European Data Protection Observatory

The new EU Regulation 2016/679 has undoubtedly initiated a new era in data protection: data controllers are now required to manage data with a proactive approach based on risk analysis and accountability.

In light of this, a new way of thinking about personal data has emerged that requires all stakeholders to find legal, organisational and IT solutions.

Since the Regulation is applicable all across the EU, it is necessary to consider what changes are taking place in other EU countries with regard to new provisions, interpretations, cases of application and sanctions.

For this reason, we have decided to set up a European Data Protection Observatory, which will contain the most relevant data protection news in chronological order.

Italy: residence for the blind fined for unlawful video surveillance

6 October 2021
The Italian Data Protection Authority fined a residence for blind people a total of €5,000 for installing a particularly invasive video surveillance system, justified by the institution for reasons of guest safety and protection against theft. Specifically, the internal cameras also filmed the corridor connecting their accommodation with the communal showers and the images were shown in real time on the monitors of the reception, with the risk that the footage could also be seen by visitors or passers-by. The DPA pointed out that the filming of guests in the corridor leading to the showers could not be justified by generic security reasons and that the same purposes could have been achieved with less invasive tools.

Italy: Bocconi University sanctioned for remote monitoring of students

29 September 2021
Bocconi University in Milan received a hefty fine of €200,000 from the Italian Data Protection Authority for having used invasive remote monitoring of students during examinations in lockdown periods. Following the inspection, the Authority found that two invasive software tools had been used: 'Lockdown Browser' and 'Respondus Monitor'. The first was used to prevent students from using their computers during examinations and therefore from looking for solutions to questions. The second was based on artificial intelligence and monitored the student via webcam, signalling 'suspect' behaviour considered abnormal, such as looking away from the monitor, absence from the monitor, or a difference between the student's photo and the webcam image.

Italy: Region fined for publishing personal data of students applying for financial aid

9 September 2021
The Italian DPA fined the Lombardy Region a total of €200,000 for publishing on its website the personal data of 104,000 students applying for (modest) financial aid for school purposes. The Authority criticised the wide dissemination of data, especially since they refer to people with low income and therefore likely to be in a state of economic hardship. This openly contrasts with the principles of the GDPR, especially with regard to the principle of minimisation, as a disproportionate activity with respect to the principle of transparency.

Ireland: €225m privacy fine for WhatsApp

2 September 2021
The Irish DPA (in agreement with the European Privacy Authorities) has imposed a €225 million maxi fine on WhatsApp for GDPR violations, consisting in the lack of complete transparency adopted by WhatsApp in 2018 to inform individuals with respect to the processing of their personal data between the Facebook group and WhatsApp. The Irish Authority also required WhatsApp to take specific corrective measures. Multiple violations and the Facebook group's consolidated turnover were considered in determining the amount of the fine.

Italy: Bologna Airport fined for insufficient protection of whistleblowers

30 July 2021
The company Aeroporto Guglielmo Marconi di Bologna was fined €40,000 because its internal whistleblowing procedure did not sufficiently protect whistleblowers. The airport company did not ensure that the software complied with data protection principles and that, for example, it used appropriate encryption techniques for the transmission and storage of personal data. In addition, the measures taken to protect the confidentiality of whistleblowers were insufficient and no impact assessment (DPIA) had been carried out. The company providing the software in question was also fined a total of EUR 20,000 as a data processor under Article 28 GDPR.

Luxembourg: Record fine of €746 million on Amazon

30 July 2021
The Data Protection Authority of Luxembourg, the country where Amazon's European headquarters are located, has imposed its highest fine ever on Amazon, amounting to €746 million, or 4.2% of its 2020 turnover. The GDPR violations challenged appear to relate to users' consent for the use of certain personal data, which allow the giant to carry out targeted advertising. The authority (CNDP) has not made any official statement on its institutional page, while Amazon stated its intention to appeal because it considers the fine disproportionate.

Italy: patients have the right to choose the data to be hidden in their Electronic Health Record

5 July 2021
The Italian DPA recently returned to the subject of the Electronic Health File, sanctioning two health authorities that had failed to guarantee patients the right to hide certain data concerning them. This right allows the patient to decide, at the time when the records are generated or subsequently, that the document is visible only to himself and to the doctor who generated it. As a result of the failure to comply with this request, apparently caused by a software malfunction, the DPA intervened by sanctioning the USL of Romagna and the Azienda Provinciale per i Servizi Sanitari of Trento, in the amount of 120,000 and 150,000 Euros respectively.

Italy: €2.6 million fine on Glovo for algorithm-based discrimination

5 July 2021
The company Foodinho of the GlovoApp23 Group was sanctioned by the Italian DPA for a total of EUR 2.6 million because its algorithm for booking and assigning food and product orders was considered discriminatory by the Authority. In fact, the company had not sufficiently informed the workers about the functioning of the algorithm and did not give guarantees regarding the correctness and accuracy of the results it produced. Moreover, there was no procedure for obtaining human intervention or expressing opinions/complaints regarding the decisions taken by the algorithm.

France: IKEA fined €1.1 million for spying on employees

15 June 2021
The court of Versailles (Paris) ordered a fine of EUR 1.1 million on IKEA for illegally collecting and storing data on its French employees for years. The multinational company had allegedly violated the privacy of workers by using private detectives, collecting personal data on their lives, including any criminal convictions. The action was brought by trade unions, who claimed that the Swedish company was using this information to detect potentially disruptive workers, possible trade unionists, or to gain advantage in disputes with customers. The former CEO of the company that owns the French IKEA shops under franchise was also given a suspended two-year prison sentence and a €50,000 fine.

Norway: Company fined EUR 15,000 for streaming CCTV surveillance images

13 May 2021
A power company installed a panoramic webcam on top of its building and the images were live streamed on YouTube and on the company's website. The image quality was good enough to allow identification of the type of vehicles and drivers, hair colour, and other personal and distinctive identifying characteristics. This allowed the identification and tracking of employees, colleagues, friends, family members, girlfriends/boyfriends, etc. In its decision, the DPA gave weight to the fact that the unlawful surveillance carried out with CCTV cameras affected a considerable number of data subjects and that the monitoring was continuous.

Norway: Municipality fined for publishing personal data on its website

13 May 2021
The municipality was fined a total of EUR 100,000 for publishing confidential personal data and national identity numbers (NIDs) on its website. Many of the cases concerned personal data, including special categories of data relating to children. The municipality infringed the requirements of data protection legislation relating to confidentiality, and the issue concerns both procedural and technical shortcomings. Personal data that should have been protected were made accessible to unauthorised third parties on the municipality's website for a year.

Norway: DPA fines restaurant €20,000 for video surveillance violations

13 May 2021
The case concerns CCTV surveillance of restaurant premises. The reasons for the sanction concern the violation of the principles of lawfulness and transparency. In fact, the Authority considered that the restaurant did not have a valid legal basis for the processing of data carried out through the video surveillance system and that it was not necessary to keep the system active 24 hours a day. The DPA considered that the rights of workers and customers, who certainly had a legitimate expectation not to be filmed during dinner, had been violated.

Norway: DPA intends to fine Disqus Inc. €2.5 million

5 May 2021
The Norwegian DPA has announced that it will fine Disqus EUR 2.5 million for illegally tracking visitors to Norwegian websites using the Disqus plug-in, data which was then disclosed to third-party advertising partners. Disqus allegedly claimed to be unaware of the application of the GDPR in Norway. The reasons for the sanction: lack of a legal basis for monitoring and profiling website users and breach of the duty to inform and be transparent about the data processing carried out. Disqus will have the opportunity to comment on the draft decision issued by the Authority until 31 May.

Italy: DPA imposes €40,000 fine for unlawful processing of employee data

15 April 2021
The Italian DPA issued a €40,000 fine against a company for failing to properly inform workers about the characteristics of the company's computer system, resulting in the unlawful processing of personal data. Specifically, the system collected disaggregated data, for purposes other than those indicated in the privacy notice made available to workers, and allowed workers to be identified by cross-referencing workstation data with other data available to the employer. Moreover, in a new information notice (not yet delivered to the employees at the time of the investigation), the employer indicated legitimate interest as the legal basis.

Italy: according to the Council of State, Facebook cannot be considered free

15 April 2021
In a ruling dated 29 March 2021, the Council of State confirmed the position of the Italian DPA that the social network service offered by Facebook cannot be considered free, as claimed by the platform at the time of registration, a statement that would therefore be incorrect and misleading. In fact, the judges considered that the use of users' personal data may constitute a form of remuneration for the service offered by Facebook, as the latter uses users' personal data for commercial purposes through profiling.

EU: EDPB opinion 2021/14 on the level of data protection in the UK

13 April 2021
The EDPB has published 'Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom', which assesses the level of data protection that exists in the UK in light of the UK's exit from the EU. Analysing the legislation and practices related to data protection in the UK, the EDPB considered that these are broadly equivalent, given also that the GDPR applied in the UK until recently and the same legal concepts are therefore present. However, the UK Government has indicated that it intends to amend its privacy legislation with separate policies from those in the EU, which will need to be monitored in the future to ensure the adequacy decision remains valid.

Netherlands: fined for late notification of data breach

31 March 2021
The company received a €450,000 fine from the Dutch Authority following a data breach caused by a hacker who compromised the personal data of approximately 4,000 users, targeting employees and using their credentials to access data (credit card, contact or booking data). The company, however, notified the Authority of the breach 22 days after it became aware of it, which also prevented the data subjects affected from becoming aware of the breach in a timely manner and putting in place precautions to avoid identity theft and embezzlement.

Italy: DPA fines Fastweb €4.5 million for aggressive telemarketing

25 March 2021
The Italian DPA imposed a €4.5 million fine on Fastweb for aggressive telemarketing. The Authority, after hundreds of reports, found that the company had unlawfully processed the personal data of millions of users for telemarketing purposes. In many cases, the call centres used telephone numbers other than those entered in the Register of Communications Operators, and data received from third-party partners were processed without the valid consent of the users. In addition, some cases emerged in which alleged call centre operators had asked users to send their identity documents via WhatsApp in order to complete their migration, and some cases of 'system errors' preventing the deletion or modification of incorrect data.

Spain: €600,000 fine on Air Europa for insufficient data security measures and late notification of data breach

17 March 2021
AEPD imposed a €600,000 fine on the airline Air Europa following notification of a security incident that resulted in unauthorised access to the contact and bank details of some 489,000 people. The Spanish authority found the technical and organisational measures to protect data security to be inadequate (for which it imposed a €500,000 fine), and the data breach was notified to the authority late (after 41 days), which led to a further €100,000 fine.

Spain: AEPD fines Vodafone €8 million for personal data infringements

11 March 2021
The Spanish Data Protection Authority has imposed the highest fine in the country, amounting to €8,150,000 (the result of four combined fines), on Vodafone. The AEPD, which intervened after 192 complaints from users over the last two years, considers that the company has not implemented technical or organisational measures to detect the lawfulness or otherwise of the measures taken to protect personal data, to identify the origin of the data, and to guarantee the right to object to processing. Vodafone Spain believes that the amount of the fine is excessive and has announced that it will file an appeal.

Italy: Lazio Region fined €75,000 for failing to appoint a data processor

11 March 2021
The Lazio Region was sanctioned by the Italian DPA for a total of EUR 75,000 for failing to appoint as data processor the cooperative that managed the call centre in charge of the booking of healthcare services, thus processing data unlawfully from 1999 to 2019. The cooperative itself had repeatedly pointed out to Regione Lazio, the data controller, that it needed to be appointed as data processor, and had also implemented its own security measures in accordance with the GDPR: it therefore received only a warning from the DPA.

Italy: the DPA imposes €300,000 fine on the National Social Security Institute for invasive "Covid bonus" checks

9 March 2021
The DPA issued a sanction of €300,000 against INPS (national social security institute) for the way it carried out checks on applicants to the so-called 'Covid Bonus'. The Authority found that INPS failed to define the criteria for processing the data of certain categories of applicants, used unnecessary information for control purposes, used incorrect or incomplete data, and its assessment of privacy risks was inadequate. The investigation showed that INPS had not adequately designed the processing and was not able to demonstrate that it had carried out the checks in compliance with the GDPR, thus violating the principles of privacy by design, privacy by default and accountability.

Data retention and balancing investigative needs and privacy: the CJEU ruling

25 February 2021
The European Court of Justice, in its judgment of 2 March in Case C-746/18, ruled on the issue of balancing investigative needs and privacy. The most innovative aspect of the judgment is the need to make the retention of phone records selective and targeted, based on the type of data, the duration of storage, and whether or not serious crimes have been committed. In fact, the CJEU emphasises the invasiveness of data retention in the private life of citizens and the need for a check in this sense by a third authority (such as a judge). 

Italy: DPA authorises the Ministry of Health to activate a new feature of contact-tracing app "Immuni"

25 February 2021
The Italian DPA has issued an opinion on the new feature of the Immuni app, which will allow a person who has tested positive for Covid-19 to interact directly with the Covid-19 alert system by entering the unique national code (Cun) assigned by the Sistema Tessera Sanitaria (Health Insurance System) to his or her Covid-19 diagnostic test report with a positive result, together with the last eight digits of the health insurance card. The updated version of the impact assessment prepared by the Ministry was considered in line with the indications provided by the DPA.

Norway: fine for performing a credit rating on an individual without an appropriate legal basis

23 February 2021

The case stemmed from a complaint by a data subject who discovered that Aquateknikk had given him a credit rating, despite the fact that there was no relationship between the company and the data subject. In investigating the matter, the Norwegian Data Protection Authority came to the conclusion that the credit ratings were carried out without an adequate legal basis and that Aquateknikk had no legitimate interest in carrying out this type of particularly intrusive data processing.

Spain: €6 million fine for unlawful processing and insufficient information to data subjects

19 February 2021

The Spanish DPA (AEPD) deemed CAIXABANK's processing of personal data unlawful due to the lack of information regarding the categories of personal data processed, the purposes and the legal basis of the processing, with particular regard to processing based on the legitimate interest of the company. As a result, it imposed a €2 million fine on the bank for breach of Articles 13 and 14 of the GDPR. The AEPD also found that CAIXABANK did not provide for any mechanism to collect consent from the data subject and that, in any event, such consent could not be considered valid. It also found that the processing activities based on the company's legitimate interest were not sufficiently justified, thus imposing a further fine of €4 million for breach of Article 6 of the GDPR.

Italy: €8,000 fine imposed by the DPA for theft of an external hard drive

19 February 2021

The Campania Regional Environmental Protection Agency has been fined EUR 8,000 for the theft of an external hard disk containing judicial and personal data relating to environmental offences. The hard disk contained copies of identification documents, tax documents, pay slips and a list containing analytical data relating to judicial proceedings. The agency had promptly notified the data breach to the DPA, which imposed the sanction due to the absence of the necessary measures to ensure a level of security adequate to the risk (under Article 32 GDPR).

Italy: DPA issues FAQs on the processing of Covid-19 vaccination data in workplaces

17 February 2021

The Italian DPA issued FAQs to clarify the data protection aspects linked to the relationship between work activities and Covid-19 vaccinations, including whether or not employers can request and obtain information from workers or the competent doctor regarding vaccination and the possibility for those who are not vaccinated to enter the workplace. 

EU: EDPS is conducting an investigation into alleged GDPR breach by the European Parliament

15 February 2021

The NGO noyb filed a complaint with the EDPS about alleged GDPR breaches on the EU Parliament's Covid-19 test reservation website. According to the complaint, the website unlawfully transfers data on MEPs' test bookings to third parties, including entities located in the US, without the necessary safeguards following the Schrems II case. In addition, the cookie banner seems not to be accurate, as it does not contain a list of all the cookies used and offers only "Accept all" instead of allowing the user to give targeted consent.

Netherlands: Hospital fined €440,000 for inadequate protection of medical records

11 February 2021

The Dutch Authority initiated the investigation following media reports and two notifications of data breaches relating to unauthorised access by trainees to patient records, and found structural weaknesses in the accessibility of patient records by hospital staff. In particular, although a system for automatically detecting access to medical records was in place, there were insufficient checks on the legitimacy of such accesses, and a two-factor authentication system (e.g. code or password in combination with a personal badge) was not in place.

Italy: the Italian Ministry of Economic Development receives a €75,000 fine for late appointment of DPO

11 February 2021

The Italian DPA imposed a €75,000 fine on the Ministry of Economic Development (MISE) for having appointed its Data Protection Officer late, in May 2018, despite the DPA having already reminded ministries in 2017 of the need to appoint DPOs as soon as possible. Moreover, the MISE website displayed the managers' résumés complete with their tax code, email, mobile phone and in some cases copies of their ID and health card. This was considered by the Authority to be disproportionate processing not motivated by an adequate legal basis.

EU: e-Privacy Regulation finally receives positive feedback from EU Council

11 February 2021

After a four-year process, the Council of the European Union has reached an agreement on the final version of the ePrivacy Regulation on privacy and confidentiality in the use of electronic communications services. The updated regulation will replace the existing e-Privacy Directive of 2002, introducing fundamental changes for all companies operating in the digital economy.

Italy: ASL Toscana fined €10,000 for data breach

6 February 2021

The Italian DPA sanctioned ASL Toscana Centro for a total of EUR 10,000, following an investigation into a report. The complainant objected to the way in which patients were asked to deposit their biological samples for the prevention of intestinal tumours in a refrigerator for safekeeping, together with the relevant forms filled in by the participants, and to the absence of staff assigned to the safekeeping of those samples and documents.

Belgium: EUR 50,000 fine on company for breach of GDPR

1 February 2021

Family Service is a marketing company that distributes pink boxes, through gynaecologists and hospitals, which include samples, special offers and information sheets for parents-to-be. The Belgian Data Protection Authority's investigation found that the company transferred personal data to third parties for commercial purposes without specific consent from the data subjects, who were not aware that the sending of the boxes implied the transfer of their data. Moreover, the fact that the boxes were distributed by gynaecologists and hospitals could have led customers to believe that the initiative came from the public sector, and not from a private company whose core business is data processing.

Italy: 70,000 euro fine on hospital for disclosing health data via press release

27 January 2021

The "San Carlo" hospital in Potenza was fined €70,000 for having disseminated, through a press release, numerous and detailed information on the health status of a patient and the treatments undertaken, following his death from Covid-19. The Garante considered that the aim of informing the population about the treatment offered by the company to Covid-19 patients could be achieved even without disseminating detailed clinical information about the patient.

Italy: DPA fines AOU Parma for mistakenly sending a medical record to another patient

27 January 2021

The University Hospital of Parma was fined €10,000 for mistakenly handing over to an heir of a deceased patient a medical record of another patient's haematochemical tests. The AOU had sent a notification of data breach to the Garante and asked the recipient to return the medical record: faced with an uncooperative attitude, it proceeded to formally request the return of the document, warning them not to use the data, and to carry out a self-assessment of the methods of managing medical records.

France: 'Credential stuffing': the CNIL sanctions a data controller and its sub-processor

27 January 2021

In France, the CNIL fined a data controller and its sub-processor EUR 150,000 and EUR 75,000 respectively for failing to take appropriate measures to deal with credential stuffing attacks on the controller's website. Since users often reuse the same credentials across multiple services, the attacker uses 'bots' to attempt large numbers of logins to sites and, when authentication succeeds, can see the information associated with the accounts in question.

Norway: Authority plans to fine Grindr €10 million

26 January 2021

The Norwegian Data Protection Authority (Datatilsynet) has sent Grindr LLC an 'advance notification' expressing its intention to issue an administrative penalty of NOK 1000000 (approximately EUR 10 million) for non-compliance with GDPR rules on consent (10% of annual turnover). Grindr is a social network for gay, bisexual, trans and queer people with 13.7 million active users. The violations found by the Authority concern the fact that users were forced to accept the privacy policy in its entirety in order to use the app, that no specific request for consent was prepared for sharing their data (including on sexual preferences) with third parties for marketing purposes, and that users were not provided with sufficient information on the sharing of their personal data.

Italy: Ausl Bologna fined for entering wrong health documents into electronic health records

14 January 2021

The Local Health Authority of Bologna received a penalty of €18,000 for the misplacement of health documents in 182 Electronic Health Records, 49 of which were active. The incident, which was notified to the DPA, was allegedly caused by a manual error of a technician belonging to a third-party company; the wrongly inserted documents were deleted about 6 hours after patients reported the problem.

Italy: penalty for late reply to data subject's request for access

14 January 2021

The Italian Data Protection Authority fined Poliambulatorio Talenti S.r.l. €2,000 for failing to respond to a data subject's access request within 30 days (pursuant to Article 15 GDPR), responding only after a further complaint by the data subject and an invitation by the DPA to respond.

Italy: the DPA sanctions a health authority for processing biometric data for attendance purposes

14 January 2021

The Italian Data Protection Authority imposed a €30,000 fine on the Enna provincial health service (Azienda sanitaria provinciale di Enna) for the collection and processing of fingerprint data to detect the presence of employees and deter the practice of absenteeism. The DPA found that the processing was disproportionate to the purposes for which it was carried out, lacked an adequate legal basis, and that employees had not been provided with clear and complete information.

France: CNIL sanctions Interior Ministry for using drones to control Covid containment measures

12 January 2021

The French Privacy Authority (CNIL) has sanctioned the Ministry of the Interior for illegally using drones equipped with cameras, in particular to monitor compliance with containment measures. The Authority urged the Ministry to cease all drone flights, at least until a regulatory framework authorises them, as it cannot by regulation issue monetary sanctions against the State. The violations found are the lack of a DPIA under Article 35, the lack of information under Article 13 on the exercise of rights by the data subject, and the failure to take corrective measures.

Germany: Lower Saxony authority fines company EUR 10.4 million for illegal video surveillance

8 January 2021

The Lower Saxony DPA fined the company a total of EUR 10.4 million for monitoring its employees by video surveillance for at least two years without any legal basis. The company had claimed that the purpose of the installed cameras was to prevent and investigate crimes and to track the flow of goods in the warehouses. The Authority pointed out that there were less intrusive ways to prevent theft and that the video surveillance images did not have a time limit.

Italy: Garante launches new data breach notification tool

24 December 2020

The Italian Data Protection Authority has launched a new online service that makes it easier for data controllers to meet their data breach obligations. Using a self-assessment tool, users can assess the extent of the data breach and whether or not to notify the EDPS and/or the data subject. The tool also provides a notification template to be used to communicate the personal data breach to the Authority.

Italy: EUR 100,000 fine to ASL Toscana for unlawful processing of health data

17 December 2020

ASL Toscana was fined €100,000 for data processing in the context of initiative medicine that did not comply with data protection principles. The processing of particular data had been carried out without carrying out an impact assessment, on the basis of an incomplete information notice and appointment of the data processor, adopting inadequate security measures, without having drawn up a register of processing activities and without having defined the retention time of data collected through the initiative health projects by the doctors involved and the health facility.

France: CNIL fines two doctors for failing to ensure security of patients' personal data 

17 December 2020

The CNIL imposed fines of €3,000 and €6,000 on two doctors who had not adequately protected their patients' personal data as required by the data controller's obligations. In fact, the Authority discovered in 2019 that thousands of medical images hosted on servers belonging to the two doctors were freely available online, as the computer networks had not been set up to ensure the cyber security of the data. Moreover, the doctors had not notified the Authority of the data breach once they became aware of it.

France: Google fined €100 million and Amazon €35 million for cookie violations

10 December 2020

The CNIL, following an inspection of the website, found that cookies were being deposited on users' computers without their express consent, many of them for advertising purposes. The Authority also found that the banner providing information on cookies was unclear as to how they worked and that the right to object could be only partially exercised by data subjects. For this reason, it imposed a fine of EUR 60 million on Google LLC and EUR 40 million on Google Ireland Limited. Similar violations were also found in the activities of Amazon Europe Core, which received a fine of EUR 35 million.

Italy: Garante publishes new FAQs on video surveillance

10 December 2020

The Italian DPA has published on its website updated FAQs on video surveillance, pointing out that video surveillance activities must be carried out in compliance with the principle of minimisation with regard to the choice of filming and location methods and the management of the various processing stages. The data processed must in any case be relevant and not excessive in relation to the purposes pursued.

Italy: DPA launches public consultation on cookies

10 December 2020

In view of the latest indications issued by the European Data Protection Board (EDPB) on the subject of cookies and the rapid progress of technology, which has in part overtaken the indications provided most recently in 2014, the Garante has launched a public consultation on the subject. The proposed guidelines, which are open to comments and proposals from stakeholders, address some new issues such as "passive" tracking systems (such as fingerprinting), "scrolling", the reiteration of requests for user consent and third-party cookies. 

Estonia: Three pharmacy networks fined for allowing prescriptions to be viewed without user consent

8 December 2020

The Estonian Authority has issued a EUR 100,000 fine against three pharmacy chains for allowing another person's current prescriptions to be viewed in an e-pharmacy environment without their consent, using only their personal identification code. The authority ordered the display of prescriptions to third parties to be stopped, as there was no legal basis for such access, giving the pharmacies one day to comply. The spokesperson added that although it should be possible to purchase prescription drugs for other people, the solution must ensure that prescription information can only be accessed with the consent of the prescription holder.

Sweden: Authority finds shortcomings in data management by healthcare providers

7 December 2020

The Swedish Data Protection Authority has audited eight healthcare providers regarding the way they regulate and restrict staff access to electronic health record management systems. The DPA discovered shortcomings that in seven of the eight cases led to administrative fines of up to SEK 30 million. For example, seven providers did not carry out a risk analysis, while one provider did carry out an analysis, but it was insufficient.

France: €2,250,000 fine on Carrefour and €800,000 on Carrefour Banque

26 November 2020

The French DPA found, following investigations, serious shortcomings in the processing of data of customers and potential users of Carrefour (retail sector) and Carrefour Banque (banking sector), and therefore decided to initiate sanction proceedings against these companies. The violations included Article 13 on the information to be given to data subjects, violations on cookies, on the limitation of the duration of data retention and failure to facilitate the exercise of data subjects' rights.

Spain: focus of the AEPD on blockchain and data protection

20 November 2020

The Spanish data protection authority AEPD has published an in-depth guide on blockchain and data protection. Within the guide it states that "the blockchain is a distributed information storage technique that, depending on the configuration chosen, can work with a P2P approach and form a decentralised network of nodes. It uses certain strategies, called consensus algorithms, to validate the information stored by each participating node and implements a mechanism to detect alterations to the recorded information."

EU: journalist breaks into EU defence ministers' videoconference

20 November 2020

During the meeting of European defence ministers, where they were discussing the procurement of billions of dollars of war technology and coordination of armies, the video conference was interrupted by a young journalist who broke in and even managed to speak before being removed. It seems that the infiltration was made possible by the journalist 'guessing' the access PIN.

Italy: Vodafone fined for aggressive telemarketing

16 November 2020

The Italian DPA imposed a fine of 12 million 250 thousand euros on Vodafone, after ascertaining at the end of a complex investigation that Vodafone had unlawfully processed the data of millions of users for telemarketing purposes. The critical points concern not only the violation of the obligation to obtain the consent of data subjects, but also of fundamental principles such as the accountability of the data controller and the implementation of privacy measures by design and by default.

EU: draft of new Standard Contractual Clauses available for consultation

12 November 2020

In the post-Schrems II scenario the European Commission is working on a modification of the standard contractual clauses for the transfer of personal data to third countries. The draft will be in consultation until December 10, 2020.

Romania: CJEU underlines that controllers must be able to demonstrate that consent is valid

11 November 2020

The Court of Justice of the European Union had to settle a case referred by a Romanian court involving a telecommunications company which had signed contracts with customers that included a clause by which the customer accepted the retention of a copy of their identity document. The CJEU recalled that the data controller must be able to demonstrate that consent was freely given, and in the case at hand this was not possible because the box may have been pre-ticked.

EU: the EDPB adopts first decision under Article 65 GDPR

10 November 2020

The European Data Protection Board has adopted the first resolution under Article 65 GDPR, to resolve a dispute related to the Irish Authority's draft decision against Twitter after the 2019 data breach. The relevant and reasoned objections of some of the authorities involved have been submitted and the decision will now be notified to the Irish authority.

EU: ENISA guidelines for security in the Internet of Things available

9 November 2020

ENISA publishes the "Guidelines for Securing the Internet of Things", which aim to ensure the security of IoT devices throughout the supply chain and device life cycle. The guidelines are addressed to developers, manufacturers and all stakeholders involved in the supply chain.

California: update of data protection law

9 November 2020

With the passing of Proposition 24, the California Privacy Rights Act (CPRA) will become applicable on January 1, 2023 and amend and update the existing California Consumer Privacy Act (CCPA). The purpose of the amendment is to close certain loopholes in existing legislation, for example by extending data subjects' rights with respect to data rectification, restriction of processing, or opposition to automated decision making. This link provides a comparison between the CCPA and the CPRA.

Italy: the DPA initiates investigation on swab data and privacy

5 November 2020

The Italian DPA has initiated preliminary investigations into the way in which swab data are managed. The first concerns Ats Milano, whose platform allowed anyone to find out if a person was positive simply by entering the person's tax code and a random phone number. The second concerns Regione Lombardia and its service "Tampone in un click", which allowed anyone to discover if a person had tested positive for Covid-19 by entering their tax code, the last digits of their health card and a random phone number. Access to this type of data is particularly dangerous as it can give rise to fraud, blackmail and discrimination at work.

Ireland: hospital fined for disposal of health data in public recycling facility

4 November 2020

The Cork University Maternity Hospital received a fine of €65,000 for disposing of special category personal data belonging to 78 patients in a public recycling facility. The data included the ethnicity of the data subjects, their religious beliefs, political opinions, identifiable biometric data, sexual orientation, medical histories and future planned programmes of care.

EU: EDPS outlines the strategy of European institutions post-Schrems II

29 October 2020
The EDPS has published a document containing the European strategy that aims to ensure and monitor the compliance of EU institutions, bodies and agencies with the European Court of Justice ruling Schrems II. The document identifies for the EU institutions and the EDPS short-term action courses (such as mapping of contracts, collaborations requiring the transfer of data to non-EU countries) and medium-term action courses, such as the production of guidelines on transfers and assessments of the level of protection offered by third countries.

Spain: AEPD publishes guidelines on data protection by default

28 October 2020
The Spanish DPA (AEPD) has recently published the "Guidelines for Data Protection by Default", in which it identifies the strategies that must govern data protection by default. The specific measures for its implementation are indicated in relation to the amount of data collected, the extent of processing, the period of retention and the accessibility of the data.

EU: EDPB Guidelines 4/2019 on data protection by design and by default

20 October 2020

After a public consultation, the EDPB has adopted the guidelines on data protection by design and by default. These guidelines analyze the responsibilities of the data controller, the implementation of processing principles and provide some practical examples.

UK: data theft, 22 million euro fine to British Airways

16 October 2020
British Airways has received a £20 million fine for the theft of customer personal data following a hacker attack in 2018. The sanction is the highest so far imposed by the British Authority and is motivated by the amount and type of data stolen, which includes contact details and credit card details, as well as by additional security measures the company could have taken to mitigate the risks. 

EU: EDPB guidelines on the concept of relevant and reasoned objection (in consultation)

12 October 2020
The EDPB publishes in consultation the "Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679", which deepen the concept of relevant and reasoned objection under Article 65 GDPR, i.e. an objection to the draft decision, proposed by the lead supervisory authority to the other supervisory authorities concerned, which determines whether a processing substantially affects data subjects in more than one Member State.

EU: the CJEU on the indiscriminate collection of data by Member States for security reasons 

6 October 2020
The European Court of Justice confirms that Member States cannot require providers of electronic communications services to transmit or store traffic and location data indiscriminately for anti-crime or national security purposes. Such interference is possible only if the Member State is facing a serious threat to national security, but the retention must be strictly limited in time and the State must develop effective protection measures and subject them to review by a court or an independent administrative authority.

Germany: according to SAs, Microsoft 365 is not yet GDPR-compliant

2 October 2020
The data protection supervisory authorities of the German states have concluded that the online Terms of Use of Microsoft 365 and its Data Processing Addendum seem to show that, despite recent updates including post-Schrems II, the service does not yet fully comply with data protection principles.

Germany: H&M heavily fined for employee privacy violation

1 October 2020
The clothing chain H&M has been fined €35.3 million for the privacy violation of hundreds of employees of the Nuremberg branch, which had been ongoing since 2014. In fact, special categories of personal information relating to family issues, health and religious beliefs were stored. The Authority underlines that the high amount of the fine is due to the scale of the violation and is designed to deter other companies from invading the privacy of their employees.

Italy: hospital fined for unlawful processing of personal data

30 September 2020
The Italian DPA applied an 80,000 euro fine to a hospital that had unlawfully processed the data of over 2000 aspiring nurses. On its website the candidates' data were freely accessible, some included health data, and in some cases the data could even be modified. The company that managed the platform for the online collection of participants' applications was also sanctioned with a 60,000 euro fine.

France: the CNIL recommendation on cookies

29 September 2020
The French data protection authority is publishing a recommendation on cookies that interprets the EDPB guidelines on cookies, cookie walls and the legitimacy of consent provided based on these at national level. The recommendation is not binding, but presents how CNIL establishes the appropriate way to comply with Reg. 679/2016.

EU: the European Union's new approach to cyber attacks

25 September 2020
The European Parliament has published a document that analyses the new approach to cybersecurity and cyber attacks. These are causing globally about 530 billion euros of damage (as well as significant risks related, for example, to personal data) and are continuing to grow. The EU, in addition to promoting a European cyber security strategy, through Decision 7299/19 and EU Reg. 2019/796 has identified ways to impose sanctions and restrictions on individuals who threaten the Union or its Member States through cyber attacks.

USA: the White Paper of the Department of Commerce for the post-Schrems II

18 September 2020
The U.S. Department of Commerce has published a White Paper, introduced by a statement underlining the difficulty posed by the now well-known Schrems II judgment on the invalidity of the Privacy Shield, used in most cases for data transfers from the EU to the US. The statement highlights the tools and safeguards that the US has put in place to ensure a level of protection equivalent to that of the EU. The administration emphasizes that it is working with the European Commission to find a solution that will put order in the data transfer procedures without placing the burden of compliance on individual companies and undermining trade relations between the EU and the US.

Belgium: hospital receives warning for violation of the right of information and access

18 September 2020
The Belgian Data Protection Authority issued a warning against a public hospital which had refused an employee access to the results of an audit that had led to his dismissal. The DPA considered that Articles 15(3) and 12(4) had been violated with respect to the right of access and Articles 12, 13 and 14 with respect to the right to information of the data subject.

Germany: patient dies due to hospital cyberattack

18 September 2020
Due to a cyberattack against the hospital in Düsseldorf, Germany, whose computer systems were blocked, a woman died while being transferred to a hospital 30 km away. This is the first confirmed case of death following a cyberattack; the perpetrators were found by the police and could now be charged with murder, in addition to cybercrime. In 2017, during the attacks of the notorious ransomware Wannacry, thousands of hospitals around the world had been blocked, causing dozens of victims due to delayed treatment.

UK: the DPA makes available a tool to manage and prove accountability

11 September 2020
The UK Data Protection Authority has recently released a beta version of the Accountability Framework, a tool that helps companies assess the risks of the processes they carry out, decide what technical and organizational measures need to be put into practice and be able to prove the adoption of these measures, to make compliance an integrated issue in business processes.

EU: EDPB task force to support data controllers and processors in post-Schrems II data processing

4 September 2020
In the light of the Schrems II judgment, the EDPB has created a taskforce which, in addition to analysing complaints received from European citizens regarding the transfer of their data to the USA, will prepare guidelines to support data controllers and data processors in the management of data processing to third countries. The EDPB is aware that identifying and implementing additional measures to achieve a level of protection equivalent to the European standard is not an easy task since there are no ready-made solutions.

EU: EDPB guidelines on the targeting of social media users

2 September 2020
The EDPB has published (in consultation until October 2020) the "Guidelines 8/2020 on the targeting of social media users". Targeting is not only based on information knowingly provided by online users, but also on data observed or deduced through tracking technologies. The document then analyzes the targeting process, the data protection requirements to be met and the risks for stakeholders, as well as clarifying roles and responsibilities of the stakeholders.

EU: EDPB guidelines on the concepts of controller and processor in the GDPR (public consultation)

2 September 2020
The EDPB has published (in consultation until October 2020) the "Guidelines 07/2020 on the concepts of controller and processor in the GDPR". The document defines both roles and details their respective tasks and responsibilities. Joint controllership, the division of roles and the responsibility towards stakeholders are also analysed.

Spain: company sanctioned for insufficient information about cookies and privacy policy in English only

6 August 2020
The company Just Landed received a fine of 3,000 euros for failing to provide sufficient information about cookies and, at the same time, received a warning due to insufficient compliance with the information obligations under art. 13 GDPR (the company's privacy policy was drafted in English only).

France: Spartoo fined for violation of the principle of minimisation

5 August 2020
The online retailer Spartoo, based in France but operating in several European countries, received a fine of €250,000 for fully recording all telephone conversations (including personal data such as addresses and bank details) and only partially encrypting said bank details. The French Authority therefore considered that there was a violation of the principle of minimization as well as the information obligations under Article 13 GDPR, since the company's data protection information was partly incorrect.

Spain: company fined for unsolicited phone calls for marketing purposes

28 July 2020
The AEPD imposed a fine of 1,200 euros on a company for having called a subject offering them a promotion, despite the fact that the person concerned was registered in the public objections register, thus exercising the right to object to processing pursuant to art. 21 GDPR. The company had in fact not complied with the obligation to check the objections register before making phone calls for marketing purposes, which is why the Authority decided to impose the sanction.

Spain: AEPD updates its guide on the use of cookies

28 July 2020
The Spanish Data Protection Authority has updated its Guide to the use of cookies following the publication in May of an updated version of the Guidelines 05/2020 on consent by the EDPB. The new Guidelines mainly examined the validity of the "continue browsing" option as a way to give consent to cookies by users, and the so-called "cookie walls".

EU: EDPB publishes FAQ on Schrems II case

24 July 2020
The European Data Protection Board has published a document containing questions and answers on the invalidation of the Privacy Shield, which provide some clarifications for companies that transfer data to the United States.

EU: Guidelines 06/2020 on the interplay of the PSD2 and the GDPR  

17 July 2020
The EDPB has published Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (version in consultation), which analyze the interrelation between the Second Payment Services Directive and the GDPR. Topics addressed include the legal bases for processing data under the PSD2, the notion of explicit consent, and the processing of special categories of personal data.

EU: the statement of the EDPB on the Schrems II case

17 July 2020
The EDPB has adopted a statement on the Schrems II case. With regard to the EU-US Privacy Shield, the EDPB stresses that the European Union and the United States should jointly build a new regulatory framework that fully complies with European data protection provisions. With regard to standard contractual clauses, the EDPB notes the obligation of the data exporter to make a prior assessment, analysing the content of the SCC, the specific circumstances of the transfer and the legal framework applicable in the country of the data importer.  
The EDPB also notes the duties of the competent supervisory authorities (SA) to suspend or prohibit a transfer of data to a third country under the SCC if, in the opinion of the competent SA and in the light of all the circumstances of such transfer, such clauses are not or cannot be complied with in that third country and if the protection of the transferred data cannot be ensured by other means. 

EU: the CJEU invalidates the Privacy Shield

16 July 2020
The European Court of Justice has issued a historic judgment (so-called Schrems II) that invalidates the Privacy Shield, considering it unable to guarantee a sufficient level of protection to European citizens whose data are processed in the United States, especially in relation to the US public surveillance legislation, which is deemed excessive and disproportionate by the criteria of European law. The standard contractual clauses, which remain valid, can only be used after an assessment of their actual ability to ensure data protection in the country of destination.

Italy: telecommunication operators fined for unlawful processing for promotional purposes

13 July 2020
Following reports and investigation and inspection activities, the DPA has decided to sanction WindTre SpA for a total of 17 million euros following the receipt by hundreds of users of unwanted promotional communications, made without consent by text message, e-mail, fax, phone calls and automated calls. The subjects complained that they could not exercise their right to revoke their consent and to object to the processing. 
Another telephone operator, Iliad, was found to be deficient in other respects, including those related to employee access to traffic data and received a fine of 800,000 euros.

Italy: DPA reprimand for medical report in the Electronic Health Record of wrong patient

9 July 2020
The Italian Garante has warned the IRCCS Policlinico San Matteo Foundation for a data breach in which a patient's medical report had mistakenly ended up in the Electronic Health Record of a patient of the same name, who had filed a complaint. The Authority decided not to apply other corrective measures to the Foundation, which clarified that it was a mere human error and re-audited the procedure for the correct identification of the patient.

EU: the European Commission's document on Brexit - data protection and data transfer

9 July 2020
The European Commission has published the document "Getting ready for changes - Communication on readiness at the end of the transition period between the European Union and the United Kingdom", in which several issues are analyzed, including data protection and data transfer. During the transition period, the GDPR and the free exchange of data between the UK and the EU will continue to apply. As of 1 January 2021, the UK will become a third country and the transfer of data to the UK can continue if it complies with the rules and safeguards provided by EU law. It is underlined that the EU will work to ensure that by the end of 2020 an adequacy decision can be reached, if possible, with the UK.

EU: EDPB adopts new guidelines on the right to be forgotten in search engines

7 July 2020
The European Data Protection Board adopted, after a public consultation, the "Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR".

Netherlands: heavy penalty for violation of the right of access of data subjects

6 July 2020
The Dutch DPA has imposed a fine of €830,000 on the Institute for Credit Registration (BKR) for making it excessively difficult and expensive for data subjects to access their data. The procedure could only be done in writing and once a year and had to be accompanied by a copy of the subject's passport. In addition, the response time could be up to 28 days, unless the data subject decided to pay a fee. The Data Protection Authority found these restrictions unreasonable.

Italy: company sanctioned for leaving the former employee's email account active

2 July 2020
The Italian DPA imposed a penalty of 15,000 euros on a company that had left a former employee's e-mail account active even after the termination of employment, automatically forwarding incoming e-mails. The company did not provide sufficient information in this regard and did not respond to the data subject's requests for access and deletion.

Germany: €1,240,000 fine for insufficient technical and organizational measures

30 June 2020
A health insurance company received a fine of €1,240,000 from the German DPA of Baden-Württemberg for implementing insufficient technical and organizational measures to prevent data processing for marketing purposes without the consent of the data subjects. In particular, the company organized contests during which it collected personal data from participants, sending promotional communications only to those who had given their consent. Apparently, the measures implemented were not sufficient to prevent about 500 people from receiving promotional material anyway without their consent, and despite the collaboration with the Authority, the latter decided to impose the sanction.

EU: EDPS Opinion 4/2020 on the EC Whitepaper on artificial intelligence

29 June 2020
The EDPS has published the opinion on "White Paper on Artificial Intelligence - A European approach to excellence and trust", a document prepared by the European Commission. The EDPS focuses not only on the document as a whole, but also on some specific aspects, such as the risk-based approach, the application of AI/IV legislation, as well as specific requirements for remote biometric identification (including facial recognition).

Belgium: DPA sanctions association that contacted former donors for a fundraiser

26 June 2020
The Belgian DPA sanctioned (€1,000) a non-profit organization after a former donor received postal requests despite having asked for his data to be deleted and having objected to subsequent mailings. While the non-profit organization claimed the legitimacy of the communications based on its legitimate interest, the DPA noted that legitimate interest rests on three requirements: 1) purpose, which must be legitimate; 2) necessity (the processing must be necessary for the pursuit of the legitimate purpose); 3) balance (the interest of the data controller must outweigh that of the data subject).

EU: study on the impact of GDPR on artificial intelligence

25 June 2020
The European Parliament has published a study that addresses the relationship between GDPR and artificial intelligence and specifically the challenges and opportunities for individuals and society, as well as ways in which risks can be mitigated and opportunities seized through existing regulations and technology. 

Spain: DPA publishes a document on biometric identification and authentication process

24 June 2020
The Spanish DPA (AEPD) has published together with the EDPS a paper containing 14 points on biometric identification and the authentication process that often generate confusion.

EU: Communication from the European Commission two years after the application of the GDPR

24 June 2020
Two years after the application of the GDPR, the European Commission has published its Communication to the Parliament and the Council on data protection as a pillar to strengthen the protection of EU citizens and the EU approach to the digital transition.

Spain: lawyer sends summons letters with personal data of other clients on the back

20 June 2020
A Spanish lawyer mistakenly sent some summons letters to the tenants of a residential building using sheets of paper that already had personal information of other clients, including a minor, printed on the back. The Spanish authority considered that there was a violation of Article 32 GDPR, which requires the data controller to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services", and therefore imposed a € 2000 fine.

EU: EDPB Declaration on the data protection impact of the interoperability of contact tracing app

17 June 2020
During its 32nd Plenary Meeting, the EDPB adopted the Declaration on the interoperability of contact tracing apps, as well as the Declaration on the opening of borders and related data protection rights. The first document, based on Guidelines 04/2020 on the use of location data, offers an in-depth analysis of several concepts including transparency, legal basis and ownership. The second document describes measures for a reopening of borders between Member Countries, including tests for COVID-19, certificates issued by health professionals and voluntary use of contact tracing apps.

Belgium: company fined for unlawful processing of personal data

16 June 2020
The Belgian authority imposed a sanction on a company that had carried out unlawful processing of personal data by sending marketing communications to a person who, although not registered in the database, had the same name as a person who was part of it. The person concerned had requested information about the collection of their data and had opposed their processing, requesting their cancellation. The company had not responded satisfactorily to the data subject, nor to the requests of the data protection authority in this regard.

EU: EDPS Opinion 3/2020 on the strategy for data

16 June 2020
The European Data Protection Supervisor (EDPS) has adopted Opinion 3/2020 on the European strategy for data. The Strategy was published by the European Commission on 19 February 2020 and is part of a broader set of strategic documents, including the Communication on Shaping Europe's digital future and the White Paper on Artificial Intelligence.

France: a GDPR guide for application developers

June 2020
The French DPA (CNIL) has developed a guide for application developers, which serves to keep in mind the GDPR principles in the design and system construction phase, in order to protect users' personal data.

Spain: home delivery app sanctioned for not appointing a DPO

14 June 2020
The food delivery app Glovo, based in Spain and widely used in Europe, had not appointed a Data Protection Officer (DPO) to whom data subjects' requests could be directed. Following a request for clarification from the Spanish Data Protection Authority (AEPD), Glovo motivated the choice by stating that it did not fall within the parameters indicated in art. 37 GDPR, but subsequently appointed a DPO. The AEPD subsequently decided to impose a 25,000 euro fine.

Italy: bank receives 600,000 euro fine for data breach

14 June 2020
The Italian DPA has imposed on a bank a sanction of 600 thousand euros at the end of an investigation concerning a data breach, notified by the bank itself, caused by abusive access to the personal data of over 700 thousand customers between April 2016 and July 2017, i.e. in the period prior to the application of the GDPR. The abusive accesses concerned various information, including personal and contact details, profession, level of education, details of identification documents and information relating to the employer, salary, loan amount, payment status, "approximate credit rating of the client" and IBAN code.

Spain: Twitter fined for violation of information and consent collection obligations

9 June 2020
The Spanish Data Protection Authority has imposed a sanction of 30,000 € on Twitter for violating information and consent collection obligations regarding the use of cookies, which were automatically loaded on the browsers of users who accessed the website, without any kind of action by them.

Hungary: company fined for denying former employee access to their mail archive

8 June 2020
The Hungarian DPA imposed a fine of about 565 Euros (200,000 HUF) on a company that denied a former employee access to their archived emails. The company will also have to cooperate with the former employee to review the email archive within 15 days in order to identify private content, without prejudice to the company's right not to provide full access to the archived emails, including information covered by trade secret.

Italy: statement on the DPIA presented by the Ministry of Health on the contact tracing app "Immuni"

3 June 2020
The Italian DPA has published a statement regarding the Data Protection Impact Assessment carried out by the Ministry of Health for the app "Immuni", created to counter the COVID-19 epidemic, in which the technological characteristics, operating principles and purposes of the application and its risk profiles are analysed. The DPA requires the adoption of technical and organisational measures to address some critical issues raised by the app, while noting that some critical issues remain intrinsic to the specific technological architecture used.

China: the new Civil Code strengthens privacy and data protection obligations

28 May 2020
The People's Republic of China has adopted a new Civil Code: in particular, the new provisions of the Civil Code aim to strengthen the right to privacy and the protection of personal data in China, introducing obligations for data controllers, including the adoption of security measures and requirements for the collection, use and processing of personal data.

EU: ENISA provides cybersecurity resources during the COVID-19 period

May 2020
The European Cybersecurity Agency has made available on its website a section on cybersecurity risks during the COVID-19 health emergency, using infographics, videos, articles and other resources to explain to remote workers and small and medium-sized enterprises how to prevent and manage cyber risks.

Germany: Court of Justice rules on cookies on Planet49 case

28 May 2020
The German Federal Court of Justice issued its ruling in the Planet49 case, on which the European Court of Justice had ruled on 1 October 2019, reiterating the requirements for deeming consent to cookies valid, including a clear prohibition on the use of pre-ticked boxes and the need for active confirmation by the user.

EU: EDPB releases Guidelines 05/2020 on consent

4 May 2020
The EDPB has issued the new Guidelines 05/2020 on consent under Regulation 2016/679, which update the Guidelines issued by the Article 29 Working Party on 10 April 2018. The changes focus primarily on the validity of the consent given by the data subject with regard to so-called cookie walls, and on the concept of an unambiguous indication of wishes.

Belgium: € 50,000 fine for DPO appointment violation

30 April 2020
A Belgian organisation received a €50,000 fine for failing to cooperate with the Authority and for the unlawful appointment of its Data Protection Officer: the DPO also worked within the company as Director of Audit, Compliance and Risk Management, thus presenting a conflict of interest.

EU: EDPB publishes guidelines 03/2020 and 04/2020 on the COVID-19 outbreak

21 April 2020
During the 23rd Plenary Session, the EDPB adopted Guidelines 03/2020 on the processing of health data for research purposes in the context of the COVID-19 outbreak and Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.

EU: Guide to tracking apps in the context of the COVID-19 outbreak

16 April 2020
The European eHealth Network, an independent network connecting national eHealth authorities designated by Member States, has published a guidance document on the use of contact tracing apps in response to the Coronavirus pandemic. The 'Toolbox' is part of the EU coordinated approach for the use of mobile apps in the fight against COVID-19, as set out in the European Commission Recommendation of 8 April 2020.

EU: Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection

16 April 2020
To ensure a consistent approach across the EU and give precise references to Member States and app developers, the European Commission has published a document outlining the features and requirements that apps should have to ensure compliance with privacy and data protection legislation, in particular the GDPR and the ePrivacy Directive.

EU: EDPB mandates subgroups to deepen data processing in the COVID-19 context

7 April 2020
The European Data Protection Board (EDPB) announced that it has mandated sub-groups of experts to investigate various aspects of data processing in the context of the COVID-19 crisis.

More specifically, a sub-group of technology experts will focus on the use of aggregated geolocation data and its anonymisation, the application of data protection principles to the available tools for tracking and tracing individuals and their location, a general legal analysis of the applications used to contain the spread of COVID-19, safeguards to ensure compliance with data protection principles, recommendations for contact tracing applications and the limitation of measures taken in response to COVID-19 to a specific time period. A sub-group of experts on compliance, e-government and health will focus on the processing of health data to advance scientific and medical research, the application of data protection principles (such as lawfulness, proportionality, transparency, respect for data subjects' rights and limitation of retention) to the processing of health data, the re-use of medical research data in relation to COVID-19 data sharing, the dissemination of information and data subjects' rights in emergency situations.

USA: Zoom under investigation for privacy issues

1 April 2020
The New York Attorney General's Office has launched an investigation into the Zoom videoconferencing app, which allegedly poses privacy concerns, especially with regard to the ease with which uninvited parties have been able to enter conversations and send violent or pornographic material. The FBI and the Attorney General of NY decided to investigate whether the app has adequate measures in place to protect users' privacy and personal data.

EU: Joint statement on the compatibility of data protection principles with health protection

30 March 2020
The Council of Europe, in line with the position adopted by the EDPB on coronavirus and privacy, reaffirms that the existing legal framework (specifically, Convention 108 and its modernised version "Convention 108+") sets high standards for the protection of personal data that are compatible with the effective protection of other rights, including public and individual health.

EU: ENISA publishes tips for cybersecurity when working from home

24 March 2020
ENISA, the EU Agency for Cybersecurity, has published recommendations for employers and workers on managing remote working during the health emergency, with particular attention to cyber security.

Iceland: EUR 20.000 fine for breach of health data 

11 March 2020
The Icelandic Authority has imposed a fine of ISK 3 000 000 (approximately EUR 20 000) on the S.Á.Á organisation for a security breach pursuant to Article 5(1)(f) and Article 32 of GDPR. The security breach arose when a box was delivered to a former employee that was supposed to contain his personal belongings but instead contained a considerable amount of sensitive patient information. The breach resulted in the disclosure of the names of 3,000 patients and detailed medical records of 252 individuals.

EU: EDPB issues official statement on COVID-19 outbreak

19 March 2020
The European Data Protection Board has published an official statement on the COVID-19 emergency, answering some common questions and underlining that the data protection principles and the GDPR do not hinder the management of the pandemic. However, the EDPB recalls that even in an emergency context, data controllers and data processors must process data lawfully, and that extraordinary measures must nonetheless respect the principle of proportionality and be limited in duration to the emergency itself.

Sweden: Authority fines Google for failure to enforce the right to delisting

11 March 2020
The Swedish Data Protection Authority imposed a fine of around EUR 7 million on Google, after verifying through an audit that the company did not fully guarantee the right of individuals to have results linked to their name removed from the search engine. Google, in fact, when removing the search result, warned the site in question of the removal, which could then publish it again, thus nullifying the measure. Google now has 3 weeks to appeal against the sanction.

Italy: urgent measures imposed to strengthen the security of certified mail service

6 March 2020
Following the vulnerabilities found during an inspection of the email provider Aruba, the Authority imposed the obligation to implement measures to strengthen the security of its certified e-mail service, which covers over six million accounts. The prescribed measures will allow the provider to guarantee the security of data subjects' data by preventing identity theft and other serious risks related to the improper use of personal data.

Italy: two schools fined for publishing unnecessary teachers' data

6 March 2020
The Italian DPA has sanctioned two schools for unlawfully publishing on their websites unnecessary information and health data in teachers' lists. The disclosure concerned 2000 individuals in one school and 1500 in the other, and included tax codes, residential addresses, telephone numbers, e-mail addresses, number of children and, in some cases, health data.

Poland: school fined for using biometric student data

5 March 2020
The Polish DPA imposed a fine of PLN 20,000 on a school that used the students' biometric data (fingerprints) to manage access to the school canteen, without a valid legal basis. The purpose of the processing could in fact have been easily achieved with less invasive measures, among others already present in the school, such as the use of electronic cards or the provision of one's own name and identification number. Among the consequences of the processing, moreover, there was clear discrimination against students using biometric data, who could enter the canteen before other students.

UK: airline sanctioned for failure to protect customer data

4 March 2020
Cathay Pacific received a fine of £500,000 for failing to protect its customers' data (more than 110,000 UK citizens and another 9.4 million travellers from around the world) with adequate security measures. The data had been accessed unlawfully following a hacker attack and consisted of names, passport and identity details, dates of birth, postal and email addresses, telephone numbers and travel history.

UK: Scottish company receives £500,000 fine for unwanted calls

2 March 2020
The ICO imposed a £500,000 fine on a Scottish company for making some 193 million unwanted calls. The calls were made using "spoofing", i.e. preventing the people receiving the call from knowing the identity of the caller. The company knowingly broke the law, not only by lacking valid consent from the data subjects and by not providing a means by which they could withdraw it, but also by attempting to evade the investigation by not providing up-to-date contact details and by moving its headquarters abroad. For these reasons, the Authority decided to impose the maximum sanction provided for in the legislation.

Italy: Coronavirus, the DPA says no to "do-it-yourself" data collection

2 March 2020
The DPA comments on the data collection activities that several public and private entities have carried out in recent weeks regarding the presence of Coronavirus symptoms and the recent movements of workers. The Authority emphasises that employers must refrain from collecting, including through specific requests to the individual worker, information on the presence of any symptoms in the worker or his closest contacts, or information falling outside the working sphere. This is because the purpose of preventing the spread of Coronavirus is pursued by the public health authorities.

EU: Guidelines on processing of personal data through video devices adopted

26 February 2020
The EDPB has published the "Guidelines 3/2019 on processing of personal data through video devices", which contain theory and practical examples relating to the processing of personal data obtained from video devices.

Netherlands: Authority launches investigation into information service providers

24 February 2020
The Dutch Data Protection Authority has announced that it has launched an investigation into Dutch companies with a PSD2 authorisation to access and process payment account information, called 'account information service providers' or AISPs. The Authority wants to verify whether these companies are aware of the risks involved in processing such information and whether they are operating in compliance with data protection legislation, such as the GDPR. 

EU: ENISA publishes cybersecurity guidelines for hospitals

24 February 2020
The guidelines issued by ENISA address the issue of cybersecurity for hospitals when procuring services, products and infrastructures; cybersecurity must be holistically integrated in the various processes, components and phases that influence the ICT ecosystem. The guidelines list good practices, related to the types of procurement for which they are relevant and the threats they can mitigate, providing a set of easy-to-use practices for hospitals.

EU: topics discussed during the 18th EDPB Plenary Session

20 February 2020
The European Data Protection Board (EDPB) and the EEA supervisory authorities have contributed to the assessment and review of the GDPR, as foreseen in Article 97 of the GDPR. The EDPB has also adopted guidelines to provide further clarification on the application of Articles 46.2(a) and 46.3(b) on transfers of personal data from EEA public authorities or bodies to public bodies in third countries or international organisations. In the light of the merger between Google LLC and Fitbit, the EDPB expressed its view that the impact of corporate mergers on the privacy and data protection rights of data subjects needs to be analysed.

Malta: Lands Authority fined for data breach

18 February 2020
The Maltese Data Protection Authority (Information and Data Protection Commissioner) has issued a € 5,000 fine to the Lands Authority, following the discovery of a data breach originating from the online platform on the Authority's portal, caused by the failure to adopt adequate technical and organisational measures to ensure the security of the processing.

Ireland: DPC's statement on Facebook's Dating feature

12 February 2020
The Irish DPA announced on its website that it had been contacted by Facebook Ireland on 3 February to communicate its intention to introduce a new Dating feature on 13 February. The Authority reportedly received no detailed information or documentation regarding the carrying out of a DPIA, and inspected Facebook Ireland's offices on 10 February to gather information. On 11 February, Facebook reportedly informed the Authority that it had decided to postpone the release of this new feature.

Germany: the DPA launches a public consultation on anonymisation

10 February 2020
The German Federal Data Protection Authority (BfDI) has launched a public consultation procedure inviting comments on a BfDI document on the anonymisation of personal data under the GDPR, with particular attention to the telecommunications sector. Specifically, the document points out that the GDPR does not apply to anonymised data, but that it is not clear under what circumstances data can be considered completely anonymised, or whether anonymisation itself constitutes a type of data processing, which as such would require a legal basis.

Italy: the DPA's inspection plan for January-June 2020

6 February 2020
The Italian Data Protection Authority has announced which bodies will be mainly inspected in the January-June 2020 period. These include multinational companies operating in the pharmaceutical and health sector, online banking services, intermediaries for electronic invoicing services and companies that process data for marketing activities.

Italy: telecommunications operator Tim receives 27.8 million euro fine

1 February 2020
The Italian DPA has imposed a fine of 27.8 million euros on TIM SpA for the unlawful processing of data on millions of people. Among the violations, the Authority found that the call centres engaged by Tim had in many cases contacted the data subjects without their consent. Other irregularities emerged in the data breach procedures and in the management of the apps, which contained unclear and misleading information. In addition to the severe sanction, the DPA also imposed 20 corrective measures consisting of prohibitions and requirements.

EU: EDPB guidelines on connected vehicles online for consultation

28 January 2020
The EDPB has released the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. The Guidelines will be in public consultation until 20 March 2020.

Italy: hospital to compensate a lawyer for mistakenly publishing his health data on its site

24 January 2020
A lawyer noticed some of his health data published on the website of the Villa Sofia-Cervello Hospital in Palermo, allegedly uploaded by mistake. The individual filed a lawsuit against the hospital and will receive compensation worth 15,000 euros (compared to the 200,000 euros initially requested).

EU: Italian DPA calls for a European task force on Tik Tok

24 January 2020
The Italian DPA, following some reports received about the social network Tik Tok, asked the EDPB, the European Data Protection Board, to set up a European task force to launch shared investigations into its processing activities. The DPA has pointed out to its European partners the need to proceed in a determined and coordinated manner, also in consideration of the relevance of the platform, which is mainly used by younger users and minors.

Germany: Facebook default settings do not count as informed consent

24 January 2020
The highest court in Berlin ruled on 24 January following a complaint by the Federal Consumer Association (vzbv) that Facebook is in breach of data protection law. In particular with regard to informed consent, the Court held that the transmission of geolocation information of users to third-party partners, or the use of the profile picture for commercial purposes, are settings that cannot be predefined as they require specific consent.

UK: guidance published on explaining AI decisions to the individuals affected

24 January 2020
The ICO and The Alan Turing Institute have launched the guide "Explaining decisions made with AI". This guide, divided into 3 parts, aims to provide organisations with practical advice to help them explain the processes, services and decisions provided or assisted by AI to the people affected by them. The public consultation ended on 24 January.

Italy: University Hospital fined for undue access to health records

23 January 2020
The Italian DPA announced in a press release that it has issued a 30,000 euro fine and imposed corrective measures on the Integrated University Hospital of Verona, which had informed the Authority of three unauthorised accesses to patient files by other employees of the facility. The personal data violation consisted of access made "out of mere curiosity" and was detected during the periodic checks carried out by the Hospital itself, which announced that it will implement more stringent access controls.

Italy: the Authority publishes a complaint form for data subjects

21 January 2020
The Italian Data Protection Authority has published on its website an overview of the procedure for the submission of complaints by data subjects, explaining the tool, the method of submission and providing a complaint form in .docx and .pdf format.

Belgium: the Authority publishes a recommendation on direct marketing

17 January 2020
The Belgian Data Protection Authority has also issued a recommendation on the processing of personal data for direct marketing purposes, as the UK Data Protection Authority had already done.

Italy: energy provider receives €11.5 million fine

17 January 2020
The Italian DPA issued a total fine of 11.5 million euros to energy provider ENI Gas e Luce for unlawful telemarketing and teleselling (8.5 million euros) and for the activation of unwanted contracts (3 million euros). As regards the first sanction, advertising calls were made without the users' consent, there were no technical and organisational measures to record their consent (or consent withdrawal), and users' data were unlawfully acquired from third parties.

France: CNIL to publish recommendation on cookies and tracking technologies

14 January 2020
CNIL, the French DPA, has launched a public consultation on its draft practical recommendations on cookies and tracking technologies. The aim is to clarify to operators using these technologies how to comply with the GDPR when obtaining user consent and, in particular, how to balance the requirement of clarity on the one hand with the completeness of information on the other. The Recommendation is in public consultation until 27 February 2020.

UK: retailer fined £500,000 for insufficient security measures

9 January 2020
DSG Retail Limited (DSG) was fined £500,000 for lack of adequate security measures. A data breach occurred, caused by a cyber attack in which malware was installed on thousands of tills in the company's stores. The data included first and last names, postal codes, email addresses, and card data used for transactions, affecting approximately 14 million people.

US: $7.5 million settlement for Google+ following class action

8 January 2020
Google LLC has agreed to settle a $7.5 million class action suit concerning Google+, the social media platform that was discontinued in April 2019. In October and December 2018, Google acknowledged that bugs in its platform had potentially exposed users' profile information to unauthorised third parties, including name, gender, email addresses, work location and home addresses, although there was no evidence that the data had been misused.

UK: ICO issues draft code of conduct for direct marketing

8 January 2020
The ICO has issued a draft code of conduct for direct marketing to promote good data processing practices in accordance with the GDPR and the e-Privacy Directive.

Spain: Vodafone is fined 44,000 euros for unlawful processing of a customer's personal data

7 January 2020
The AEPD imposed on Vodafone Spain a fine of 44,000 euros for the violation of Article 5 GDPR, specifically the principles of integrity and confidentiality. The procedure was initiated by a complaint from a private individual, who complained that the company had sent the concluded telephone contract to the address of a third party; the mailing contained the customer copy of the contract, the customer's personal data, the general conditions of the applied rate and the conditions of withdrawal.

EU: sanctions imposed by Authorities in 2019

7 January 2020
According to research carried out by the Federprivacy Observatory, in 2019 the 30 European Authorities imposed sanctions totalling € 410 million across 190 proceedings, with Italy first in terms of number of sanctions (30). The ICO, the Authority of the United Kingdom, issued a smaller number of measures, which however amount to €312 million.

EU: EU Council's draft position on the application of the GDPR

26 December 2019
The Council of the European Union has published a draft position on the application of the GDPR as part of the evaluation process of the Regulation itself. The document acknowledges that stakeholders' rights have been strengthened, but stresses that some issues need to be better addressed, including: the scope of applicability of the GDPR, the consent of minors, data transfers, EU representatives and new technologies.

UK: London pharmacy fined for negligent data storage

20 December 2019
The ICO sanctioned a pharmacy that had negligently kept about 500,000 documents containing special category data. The documents contained, in addition to addresses and personal details, medical information, prescriptions and NHS numbers, and were stored in unlocked containers; some of them had even been water damaged. The Authority therefore established that the pharmacy had inadequately stored and failed to protect customer data and imposed a penalty of £275,000.

Norway: the DPA fined the city of Oslo for incorrect storage of patient data

18 December 2019
The Norwegian Data Protection Authority imposed a fine amounting to 49,300 euros on the city of Oslo for storing patient data outside the electronic medical records system in the city's nursing homes and health facilities from 2007 to November 2018. In fact, employees used worksheets where general patient health information, full names and ID numbers were included. In deciding the amount of the sanction, the Authority took into account the fact that the breach had occurred largely in the period prior to the entry into force of the GDPR, and that the City of Oslo had voluntarily notified the data breach to the DPA.

Romania: two companies fined for failing to provide the information required by the DPA

16 December 2019
The Romanian Data Protection Authority sanctioned two companies that had not provided the information it requested under Article 83(5) GDPR, despite a first request and a subsequent warning to comply within 10 days. The first sanction amounts to 3,000 euros, the second to 2,000 euros.

EU: EDPS has developed software for the privacy and data protection inspection of websites

16 December 2019
The EDPS has released an open source tool, "Website Evidence Collector", to automate the privacy and data protection inspection of websites. The tool collects evidence of the processing of personal data, such as cookies or requests to third parties. The information collected, structured in a format readable by both humans and machines, enables website controllers, data protection officers and end users to better understand what information is transferred and stored while visiting a website, for example during the consecutive loading of a number of web pages without giving consent or logging in.

EU: EDPB releases standard contractual clauses for contracts between controllers and processors

11 December 2019
The EDPB has published in its Register for Decisions taken by supervisory authorities and courts the standard contractual clauses between data controller and data processor adopted by the Danish Supervisory Authority. They aim to help organisations meet the requirements of Art. 28(3) and (4), since such a contract should not only contain the requirements of the GDPR but should also specify them further, for example as regards the assistance provided by the processor to the controller.

EU: Guidelines on the criteria for the right to be forgotten by search engines

11 December 2019
The EDPB has just issued the "Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)", which will be in public consultation until 5 February 2020.

Romania: fine for the transmission of personal data to wrong addressee

10 December 2019
The Romanian Data Protection Authority imposed a fine of 14,000 € on Hora Credit IFN SA for the transmission of documents containing a person's personal data to the wrong recipient. Although the error had already been reported to both the operator and its call centre, Hora Credit had continued to send messages to the same address. The company had not notified the breach to the DPA within 72 hours and, following an investigation, the Authority found that the operator had not taken sufficient security measures with regard to personal data.

Netherlands: heavy fine for the use of biometric employee data for time attendance records

4 December 2019
A Dutch company received a fine of €725,000 for using employees' fingerprint data for time attendance. The Data Protection Authority considered that the consent given by the employees was neither free nor explicit and that, given the special category of data involved, neither consent nor security reasons provided a valid legal basis.

Germany: nearly €10 million fine on a telecommunication services provider

9 December 2019
The German Federal Data Protection Authority has announced that it has imposed a fine of €9,550,000 on a telecommunications service provider, 1 & 1 Telecom GmbH, for failing to take sufficient technical and organisational measures to prevent unauthorised persons from obtaining information on customer data via the telephone support service. It appears that the authentication procedure only required the user's name and date of birth. Another sanction concerns Rapidata GmbH, which will have to pay a fine of 10,000 euros for inconsistencies in the appointment of the DPO.

Hungary: Authority fines a municipality for unlawful video surveillance

6 December 2019
The Hungarian Authority has announced that it has sanctioned the municipality of Kerepes with a fine of 5 million HUF (about 15,000 euros), which has allegedly carried out unlawful processing by video surveillance. In fact, the municipality used the legal basis of the legitimate interest (not justified for a public body), violated the principle of minimisation due to the excessive number of cameras compared to the extent of the risk, and had not provided adequate information regarding the processing.

Spain: Ikea is fined for cookie violations

5 December 2019
The AEPD has imposed a fine of 10,000 euros on Ikea Spain for cookie violations. Following a complaint, the Authority found that each time a user accessed the site, 23 cookies were automatically downloaded without the user's consent being sought.

EU: ENISA publishes report on pseudonymisation techniques and best practices

3 December 2019
The ENISA report "Pseudonymisation techniques and best practices" addresses the parameters that can influence in practice the choice of pseudonymisation techniques, such as data protection, utility, scalability and recovery. It also contains use cases related to the pseudonymisation of certain types of identifiers (IP addresses, e-mail addresses, complex data sets).

UK: ICO issues guidance on special category data

29 November 2019
The ICO has published guidance on special categories of personal data on its website, in which these categories are identified and defined and further documents and examples are provided for each of them.

France: €500,000 fine for illicit telephone marketing

26 November 2019
The CNIL has imposed a fine of 500,000 euros on a company specializing in thermal insulation of private homes. The controls were initiated in response to a complaint against the call centre activity carried out by the company, which contacted certain prospects despite the fact that they had exercised their right to object. The inspection subsequently revealed other non-compliances, such as the illegal recording of certain telephone conversations.

EDPB: guidelines on data protection by design and by default open for feedback

20 November 2019
The EDPB has published Guidelines 4/2019 on Article 25 Data Protection by Design and by Default. The guidelines will be subject to public consultation until January 2020. In addition to underlining the primary commitment of data controllers to data protection by design and by default, the EDPB encourages technology providers to use the DPbDD as a competitive advantage in the market.

Spain: AEPD publishes a guide for patients on their rights with respect to data processing

14 November 2019
The AEPD has published a guide for patients and healthcare users, which provides answers to the most frequent doubts that citizens have when their personal data are processed by healthcare entities, administrations and professionals and aims to make it easier for them to know their rights.

Spain: company fined for lack of adequate measures in confirming the identity of a data subject

11 November 2019
The Spanish DPA fined the company Madrileña Red de Gas 12,000 euros for failing to take adequate measures to confirm the identity of a data subject. The complainant stated that the company had sent their information to a third party by email in response to an investigation.

EDPS Guidelines on the concepts of controller, processor and joint controllership

7 November 2019
The EDPS has issued guidelines which aim to provide practical guidance on the concepts of controller, processor and joint controller. The topics covered include the distribution of mutual obligations and responsibilities, in particular in managing the exercise of data subjects' rights, and case studies on the controller-processor relationship, separate controllership and joint controllership.

Germany: 14.5 million euro fine for illicit data retention

5 November 2019
The German DPA sanctioned a leading real estate company, Deutsche Wohnen SE, with the highest fine ever issued in Germany, amounting to 14.5 million euros. The GDPR violation consisted in having retained tenants' personal data for an unlimited period of time, without examining whether the storage was lawful or necessary. According to the report, the company used a filing system that did not allow the deletion of data no longer necessary for the purpose for which they were collected; the data concerned financial and personal circumstances, such as tax, social and health insurance data.

France: CNIL updates its DPIA software

31 October 2019
The French Data Protection Authority updated the open source software PIA, a tool available in French and English for data controllers, which facilitates and supports the performance of Data Protection Impact Assessments (DPIA).

Austria: the DPA sanctions the Postal Service with an 18 million euro fine for unlawful use of data

29 October 2019
The Austrian Data Protection Authority (Datenschutzbehörde - DSB) has imposed a fine of EUR 18 million on the National Postal Service (Post AG). The sanction was imposed for the unlawful use of user data to infer their political orientation and to offer this information, in return for payment, to political parties for marketing purposes. The unlawful processing concerned the names, addresses, age and gender of around 3 million users.

UK: ICO explores the issue of impact assessment in artificial intelligence systems

23 October 2019
The ICO has published an analysis on conducting a DPIA (Data Protection Impact Assessment) for AI systems. In particular, the ICO recommends that the assessment contain at least a systematic description of the processing, an assessment of its necessity and proportionality, the risks to the rights and freedoms of the data subjects, and the measures to counter those risks. It also suggests updating the assessment regularly whenever the nature, scope, context or purpose of the processing changes.

Spain: AEPD sanctions Vueling for non-compliant cookie practices

22 October 2019
The Spanish DPA has imposed a fine of 30,000 euros (reduced to 18,000 with a single payment) on the airline Vueling for non-compliant cookie practices on its website. Users had no real possibility of refusing cookies: instead of allowing granular acceptance or refusal, the page referred them to the settings of their browser, without giving sufficient information.

Ireland: DPA publishes guides on data breach notification and online risks

October 2019
The Irish Data Protection Commission has published a guide on data breach notification which aims to support data controllers in identifying notifiable data breaches and notifying them correctly. The guide also includes case studies for a practical approach.
In addition, a guide has been published on the main online risks, to help prevent data security incidents and data breaches.

France: the Supervisor publishes a list of processing operations not requiring a DPIA

17 October 2019
The CNIL, the French Data Protection Authority, has published a list of 12 types of data processing for which the DPIA, or data protection impact assessment, is not mandatory. In November 2018, CNIL had already published a list of data processing operations that necessarily required an impact assessment.

EU: EDPS survey on IT contracts between Microsoft and the countries of the European Economic Area

17 October 2019
Cooperation between public authorities of the Member States, EU institutions and other international organisations is essential to ensure that contractual arrangements with Microsoft guarantee the same level of protection of individual rights throughout the European Economic Area (EEA). Although the investigation is still ongoing, the preliminary findings do reveal serious concerns about the compliance of the relevant contractual clauses with data protection rules, also with regard to Microsoft's role in relation to several European institutions.

Italy: hidden cameras at the workplace, the DPA on the ruling of the ECHR

17 October 2019
The President of the Italian DPA comments on the ECHR judgement on the use of hidden cameras in the workplace, pointing out that hidden video surveillance is allowed "only as a last resort", for "serious crimes", and confined in space and time so as to limit as much as possible the impact of the control on the worker. It cannot therefore become an ordinary practice.

Spain: Authority publishes a guide to facilitate the application of privacy by design

17 October 2019
The Spanish Data Protection Authority (AEPD) has published a "Privacy by Design Guide" with the aim of providing guidance that makes it easier to incorporate data protection principles and privacy requirements into new products or services from the moment they are designed.

EU: ECHR states that if proportional, the use of hidden cameras at the workplace is admissible

16 October 2019
The European Court of Human Rights ruled that, while respecting the principle of proportionality, employers may install hidden cameras without informing workers if they have reasonable grounds to suspect that they are stealing from the company. The Court ruled that in the present case the surveillance did not exceed what was strictly necessary to establish the offence, and that it was carried out in a limited period of time in a place already open to the public, and including a limited number of persons.

Poland: sanction for failure to implement adequate mechanisms for withdrawal of consent

16 October 2019
The Polish Authority imposed a fine of more than PLN 201 000 (equivalent to approximately EUR 47 000) on one company for obstructing the exercise of the right to withdraw consent to the processing of personal data. The company in question did not implement adequate technical and organisational measures that would enable the simple and effective withdrawal of consent (which according to GDPR should be as easy as granting consent) and the exercise of the right to be forgotten. 

EU: EDPB publishes guidelines on data processing in the provision of online services to data subjects

16 October 2019
After a public consultation, the EDPB published the "Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects", which deal with the processing of personal data in contracts for online services, also taking into account the aspect of the necessity of data processing for the execution of a contract.

Netherlands: a guide for the processing of sick employees' personal data

11 October 2019
The Dutch Data Protection Authority has published a comprehensive employer's guide which addresses the most common concerns regarding the way in which sick employees' data are processed. In particular, the Supervisor specifies which data the employer may ask the employee for, which data he/she may record, and clarifies the management of absence systems.

Germany: Ethics Commission publishes recommendations for Artificial Intelligence management

9 October 2019
The Data Ethics Commission has published recommendations to the German Government on the strategy to be adopted in the regulation of artificial intelligence. It has also published an Opinion (also available in English) which sets out guidelines for the ethical and human-centred development of AI systems. These two documents show a "hard" approach to Artificial Intelligence from Germany that could have a strong impact on the future regulation of AI at European level.

Greece: administrative penalty for a telephone service provider

7 October 2019
The Hellenic Authority imposed a 200,000 euro fine on the telephone service provider 'OTE' for violation of Article 25 (data protection by design) and Article 5(1) (principle of accuracy), because some customers who had registered in the opt-out register nevertheless received unsolicited calls from third-party companies promoting products and services. In addition, due to a malfunction of the "Unsubscribe" link, about 8000 people were unable to exercise their right to object, for which the DPA imposed an additional fine of 200,000 euros.

EU: latest version of ePrivacy Regulation published

4 October 2019
The Council of the European Union has published the latest version of the proposal for the ePrivacy Regulation concerning the respect for private life and the protection of personal data in electronic communications.

Romania: Authority imposes 170,000 euro fine on bank for data breach

1 October 2019
The Romanian DPA has sanctioned Raiffeisen Bank and the online credit platform Vreau Credit for a total of 170,000 euros for violation of Articles 32-33 GDPR. The investigation was initiated following the notification of a breach in which two Raiffeisen Bank employees, using data from the identity documents of certain natural persons (transmitted on WhatsApp by Vreau Credit employees), carried out checks to determine their creditworthiness, performing simulations for 1177 individuals. Raiffeisen Bank had therefore not implemented adequate technical and organisational measures to ensure an appropriate level of security and had not assessed the risks presented by the processing, which led to unauthorised access to, and unauthorised disclosure of, personal data by the bank's employees. Furthermore, Vreau Credit SRL did not notify the supervisory authority of the personal data breach until the end of the investigation, although the security incident had been detected in December 2018.

EU: Google to comply with requests for erasure of sensitive data from search engines in the EU

24 September 2019
The EU Court of Justice has ordered Google to comply with requests for the erasure of sensitive data from data subjects; the operator of a search engine is required to carry out the deindexing in the corresponding versions of the engine in all the Member States, in combination with measures which effectively prevent EU internet users carrying out a search on the basis of the name of the data subject from having access, through the list of results displayed as a result of that search, to the links which are the subject of that request, or at least to strongly discourage those users.

"Privacy sweep 2019": the international survey on the management of data breaches

23 September 2019
The Italian Data Protection Authority, together with the authorities of 17 other countries around the world, has launched the "Privacy sweep 2019", an international investigation into the management of data breaches by public and private entities, in which they will examine the procedures adopted to manage violations. In Italy, investigations will focus on companies operating in the e-commerce sector.

Belgium: €10,000 fine for disproportionate use of electronic identity card to obtain a loyalty card

19 September 2019
The Belgian authority imposed a fine of €10,000 on a retailer that had required the use of an electronic identity card as the only means of obtaining a loyalty card. The identity document contains far more data than is necessary to create the card, so its processing was disproportionate to the purpose. This constitutes an infringement of the minimisation principle and an absence of valid consent, since the user had no real alternative: users who did not want to use their identity card for this purpose would have had no access to the discounts reserved for loyalty card holders.

Poland: the DPA imposes the highest GDPR penalty to date for maxi data breach

19 September 2019
The Polish Data Protection Supervisor has announced the highest fine ever issued for violations of the GDPR: about 645,000 euros (PLN 2.8 million) against an online retailer which had suffered a massive data breach affecting more than 2.2 million users. The retailer was sanctioned for not having put in place the security measures necessary to protect customer data.

UK: a company was fined for making calls to persons who had not given their consent

18 September 2019
The ICO imposed a $150,000 fine on Superior Style Home Improvements Ltd for making commercial calls for a period of 11 months to people whose numbers were registered with the Telephone Preference Service (TPS) and who had not given their consent to receive them. 

Germany: data protection Authorities examine a proposal for a model that determines the level of administrative fines

17 September 2019
The German Conference of Data Protection Authorities has examined a proposal for the development of a model for calculating the amount of an administrative penalty under the GDPR that is systematic, transparent and comprehensible. The Authority's press release does not contain the criteria on which the model will be based, which will probably be made known when it is finally adopted.

UK: ICO makes available guidance for organisations after Brexit

11 September 2019
The ICO has published on its website a series of resources and tools designed to guide companies, from small and medium-sized enterprises to large organisations, in processing data in the event of a no-deal Brexit. The DPA states that the UK intends to maintain GDPR standards even after leaving the EU, so companies that do not exchange data with EEA countries will not have to make major changes; for those that do, the ICO offers tools to identify the activities to be carried out.

UK: gender identity clinic accidentally discloses nearly 2000 email addresses

6 September 2019
A gender identity clinic near London sent an email for an art competition to its patients, CC-ed in almost 2000 email addresses. When the clinic noticed the error, it was no longer able to recall the email. The violation, which will be notified to the ICO, is an example of a data breach attributable to a 'human error' within the organisation.

Spain: the Data Protection Authority publishes a list of processing operations not subject to DPIA

4 September 2019
The Spanish Data Protection Authority has published a list of the processing activities that do not require a Data Protection Impact Assessment (DPIA), with the aim of simplifying their identification by data controllers. The exempt processing operations include, for example, those carried out to comply with legal obligations and those for the internal management of SMEs for accounting, payroll and occupational safety purposes.

Latvia: DPA imposes € 7000 penalty on online retailer

3 September 2019
The Latvian Data State Inspectorate (DSI) has imposed a fine of 7000 euros on an online retailer for non-compliance with the GDPR as regards the data subject's right to erasure (the company had ignored the repeated requests of a user to delete his data), and for non-cooperation with the Supervisory Authority. In establishing the sanction, the Authority also took into account the gravity of the violation, the number of persons involved and the turnover of the previous year.

Bulgaria: tax agency fined 2.6 million euro for massive data breach of taxpayers

2 September 2019
The President of the Bulgarian DPA, Ventsislav Karadjov, has announced that the Authority will impose a fine of about 2.6 million euros on the Revenue Agency, which has suffered a data breach that has impacted 4.1 million taxpayers. The Authority took into account the Agency's responsibilities in reporting the breach and contacting the persons concerned, as well as the large amount of data involved. The Agency defended itself by claiming that unauthorised access to and extraction of data took place despite the security measures taken and that it will appeal.

USA: YouTube to pay $200 million for violating children's privacy

30 August 2019
Google has agreed to pay $200 million to settle the Federal Trade Commission's allegations that YouTube had infringed children's privacy laws by collecting their data without parental consent in order to serve them highly targeted advertising. This is the largest amount so far imposed for violation of the Children's Online Privacy Protection Act, which prohibits online services from collecting personal data from children under 13 years of age.

Bulgaria: bank fined for data breach affecting 33,000+ clients

28 August 2019
Bulgarian bank DSK Bank has been fined 1 million levs (more than 500,000 euros) for a data breach affecting more than 33,000 customers. The data consisted of the first and last names, addresses, copies of identity documents and other personal information of persons who had applied for loans from the bank. The sanction was imposed for the lack of adequate technical and organisational measures protecting clients' personal data.

Greece: bill to harmonise national legislation with GDPR approved

27 August 2019
On Monday, August 26, the Greek Parliament approved by a large majority the bill that will bring the national law into line with Regulation 2016/679. Although the Regulation had already become applicable in Greece, as in all EU Member States in May 2018, Athens had not yet produced the necessary legislation to specify how some provisions of the GDPR would apply in the country. The country would have risked severe penalties if it had not included the Regulation in the body of its national law.

Spain: according to the Court of Cassation, energy consumption data are personal data

26 August 2019
The Spanish Court of Cassation has ruled that data resulting from the measurement of individual electricity consumption, such as the times at which electricity is used, the premises in which it is used or the appliances connected, are personal data. From such data it is possible to trace individuals' consumption habits, the times at which they are at home and whether they live alone, and the data can be linked to consumers' identification data, including their first and last names. However, as the collection of these data is justified by the need to verify that businesses and consumers comply with the law, the Supreme Court considers that the legal basis is the general interest, and that it is therefore not necessary to seek consumers' consent.

Lithuania: web hosting company suffers data breach that impacts on 14 million users

25 August 2019
Hostinger, a well-known Lithuanian web hosting company, has suffered a data breach that affected about 14 million users. The company had used an encryption algorithm, which however does not seem to have been enough to protect against the attack. As a preventive measure the company reset users' passwords and sent them an email with reset instructions and information on the types of personal data affected; it also reported the data breach to the competent authorities.

USA: maxi data breach for one of the major credit card issuers

30 July 2019
Capital One Financial Corp, one of the largest credit card issuers in the U.S., has announced that it was the target of a cyber attack affecting about 105 million U.S. citizens and 6 million Canadian citizens. The data breach involved social security numbers, bank account numbers and many other personal data. According to investigators, the breach was made possible by a weakness in the firewall of the Amazon cloud service, which a former software engineer exploited to steal the data.

Sweden: first fine of the DPA to a school that used facial recognition on students

30 July 2019
The Swedish DPA issued its first fine (SEK 200,000) to a high school that used facial recognition to record students' attendance at lessons. The school board stated that it had asked the students for consent to use their biometric data for facial recognition, but the Authority considered that consent was not an adequate legal basis because the students were in a position of dependence vis-à-vis the school board, and that there were other, less privacy-intrusive ways to track school attendance.

Italy: the DPA's provision on the notification of data breaches

30 July 2019
The Italian DPA (Garante) has adopted a specific measure on the notification of data breaches with the aim of assisting companies, banks and public administrations in fulfilling their privacy obligations; in the interest of simplification, it has also prepared a notification template containing all the information required by law.

Greece: €150,000 sanction for an employer processing employee data in violation of the GDPR

30 July 2019
The Hellenic Data Protection Authority recently imposed a €150,000 fine on an employer who was unlawfully processing its employees' data. In fact, the choice of the legal basis for the processing (Article 5(1)) was inappropriate, and the processing itself proved to be unfair and non-transparent, as employees were told that their data was processed on the basis of consent, while they were processed under a legal basis of which they had never been informed. The employer also violated the principle of accountability by transferring the burden of proof of compliance to the data subjects.

Germany: embedding a 'like' button on a site makes the website operator joint controller with Facebook

29 July 2019
The Court of Justice of the European Union, in the decision Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, stated that website operators embedding a "like" button that refers to a Facebook page are joint controllers with Facebook. This means that they are obliged to enter into an agreement with Facebook and to inform data subjects accordingly. The case concerned a German e-commerce company, which had been sued by a consumer protection association. It is irrelevant, in this respect, that the website operators have no access to the data processed by Facebook, since it is the operators themselves who decide to embed the "like" button to increase the visibility of their products on the social network.

France: the CNIL has imposed a fine of € 180,000 on an insurance company for failing to adequately protect the data of users of its website

18 July 2019
In June 2018, the CNIL received a report from one of the company's customers indicating that, from his account, he had been able to access the personal data of other customers.
An online audit revealed that the company's customers' accounts were accessible via referenced hyperlinks on a search engine. Customer documents and data were also accessible by changing the numbers at the end of the URLs displayed in the browser. These documents included copies of driver's licenses, registration cards, bank identity documents and documents to determine whether a person had been subject to a driving disqualification or an accident.
On the basis of the investigations conducted, the CNIL considered that the company had breached its obligation to secure personal data under Article 32 of the GDPR, and consequently imposed a fine of 180,000 euros. In particular, it took into account the seriousness of the breach, given the nature of the data and documents in question, and the number of persons concerned, as the lack of security affected the accounts of several thousand customers and of persons who had terminated their contract with the company. On the other hand, the CNIL also took into account the company's responsiveness in correcting the security defect and its cooperation with the CNIL.

EDPB issues Guidelines on video surveillance

10 July 2019
The EDPB has published the Guidelines on the processing of data through video devices, which investigate the effects of traditional and 'intelligent' video surveillance, and the consequences of these processing activities on people. While this invasive processing can be justified by public security reasons that are greater than the risks, other purposes such as marketing or attendance control can be more insidious and unnecessarily impactful. The EDPB recommends the use of video surveillance as a 'back-up measure' when the purpose cannot be achieved by other less intrusive means.

UK: Marriott to receive more than £99 million fine for data breach

9 July 2019
The ICO has notified its intention to fine Marriott £99,200,396 for the data breach notified in November 2018, caused by insufficient due diligence on the security measures protecting customers' data. The compromised data belonged to 339 million guests from all over the world, of whom about 30 million were residents of the European Economic Area and 7 million residents of the United Kingdom.

UK: ICO intends to fine British Airways for breaches of data protection law

8 July 2019
British Airways has been fined 138 million pounds (204 million euros) following the 2018 hacker attack in which the credit card details of 380,000 passengers were copied. The fine amounts to 1.5% of the company's total turnover in 2017. The company says it is surprised at the decision, as it did everything possible to remedy the incident promptly.

UK: DPA to investigate how TikTok protects children's data

1 July 2019
The Data Protection Authority (ICO) responded to the Online Harms White Paper, a white paper containing the government's plans to keep Internet users safe. Among other topics, the DPA confirms that it is investigating TikTok because the app does not seem to sufficiently protect children and their data. In addition, although the app requires a minimum age of 13, in practice there is no verification system that prevents access.

Italy: DPA imposes €1 million fine on Facebook for Cambridge Analytica case

28 June 2019
The Italian Data Protection Authority has imposed a €1 million fine on Facebook for the Cambridge Analytica case. The sanction, being based on a 2016 case, was imposed on the basis of the former Italian Privacy Code and follows the measure of January 2019, in which the Authority had forbidden Facebook to continue to unlawfully process the data of Italian users.

Romania: first fine on a bank for violation of the principle of minimisation

27 June 2019
The first sanction by the Romanian DPA was imposed on Unicredit bank, for violation of Article 25 (principle of data protection by design and by default) and the principle of minimization, and amounts to 130,000 euros. The infringement concerns the fact that the beneficiaries of the payments could see through a statement of account some data of the payer that went beyond what was necessary, such as their address and tax code.

Egypt approves first national law on data protection

24 June 2019
Although it is not strictly related to Europe, it is certainly significant that Egypt has passed its first national data protection law, which protects Egyptian citizens and European citizens living in Egypt. Companies will be required to obtain the consent of individuals before collecting, processing or disseminating their data. Any company found to have violated the law will face no less than three months of imprisonment and fines ranging from EGP 100,000 to 1,000,000. The law is also very strict regarding the unauthorized transfer of data abroad, which would result in a sanction of between EGP 300,000 and 3,000,000.

UK: ICO fines telecoms company for sending unlawful text messages

24 June 2019
The ICO imposed a £100,000 fine on the telecommunications company 'EE Limited', which in early 2018 sent over 2.5 million direct marketing text messages to its clients without their consent. The company defended itself by claiming that these were service messages, but the ICO found the messages contained direct marketing content and promoted products and services. The DPA reminded that companies sending promotional content must act in accordance with applicable laws, or face fines of up to £500,000.

France: company receives € 20,000 sanction for disproportionate video surveillance of employees

18 June 2019
The French DPA (CNIL) imposed a fine of €20,000 on a company for setting up a video surveillance system which placed its employees under constant surveillance. The company had also failed to provide adequate information to its employees and to implement appropriate information security measures. The company had already been inspected in previous years, but the violations continued despite the recommendations, hence the decision to impose a fine.

Spanish DPA publishes recommendations on anonymisation processes

14 June 2019
The AEPD has published recommendations for those who perform anonymisation processes. The document analyses the limits of the effectiveness of these processes, the extent to which the information is really anonymous and how to quantify the risk of re-identification. It also analyses k-anonymity, a technique for measuring the degree to which individuals in an apparently anonymous data set could still be identified.
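To show how k-anonymity quantifies the re-identification risk the AEPD document discusses, here is an added Python example; it is not code from the AEPD or from its recommendations. The six-row table, the choice of quasi-identifiers (age, zip, sex) and the two generalisation hierarchies are all constructed for the demonstration. It goes slightly beyond the single metric by searching for the least lossy generalisation that reaches a target k.

```python
"""Measuring and raising k-anonymity over a small constructed data set (added example)."""
from collections import Counter
from itertools import product
from typing import Optional, Tuple

# Constructed sample: age, zip and sex are the quasi-identifiers, diagnosis the
# sensitive attribute. Every row is unique on the quasi-identifiers as published.
ROWS = [
    {"age": 31, "zip": "28001", "sex": "F", "diagnosis": "flu"},
    {"age": 33, "zip": "28002", "sex": "F", "diagnosis": "asthma"},
    {"age": 34, "zip": "28005", "sex": "M", "diagnosis": "flu"},
    {"age": 38, "zip": "28007", "sex": "M", "diagnosis": "diabetes"},
    {"age": 42, "zip": "28010", "sex": "F", "diagnosis": "flu"},
    {"age": 45, "zip": "28012", "sex": "F", "diagnosis": "asthma"},
]
QIS = ("age", "zip", "sex")


def equivalence_classes(rows, qis) -> Counter:
    """Group rows by their quasi-identifier tuple; each group is an equivalence class."""
    return Counter(tuple(str(r[q]) for q in qis) for r in rows)


def k_anonymity(rows, qis) -> int:
    """k is the size of the smallest equivalence class (0 for an empty table)."""
    classes = equivalence_classes(rows, qis)
    return min(classes.values()) if classes else 0


def max_reidentification_risk(rows, qis) -> float:
    """Upper bound on the chance of linking a record to one person: 1/k."""
    k = k_anonymity(rows, qis)
    return 1.0 if k == 0 else 1.0 / k


def generalise_age(age: int, level: int) -> str:
    """Level 0: exact; level 1: ten-year band; level 2: suppressed."""
    if level == 0:
        return str(age)
    if level == 1:
        low = (age // 10) * 10
        return f"{low}-{low + 9}"
    return "*"


def generalise_zip(zip_code: str, level: int) -> str:
    """Level 0: full code; level 1: first three digits; level 2: suppressed."""
    if level == 0:
        return zip_code
    if level == 1:
        return zip_code[:3] + "**"
    return "*"


def generalise(rows, age_level: int, zip_level: int):
    """Return a generalised copy of the table; sex is kept as-is."""
    return [
        dict(r, age=generalise_age(r["age"], age_level), zip=generalise_zip(r["zip"], zip_level))
        for r in rows
    ]


def find_min_generalisation(rows, qis, k_target: int, max_level: int = 2) -> Optional[Tuple[int, int]]:
    """Smallest (age_level, zip_level), by total information loss, reaching k >= k_target.

    Returns None when no generalisation of these two attributes achieves the
    target: the remaining quasi-identifier would then need generalising, or
    rows would need to be suppressed.
    """
    candidates = sorted(product(range(max_level + 1), repeat=2), key=lambda t: (sum(t), t))
    for age_level, zip_level in candidates:
        if k_anonymity(generalise(rows, age_level, zip_level), qis) >= k_target:
            return age_level, zip_level
    return None


if __name__ == "__main__":
    print("k as published:", k_anonymity(ROWS, QIS))
    levels = find_min_generalisation(ROWS, QIS, 2)
    print("levels for k>=2:", levels)
    if levels:
        for row in generalise(ROWS, *levels):
            print(row)
```

As published the table has k = 1, so anyone who knows a neighbour's age, zip and sex can read off their diagnosis; banding ages by decade and truncating the zip code raises k to 2, halving that risk. Note that k = 3 is not reachable here without touching the sex column or dropping rows, which is exactly the kind of limit the AEPD document warns about: k-anonymity describes the risk, it does not remove it for free.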

Spain: La Liga receives a fine of 250,000 euros

12 June 2019
The Spanish football league La Liga was fined 250,000 euros by the Spanish DPA because its official app activated the microphone and GPS of the smartphones on which it was installed without informing users. This was done to check whether the phone owners were watching the game with an official subscription or via pirate streaming channels. La Liga has announced that it will appeal.

Italy: DPA blocks illicit acquisition of consent through points collection program

12 June 2019
The Italian DPA has intervened to limit the promotional activity of Pampers which, through an online form on its website, required users participating in the company's points collection program, to give their consent to receive commercial communications on their email address. In fact, subjects could not express a free and specific consent for the individual processing purposes that the company intended to carry out, and did not receive adequate information regarding the purposes and methods of processing their data for promotional purposes.

EDPB publishes updated GDPR Guidelines

12 June 2019
The EDPB has published updated versions of its "Guidelines 4/2018 on accreditation of certification bodies pursuant to Article 43 of the General Data Protection Regulation" and of the "Guidelines 1/2018 on certification and identification of certification criteria in accordance with Articles 42 and 43 of the Regulation". The new version of Guidelines 4/2018 contains guidance on the "additional" accreditation requirements that supplement the ISO/IEC 17065:2012 standard, in accordance with Article 43(1)(b) and Article 43(3) of the GDPR.

France: company receives 400,000 euros penalty for failing to adequately protect its website users' data

6 June 2019
Following a complaint by an individual, the CNIL imposed a fine of 400,000 euros on a real estate management company which had not properly protected its website users' data. In fact, a user could access, from their personal account on the site, the documents saved by other users simply by slightly modifying the URL displayed in the browser. The violations found are non-compliance with the security requirements of Article 32 of the GDPR, and the fact that the data were stored beyond the time required to carry out the processing activities.

UK: ICO launches tool to help companies identify legal basis

1 June 2019
The UK Data Protection Authority has developed an interactive tool for companies to identify the most appropriate legal basis for their processing activities. At the end of the questionnaire, the tool provides a response with a rating for each legal basis, including some recommended actions and links to useful tools.

Belgium: Authority fines mayor for unlawful processing for electoral purposes

29 May 2019
The Belgian Data Protection Authority has announced the imposition of a fine of €2,000 on a mayor for unlawful data processing. The mayor allegedly did not observe the principle of purpose limitation: he had obtained some e-mail addresses as part of an urban planning project and re-used them for electoral campaign purposes. In quantifying the sanction, the DPA took into account the limited number of persons affected and the nature, gravity and duration of the offence. This is the first sanction imposed by the Belgian DPA under the GDPR.

EU: European Commission publishes guidelines on the free flow of non-personal data

29 May 2019
As part of the broader European strategy called "Digital Single Market", the European Commission has published the Guidelines on the free flow of non-personal data, where the recent FFD Regulation is analysed. The Guidelines aim to help businesses understand the interactions between the new legislation and the GDPR, and thus the relationship between personal and non-personal data, including the situation where the two are combined. 

EU: managing risks related to the processing of children's data

27 May 2019
In its latest newsletter, the EDPS focuses on the processing of children's data and its associated risks, as well as on the European and international standards which increasingly recognise children's data as a category of data requiring specific precautions. Because children are less aware of their rights and of the risks associated with processing, the GDPR and the data protection rules for EU institutions provide for certain limitations, such as the prohibition on subjecting children to automated decision-making.

Netherlands: the DPA causes data breach by sending CC-email

24 May 2019
The Dutch Data Protection Authority (AP) has itself caused a data breach. A spokesperson sent an email to 38 addresses, including journalists, editors and others, placing them all in the CC field. This allowed each recipient to see who else had received the e-mail. The DPA does not consider a 'self-notification' to the Authority necessary, as it regards the violation as minimal, and states that where the recipients of an e-mail know each other, a CC e-mail can serve a legitimate work purpose.

Belgium: implementation of the NIS Directive, the law is GDPR-inspired

24 May 2019
Belgium is the first European country to have transposed the content of the NIS Directive into national law (here is the text in the original language). The NIS Directive is the first European legislation on cybersecurity and is part of the broader "EU cybersecurity strategy". Its implementation introduces a number of obligations for operators of essential services and digital service providers. The link with the GDPR is evident: the obligations imposed by the NIS include both technical and organisational security measures and notification obligations in the event of incidents with a negative impact on the availability, confidentiality, integrity or authenticity of the networks and information systems used by the individual market operator. In addition, a DPO must be appointed by all operators of essential services and digital service providers.

UK: the ICO provides a self-assessment tool to determine when to notify a breach to the Data Protection Authority

22 May 2019
The UK DPA has created a self-assessment tool to help organisations understand when to notify a breach to the Data Protection Authority. The ICO stresses that a breach need not always be reported, but only when, following an assessment of the probability and severity of the risks to the rights and freedoms of individuals, it is likely that such a risk exists. The tool is based on multiple-choice questions and can be completed in two minutes.

Ireland: the Data Protection Commissioner warns against spyware attacking WhatsApp

14 May 2019
The Data Protection Commissioner has issued a press release regarding a security incident reported to it by WhatsApp, according to which spyware could exploit a vulnerability in the app to steal personal data, with the spyware being installed through a voice call. The Authority is still investigating the possible damage and advises users to update the app to the latest available version.

UK: company faces £120,000 fine for sending 3.5 million direct marketing text messages

7 May 2019
The ICO sanctioned Hall and Hanley, a company that had sent, through third parties, 3,560,211 direct marketing SMS messages without obtaining the data subjects' consent. Hall and Hanley claims to have obtained consent through users' subscription to four websites. However, the ICO points out that only two of these mentioned the company in question, and that in any case people were required to provide their data in order to subscribe, which is against the law.

Spain: the DPA publishes a guide on data breach in English

30 April 2019
A few days ago, the Spanish Data Protection Authority (AEPD) issued a document entitled "Guide on personal data breach management and notification", a guide to managing and reporting data breaches. In addition to definitions, classification of incidents and a 'guided' approach to data breach management, the document also contains a form for notification to the DPA and the main parameters to be considered to determine whether notification to data subjects is necessary.

Ireland: Data Protection Commission opens statutory inquiry into Facebook

25 April 2019
In a press release, the Data Protection Commission declared that it has opened an official investigation after Facebook admitted that it had stored hundreds of millions of passwords of Facebook, Facebook Lite and Instagram users in plaintext format due to an internal error.

The IAPP publishes FAQs on the compliance of companies to the California Consumer Privacy Act

17 April 2019
The International Association of Privacy Professionals (IAPP) has released a series of answers to key questions relating to the application of the California Consumer Privacy Act (CCPA). In fact, compliance with the GDPR, while useful for implementing data protection mechanisms, does not necessarily equal compliance with the Californian data protection law. Companies may therefore need to make some changes to comply with the CCPA, for example companies that 'sell' data subjects' data to third parties.

UK: ICO fines website for sharing personal data of new mothers with marketing agencies

12 April 2019
The site 'Bounty' was fined by the ICO for sharing personal data of new and soon-to-be mothers with 39 organisations, including the marketing agencies Acxiom, Equifax, Indicia and Sky, for direct marketing purposes. Bounty shared 34 million pieces of sensitive data, belonging to both new mothers and their children, including gender and date of birth. The ICO considers the violation particularly severe both for the amount of data shared and because Bounty had not been transparent about its intention to use and share the data with third parties for marketing purposes. Since the violation occurred between June and April 2018, when the Data Protection Act was still in force, the ICO imposed a fine of £400,000, which could have been much higher had the violation occurred after 25 May 2018.

Denmark: the Data Protection Authority has ruled on the application of GDPR to voice recordings

11 April 2019
The Danish Data Protection Authority has ruled on the need for companies to obtain explicit consent when recording customer calls. The case concerned Denmark's largest telecommunications company, which had informed customers that it would record their calls but had not provided any opt-in or opt-out mechanism by which the persons concerned could decide not to be recorded. Under the GDPR, consent to the processing of data must be given freely, unless the processing relies on a legal basis other than consent, such as a legal obligation or the performance of a contract.

UK: ICO fines production company for unlawfully filming in a maternity clinic

10 April 2019
The ICO fined True Vision Products (TVP) £120,000 for unlawfully filming patients in a maternity clinic with CCTV cameras equipped with microphones. The clinic had authorised TVP to take video footage for a documentary on stillbirths (and as such TVP qualified as data controller). The ICO sanctioned TVP for not adequately informing the patients and for not asking for their consent to be filmed: TVP had only put up signs and left flyers on the tables in the clinic waiting room. Moreover, if a patient wanted to withdraw her consent to the filming, there was no way to stop it other than explicitly asking to be treated in a room without cameras.

UK: a White Paper on Internet security and online harms is published

8 April 2019
The UK Department of Digital, Culture, Media and Sport has published a white paper on the risks posed by online content. Specifically, the document contains proposals for the regulation of the Internet and the protection against the spread of extremist, illegal or harmful content. It also proposes the establishment of an autonomous body to analyse and control the major web operators, and to impose fines of up to one billion pounds. The aim is to force large online companies to be transparent about their content and any damage they may cause, to drastically reduce misinformation content, especially in times of elections, and as regards citizens, to activate a media literacy campaign to help them recognize fake news and harmful content.

Italy: DPA sanctions online platform "Rousseau" 

4 April 2019
The Italian Data Protection Authority issued a €50,000 fine against the so-called "Rousseau platform" (the online platform which runs the 5-Star Movement's website) due to significant deficiencies in its security systems, despite the improvements to the site that had been undertaken. The DPA requires that specific technical and IT changes be implemented, and that a rigorous data protection impact assessment be carried out which "specifically refers to the e-voting functionalities of the platform".

France: the CNIL publishes binding rules on the processing of biometric data in the workplace

28 March 2019
The French Data Protection Authority, the CNIL, has published a "Model Regulation" that addresses the use of biometric systems to control access to premises, devices and applications in the workplace. This document defines the binding rules for data controllers who are subject to the French data protection law and who process biometric data of employees for these purposes. Specifically, a list is provided of the types of personal data that may be collected and processed for these purposes, the period of data retention is defined and the technical and organizational measures to be implemented to ensure the security of personal data are specified.

Poland: the Data Protection Authority sanctioned a company for failing to inform data subjects about the processing of their data

26 March 2019
The Polish Data Protection Authority imposed a fine of 943,000 zlotys, or 220,000 euros, on a company for violating the requirements of Article 14 of the Regulation by not informing six million people about the processing of their data. By failing to inform the data subjects, the controller prevented them from exercising their rights under the GDPR, including the right to object. According to the Authority, the company was aware of its obligation to provide the information directly to the persons concerned, hence the amount of the sanction.

UK: pensions company is fined for sending nearly 2 million spam emails 

26 March 2019
A Kent pensions company received a £40,000 fine for sending (via a third party) nearly 2 million direct marketing emails between 31 October 2016 and 31 October 2017 without the consent of the data subjects. The company had even sought the advice of a privacy consultant and a lawyer, who had given a positive opinion on the campaign. The ICO points out that, despite this, responsibility for complying with the law remains with the company, which should have approached the DPA for clarification on the feasibility and risks of the campaign. In general, the ICO reiterates that by law no marketing e-mail may be sent to those who have not given their consent, and that this also holds for companies that use third parties to carry out direct marketing on their behalf.

Denmark: fine of €160,000 imposed on a company for violation of the minimisation principle

25 March 2019
The Danish Data Protection Authority has recommended a fine of 1.2 million kroner (about 160,000 euros) against a taxi company that had retained its customers' phone numbers beyond the 2-year period indicated in its own data retention policy. The company had deleted the names and addresses of the persons concerned, but retained their telephone numbers because of an alleged difficulty in deleting them from the computer system. The DPA did not consider the justification valid and also found the data to be only partly anonymised: it was still possible to trace the identity of the data subjects through their telephone number. The fine is significant as it amounts to 2.8% of the company's annual turnover, showing the DPA's intention to apply the GDPR's maximum of 4%.

Italy: inspection activity carried out by the DPA in 2018

25 March 2019
In the Newsletter no. 451 of March 25, 2019, the Italian Data Protection Authority took stock of the results of the inspection activities carried out in 2018, noting that in the private sector inspections were mainly focused on the processing operations carried out: by credit institutions; by rating companies; by local healthcare companies and then transferred to third parties for research purposes; by companies that carry out telemarketing activities; by companies that offer "money transfer" services; by insurance companies through the installation of "black boxes" on vehicles; by companies that offer healthcare services through apps.

Italy: the DPA's inspection activities will also be carried out by the Financial Police

25 March 2019
With the Resolution of 14/2/2019, the Italian DPA approved the inspection plan for the period January-June 2019, to be carried out with the aid of the Financial Police. It will focus mainly on credit institutions, the health sector, the national statistical system (SISTAN), the federated identity system (SPID), companies that perform marketing activities and profiling of loyalty card holders, and public bodies.

Finland: the DPA investigates the possibility of Nokia smartphone sending personal data to servers in China

21 March 2019
The Finnish DPA initiated an investigation after a user of a Nokia 7 Plus smartphone noticed that the device, produced in Finland by the company HMD Global, appeared to be sending data to a server in China. When asked, HMD said that no data had actually been sent from its phones to third parties, but that a problem in the software of some phones caused them to attempt to send data to an external server.

EU: Facebook admits having stored 200-600 million passwords in readable format

21 March 2019
Facebook has admitted that it kept between 200 and 600 million user passwords in readable format, i.e. not hashed or encrypted and therefore potentially accessible to employees. Facebook reportedly discovered the issue during a routine internal audit in January, and is now alerting affected users and encouraging them to change their passwords. The issue is all the more significant because many users use their Facebook profile to log in to a multitude of online services. The data do not appear to have been disseminated or used maliciously, but the European Data Protection Authorities are watching the matter. The German Ombudsman says: "This matter will be meticulously investigated by data protection authorities. First, it needs to be clarified whether Facebook has breached its notification obligations under the Data Protection Regulation. The problem seems to have been known since January. Independently of this, the Irish Data Protection Authority, which is responsible in Europe, will certainly consider initiating a sanction procedure and we will also discuss the case in the European Data Protection Council."

Norway: the DPA sanctions a municipality for violation of GDPR requirements

18 March 2019
The Norwegian Municipality of Bergen was fined 1,600,000 NOK (about 160,000 euros) by the Norwegian Data Protection Authority for a flaw in the platform it used, which made files containing the usernames and passwords of more than 35,000 students, along with other personal data such as addresses and social security numbers, accessible to students and staff of a school, in violation of the security requirements of the GDPR. Here is the decision issued by the DPA (in Norwegian).

Netherlands: the quality of data breach registers varies between organisations

17 March 2019
A recent study carried out on behalf of the Dutch Antitrust Authority examined the quality of the data breach registers. The results show that only 60% of the records analysed are properly compiled, correctly describing the facts, the consequences and the security measures taken. In order to facilitate the development of plans and procedures that allow organizations to learn from errors and correct their data management structures, the Dutch Data Protection Authority has published some practical suggestions for better recording of data breaches.

Netherlands: the Dutch DPA has released its GDPR sanctioning policy

14 March 2019
The Dutch Data Protection Authority has divided the value of sanctions into four categories according to severity (Cat. 1 from 0 to 200,000 euros; Cat. 2 from 120,000 to 500,000 euros; Cat. 3 from 300,000 to 750,000 euros; Cat. 4 from 450,000 to 1 million euros). It has also provided examples of how to quantify the sanction within these ranges based on the size of the company and a number of aggravating circumstances (number of persons involved, the behaviour of the company, the type of data involved, and others). Sanctions above one million euros are to be applied where the above ranges are not considered sufficient. An analysis is available here in English.

Norway: the DPA publishes a guide for software development in accordance with the principles of privacy by design and by default

13 March 2019
The Norwegian Data Protection Authority (Norway being a state of the European Economic Area, where the GDPR became applicable on 20 July 2018) has published a guide for the development of software in accordance with the principles of the GDPR. The aim is to help organisations understand and meet the data protection by design and by default requirements laid down in Article 25 of the Regulation. The guide, divided into sections, is available in English and Norwegian; security specialists and software developers from the private and public sectors cooperated in drafting it.

EDPB publishes Opinion 5/2019 on the relationship between the ePrivacy Directive and the GDPR

12 March 2019
The EDPB published Opinion 5/2019 on the relationship between the ePrivacy Directive and the GDPR that includes the competence, tasks and powers of the European Data Protection Authorities. Above all, the document deals with the respective areas of competence and application (even in cases where the two regulations intersect), and their coexistence.

France: CNIL launches freely accessible online training on GDPR

11 March 2019
The French DPA has published a freely accessible online training course entitled "The RGPD Workshop" which offers the opportunity to understand the GDPR. The course, designed for data protection professionals, but also for those who simply want to learn more about GDPR, can be used to check the compliance of their organizations and raise awareness among employees. The "Atelier RGPD" consists of 4 modules with images, tests, evaluations, concrete cases, followed by a final test that grants the right to a certificate.

EDPB publishes a document on cooperation between national privacy authorities

8 March 2019
The EDPB has recently published the document "First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities", which addresses the cooperation between national data protection authorities, including for cross-border cases, as one of the key issues for the implementation of the GDPR (European Regulation) at the local level. 

Italy: privacy and cybersecurity, how the new protocol between the DPA and the Intelligence protects citizens

6 March 2019
The Italian DPA (Garante) will forward to the intelligence services those personal data breach notifications, received from the entities subject to the notification obligation, that are relevant to cyber security. This is one of the effects of the new Protocol of Intent signed between the Guarantor Authority for the protection of personal data and the Secret Services to ensure that cyber security activities are in line with the GDPR and with Legislative Decree 18 May 2018 n. 51, which transposes the so-called "law enforcement" directive.

EDPB: information note for the processing of data in case of a "hard Brexit"

27 February 2019
The EDPB has drafted an information note concerning what public and private European operators will have to do in relation to the transfer of personal data to the UK in the event of a no-deal Brexit or hard Brexit, a scenario that is becoming increasingly concrete if no agreement is reached at midnight on 29 March 2019.

USA: TikTok receives $5.7 million fine for collecting personal data from minors under 13 years of age without parental consent

27 February 2019
The Federal Trade Commission (US Consumer Protection Authority) has ruled that TikTok, a social network for creating and sharing short videos, will have to pay a $5.7 million fine for collecting personal data from children under the age of 13 without obtaining parental consent. The site required users to enter their first and last name, username, email address, as well as a short biography and a profile photo. In addition to the sanction, TikTok will also have to remove the videos of all users under 13 years of age.

EDPS: European Data Protection Supervisor publishes 2018 report

26 February 2019
The European Data Protection Supervisor has published the report for the year 2018 where it presents the data, statistics and actions carried out by the European Data Protection Supervisor (EDPS) last year, as well as the objectives and activities planned for 2019.

Belgium: Data Protection Authority publishes list of data processing operations requiring a DPIA

25 February 2019
The Belgian Data Protection Authority has issued (in French and Dutch) the list of the types of processing activities requiring a DPIA (Data Protection Impact Assessment), as required of all national Data Protection Authorities by Article 35(4) of the GDPR.

Spain: the DPA develops a software that creates a register of processing operations

24 February 2019
The Spanish Data Protection Authority has developed and made available online "Facilita", a free and easy-to-use software tool that produces a register of processing operations in Word format. The software is intended only for SMEs that carry out simple and elementary data processing, but it can be an excellent compliance tool for companies that do not carry out any processing posing particular risks to data subjects.

Hungary: first GDPR sanctions

15 February 2019
The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) has recently adopted two decisions concerning violations of data protection rules. The identities of the two companies have not been disclosed, but one of them appears to have received a fine of EUR 3,135 (HUF 1,000,000), representing 6.5% of its annual turnover, for violating the right of access. The second case concerns a bank which unlawfully disclosed data following an incorrect data entry, but which did not receive a sanction.

Italy: the DPA sanctions a doctor who used patient data for election purposes

14 February 2019
The Italian DPA has ordered a doctor to pay a fine of €16,000 for using the data of about 3,500 former patients to send them letters asking them to vote for one of the candidates in the elections of 4 March 2018. The sanction is based on two grounds: first, he had not provided a privacy notice either at the time the data were recorded or at the time of the first communication to the data subjects (as required by the Privacy Code); second, he had used the patients' data for purposes other than treatment, for which he had not obtained specific consent.

EDPB publishes its Work Program for the years 2019 and 2020

12 February 2019
The EDPB is releasing its 2019 and 2020 Work Program, which focuses on new technologies and specific data protection issues. New activities and guidelines include the complex issue of international transfers, ePrivacy and online services, the application of GDPR (including outside the EU), and the issue of financial data related to digital payments and e-invoices.

Spain: AEPD publishes study on how the digital footprint of devices affects citizens' privacy

7 February 2019
The Spanish Data Protection Agency (AEPD) has published an article on online profiling based on device fingerprinting: the data extracted from each connected device allow the identification of the user and the creation of a unique profile based on browsing habits, geolocation, system configuration, installed applications and software, mouse movements, etc. Among the most critical points are the failure to comply with the principles of transparency and minimisation, the use of special categories of data without users' awareness, and users' frequent inability to avoid data collection or to exercise the rights set out in the GDPR. The document then sets out some of the available measures to limit device tracking, as well as a series of recommendations for manufacturers and developers who want to make use of the data obtained in this way.

Germany: Antitrust restricts Facebook's data collection

7 February 2019
The German Antitrust Authority criticises Facebook's activity in Germany, which, being in a dominant position on the market, collects and combines data deriving also from other platforms of the Facebook group, as well as from websites and apps linked to it, without having obtained a clear and GDPR-compliant consent from users. The German Privacy Authority supports the Competition Authority's decision and calls on Facebook to act swiftly to rethink its data processing.

Italy: role of the employment adviser after full application of Regulation (EU) 679/2016

7 February 2019
The Italian DPA responded to a question on the role of the employment consultant submitted last September by the National Council, stating that when employment consultants process the data of their clients' employees in the performance of their profession, they assume the role of Data Processor.

Italy: fusion between Authorities, what are the advantages in times of big data and GDPR

5 February 2019
According to numerous opinions on the opportunities of the digital age, a merger between AGCM (Competition Authority), AGCOM (Communications Authority) and the Data Protection Authority is advisable, also in light of Lazio TAR rulings no. 335 and 336, in which the judge suggests starting to work in that direction. The objective is clear: the protection of citizens and their data today has multiple aspects, and keeping the supervisory bodies separate weakens that protection.

France: data, competition and trade practices

31 January 2019
Processes of convergence between Data Protection Authorities and Competition Authorities are under way. The first step comes from France, where the CNIL has signed an agreement with the DGCCRF (the French Competition Authority).

Infographic containing data on the application of the GDPR from 25 May 2018 to present

29 January 2019
The European Commission has published an infographic containing data on compliance with and application of the GDPR since 25 May 2018, when the Regulation became applicable. The most relevant figures are the following: in less than a year, there were 95,180,000 reports to national DPAs regarding alleged violations of data processing laws, 41,502 reports of data breaches, and 3 cases in which administrative sanctions were issued under the GDPR.

The Council of Europe issues Guidelines on Artificial Intelligence and Data Protection

25 January 2019
The Consultative Committee for the Protection of Personal Data has adopted a report on Artificial Intelligence and Data Protection. The report examines the problems and challenges that Artificial Intelligence poses with respect to the use of data, and the measures that can be taken to develop AI applications that do not violate human rights and fundamental freedoms, also providing practical guidance for operators, producers and developers.

EDPB: Privacy Shield, Brexit, Q&A clinical studies, DPIA, certification guidelines, EU and Australia collaboration

24 January 2019
The latest news on the activities of the European Data Protection Board includes the publication of the report on the second annual review of the Privacy Shield (EU-US), the possible consequences of Brexit in the field of data protection, the adoption of an opinion on clinical studies, the adoption of the Guidelines on certification, the start of a collaboration between the EU and Australia on data protection.

France: the CNIL imposes a fine of 50 million euros on Google

21 January 2019
The Select Committee of the CNIL, the French supervisory authority, has imposed a fine of 50 million euros on the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the customization of ads.

France: use of user interfaces and consequences on the ability to make informed choices

18 January 2019
The French DPA has published the document "The form of choices". The Digital Innovation Laboratory of the French Authority examines the use of design in "graphic interfaces" in order to identify positive and negative practices for website users.

Italy: the Italian DPA verifies the GDPR-conformity of the Codes of Conduct

16 January 2019
The Italian Data Protection Authority has verified the compliance of the Codes of Deontology and Good Conduct for the processing of personal data for historical, statistical and scientific purposes and defensive investigations with the EU Regulation 2016/679 on the protection of personal data. 

Europe: study on the use of chip implants for workers

15 January 2019
The European Parliament has published a study on the use of chip implants and has explored their possible applications in the workplace, also considering the legal issues that may arise (including those related to the protection of the special categories of data that would be processed), as well as ethical, health and safety issues.

Italy: opening of consultation on the requirements laid down in the general authorisations to processing

11 January 2019
The Italian Data Protection Authority (Garante) has identified the general authorisations for processing that are compatible with Regulation (EU) 2016/679 and with Legislative Decree 101/2018, which updated the Italian Privacy Code. In order to collect comments and proposals, it has launched a public consultation; interested parties can send their contributions to:

France: sanctions for failure to maintain data security

27 December 2018
A penalty of €250,000 has been imposed on a French telephone company that failed to comply with its obligation to ensure the security of the personal data of its website's users.

San Marino: Personal Data Protection Act

21 December 2018
On 21 December 2018, the Republic of San Marino issued a Law (171/2018) on the Protection of Individuals with regard to the Processing of Personal Data, which came into force on 5 January 2019. Among the contents, which are evidently based on the GDPR and the Italian Privacy Code, there is also the institution of an Authority responsible for the protection of personal data (Title VI).

UK: personal data protection and Brexit

13 December 2018
Brexit: the UK authority (ICO) has published a data processing guide for companies based in the UK and operating in the European Economic Area, covering the case in which no withdrawal agