6(1), 6(4), 5(1)(b), 12(1), 13, 21(1), 21(2), 24(1), 25(1), and 25(2) of the GDPR, Order to comply with the above Articles, Imposing administrative fine in connection with the above infringements

Key words: artificial intelligence, new technologies, analysis of phone audio recording, analysis of emotions, bank, legitimate interest assessment, transparent information, right to object, privacy by design and by default, administrative fine

Summary of the Decision

Origin of the case

In another procedure, the Hungarian SA became aware that the data controller performs automated analysis of customer service phone calls. Because this processing was not clearly specified in the information provided to data subjects, the Hungarian SA opened an ex officio investigation against the data controller in 2021 to review the controller's general data processing practice regarding the automated analysis.

Key Findings

The data controller records all customer service phone calls. Each night, a software application automatically analyses all new audio recordings. The software uses artificial intelligence to find keywords and to estimate the emotional state of the client at the time of the call. The result of the analysis is stored, linked to the phone call, within the software's system for 45 days, along with the voice recording. The result is a list of persons ranked by the likelihood of dissatisfaction or anger inferred from the audio recording of the customer service call. Based on this ranking, designated employees mark clients to be called back by customer service to assess the reasons for their dissatisfaction. No information on this particular processing was provided to data subjects, no right to object was technically possible, and the processing was planned and carried out in full awareness of this.

The data controller's own impact assessment also confirmed that the reviewed processing uses artificial intelligence and poses a high risk to the fundamental rights of data subjects. Neither the impact assessment nor the legitimate interest assessment provided any actual risk mitigation; the measures that existed only on paper (information, right to object) were insufficient and, in practice, non-existent. Artificial intelligence is by nature difficult to deploy in a transparent and safe manner, so additional safeguards are necessary. Because of its internal workings, it is difficult to verify the results of personal data processing by artificial intelligence, and those results may be biased.

Decision

The Hungarian SA found serious infringements of numerous articles of the GDPR over a long period, ordered the data controller to stop processing the emotional state of clients and to continue the processing only once it has been made compliant with the GDPR, and imposed an administrative fine in HUF equal to approximately EUR 650,000.

For further information: https://www.naih.hu/hatarozatok-vegzesek?download=517:mesterseges-intelligencia-alkalmazasanak-adatvedelmi-kerdesei

EDPB

EDPB adopts Guidelines on calculation of fines & Guidelines on the use of facial recognition technology in the area of law enforcement

1 year 11 months ago

Brussels, 16 May - The EDPB adopted new Guidelines on the calculation of administrative fines, harmonising the methodology data protection authorities (DPAs) use. The guidelines also include harmonised ‘starting points’ for the calculation of a fine. Three elements are considered here: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of the business.

EDPB Chair, Andrea Jelinek said: “From now on, DPAs across the EEA will follow the same methodology to calculate fines. This will boost further harmonisation and transparency of the fining practice of DPAs. The individual circumstances of a case must always be a determining factor and DPAs have an important role in ensuring that each fine is effective, proportionate and dissuasive.”

The guidelines set out a 5-step calculation methodology. First, DPAs have to establish whether the case at stake concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements. The purpose is to clarify if all the infringements or only some of them can be fined.

Second, DPAs have to rely on a starting point for the calculation of the fine for which the EDPB provides a harmonised method.

Third, DPAs have to consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.

The fourth step is to determine the legal maximums of fines as set out in Art. 83 (4)-(6) GDPR and to ensure that these amounts are not exceeded.

In the fifth and last step, DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.

The guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, a strategic priority for the EDPB.

The guidelines will be submitted for public consultation for a period of 6 weeks. Following public consultation, a final version of the guidelines will be adopted, taking into account stakeholder feedback, and will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an undertaking.

The EDPB also adopted Guidelines on the use of facial recognition technology in the area of law enforcement. The guidelines provide guidance to EU and national law makers, as well as to law enforcement authorities, on implementing and using facial recognition technology systems.

EDPB Chair Andrea Jelinek said: “While modern technologies offer benefits to law enforcement, such as the swift identification of suspects of serious crimes, they have to satisfy the requirements of necessity and proportionality. Facial recognition technology is intrinsically linked to processing personal data, including biometric data, and poses serious risks to individual rights and freedoms.”

The EDPB stresses that facial recognition tools should only be used in strict compliance with the Law Enforcement Directive (LED). Moreover, such tools should only be used if necessary and proportionate, as laid down in the Charter of Fundamental Rights.

In the guidelines, the EDPB repeats its call for a ban on the use of facial recognition technology in certain cases, as it had requested in the EDPB-EDPS joint opinion on the proposal for an Artificial Intelligence Act. More specifically, the EDPB considers there should be a ban on:

  • remote biometric identification of individuals in publicly accessible spaces;
  • facial recognition systems categorising individuals based on their biometrics into clusters according to ethnicity, gender, as well as political or sexual orientation or other grounds for discrimination;
  • facial recognition or similar technologies to infer emotions of a natural person;
  • processing of personal data in a law enforcement context that would rely on a database populated by collection of personal data on a mass-scale and in an indiscriminate way, e.g. by "scraping" photographs and facial pictures accessible online.

The guidelines will be subject to public consultation for a period of 6 weeks.


EDPB_Press Release_2022_07

EDPB

IMY initiates review of Klarna

1 year 11 months ago
The Swedish Authority for Privacy Protection (IMY) has received a number of complaints, from Germany and Finland among other countries, against Klarna's Checkout service and has therefore now initiated a supervisory procedure against the company.

EDPB Annual Report 2021: Enhancing the depth and breadth of data protection

1 year 11 months ago

Today, Andrea Jelinek, Chair of the European Data Protection Board (EDPB) presented the EDPB Annual Report 2021. The report provides a detailed overview of the work carried out by the EDPB in the last year.

EDPB Chair, Andrea Jelinek said: "2021 was the EDPB’s fourth year of existence and the first year of implementation of the multiannual EDPB Strategy 2021-2023. It was a very productive year, in which we completed many key actions to reach the objectives set out in our Strategy. Although we continued working mostly remotely due to the continuing impact of the COVID-19 pandemic, we made significant progress on a number of important files. To make this possible, we held over 380 EDPB meetings, including plenaries and expert subgroup meetings.”

In early 2021, the EDPB adopted its two-year Work Programme for 2021-2022. The Work Programme follows the priorities set out in the Strategy for 2021-2023 and puts the EDPB’s strategic objectives into practice. The Work Programme and Strategy helped guide the EDPB’s work in 2021 and will continue to guide its work in the years to come.

Over the past year, the EDPB continued to pay a great deal of attention to international transfers of personal data. In 2021, the EDPB adopted its final version of the Recommendations on supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. In addition, the EDPB adopted opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive (LED), as well as its opinion on the draft adequacy decision for the Republic of Korea. The EDPB also adopted guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA.

A second area in which the EDPB carried out important work was digital policy. Among others, the EDPB and EDPS adopted joint opinions on the proposal for a Data Governance Act (DGA) and the draft Artificial Intelligence Act. Furthermore, the Members of the Board adopted a statement on the Digital Services Package and Data Strategy.

Law Enforcement formed another priority area for the EDPB in 2021. Not only did the EDPB adopt its first opinion on an adequacy decision under the LED, the EDPB also adopted recommendations on the LED adequacy referential, aiming to standardise the adequacy procedure under the LED. In addition, the EDPB carried out an evaluation of the LED itself.

In 2021, the EDPB adopted 8 guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, as well as 6 guidelines and recommendations in their final version following public consultation.

Another key task of the EDPB is to ensure consistency in enforcement and cooperation between national authorities. In 2021, the EDPB adopted 35 Art. 64 GDPR consistency opinions. Most of these opinions concern binding corporate rules and accreditation requirements for certification bodies and code of conduct monitoring bodies.

In July 2021, the EDPB adopted its very first Art. 66 GDPR Urgent Binding Decision following a request from the Hamburg supervisory authority (SA), which had adopted provisional measures against Facebook Ireland Ltd.

In the same month, the EDPB also adopted its second Art. 65 GDPR binding decision which sought to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA, acting as lead SA, regarding WhatsApp Ireland Ltd. and the subsequent objections expressed by a number of concerned supervisory authorities.

The GDPR requires the EEA SAs to cooperate closely to ensure the consistent application of the GDPR and protection of individuals’ data protection rights across the EEA.

  • Between 1 January and 31 December 2021, there were 506* cross-border cases out of which 375 originated from a complaint, while 131 had other origins, such as investigations, legal obligations and/or media reports.
  • The One-Stop-Shop mechanism demands cooperation between the LSA and the CSAs. The LSA leads the investigation and plays a key role in the process of reaching consensus between the CSAs, in addition to working towards reaching a coordinated decision about the data controller or processor. Between 1 January 2021 and 31 December 2021, there were 209 draft decisions, of which 141 resulted in final decisions.
  • The mutual assistance procedure allows SAs to ask for information from other SAs or to request other measures for effective cooperation, such as prior authorisations or investigations. Between 1 January 2021 and 31 December 2021, SAs initiated 243 formal mutual assistance procedures. They initiated 2418 informal mutual assistance procedures. Mutual assistance is also used by the SAs requesting the competent SA to handle complaints they received which do not relate to cross-border processing as defined by the GDPR.

The full EDPB Annual Report 2021 is available from the EDPB.

Note to editors:

* References to case register entries in these statistics do not have a 1-to-1 correlation to the number of cross-border complaints handled per country as multiple complaints may be bundled in one case register entry which therefore can relate to multiple cross-border cases. Depending on the Member State legislation, supervisory authorities may have handled complaints outside of the Art. 60 procedure in accordance with their national law.

The European Data Protection Board (EDPB) is an independent European body, established by the General Data Protection Regulation (GDPR), which aims to ensure the consistent application of data protection rules across the European Economic Area (EEA). It achieves this aim by promoting cooperation between national Supervisory Authorities (SAs) and issuing general, EEA-wide guidance regarding the interpretation and application of data protection rules.

The EDPB comprises the Heads of the EU SAs and the European Data Protection Supervisor (EDPS). The European Commission has the right to participate in the activities and meetings of the EDPB without voting rights. The SAs of the EEA countries (Iceland, Liechtenstein and Norway) are also members of the EDPB, although they do not hold the right to vote.


EDPB_Press Release_Statement_04

EDPB

The EU’s Data Act: data protection must prevail to empower data subjects

1 year 11 months ago

Brussels, 5 May - The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion on the proposed Data Act.

The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles and rules. Moreover, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy intrusive way possible.

The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Art. 20 of the General Data Protection Regulation.

Wojciech Wiewiórowski, EDPS, said: “Data must be processed according to European values if we aim to shape a safer digital future. As we move to create new opportunities for data use, we must ensure that the existing data protection framework remains fully intact. Access to data by public authorities should always be properly defined and limited to what is strictly necessary and proportionate, which is not the case under the draft Data Act.”

The EDPS and EDPB advise the co-legislators to provide limitations or restrictions on the use of data generated by the use of a product or service by any entity other than data subjects, in particular where the data at issue is likely to allow precise conclusions to be drawn concerning data subjects’ private lives, or would otherwise entail high risks for the rights and freedoms of data subjects. The EDPS and EDPB recommend introducing clear limitations regarding the use of the relevant data for the purposes of direct marketing or advertising; employee monitoring; calculating or modifying insurance premiums; and credit scoring. Limitations on the use of data should also be provided to protect vulnerable data subjects, in particular minors.

The EDPS and EDPB express their deep concerns about the lawfulness, necessity and proportionality of the obligation to make data available to EU Member States’ public sector bodies and to EU institutions, bodies, offices and agencies (EUIs) in case of “exceptional need”. In their Joint Opinion, the EDPS and EDPB stress that any limitation on the right to the protection of personal data requires a legal basis that is adequately accessible and foreseeable. The legal basis must also define the scope and manner of the exercise of powers by the competent authorities, and be accompanied by safeguards to protect data subjects against arbitrary interference. The EDPS and EDPB urge the co-legislators to define much more stringently the hypotheses of emergency or “exceptional need”, and which public sector bodies and EUIs should be able to request data.

As regards enforcement, the EDPS and EDPB welcome the designation of data protection supervisory authorities as competent authorities responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. The EDPS and EDPB ask the co-legislators to designate national data protection authorities as coordinating competent authorities under the Data Act.

Andrea Jelinek, EDPB Chair, said: “It is crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market. Not just for this proposal, but also concerning other legislative proposals, such as the Data Governance Act or the Digital Markets Act. A clear distribution of competences amongst the relevant regulators will need to be ensured, as well as efficient cooperation to avoid the risk of fragmented supervision, the establishment of a parallel set of rules and to ensure legal certainty for organisations and data subjects.”


EDPB

Europe Day 2022

2 years ago

Every year in early May we celebrate peace and unity in Europe through Europe Day, to commemorate the signing of the 'Schuman Declaration'. This year, on 7 May, the EU institutions invite you to a wide range of online and on-site activities across the EU Member States, as well as in the home of the EU institutions in Brussels, Luxembourg and Strasbourg.

EDPB and EDPS will both be present with a common booth at the European Commission’s headquarters – the Berlaymont building – from 10:00 to 18:00 on Saturday 7 May.

For more information about Europe Day 2022 visit: https://europeday.europa.eu/index_en

EDPB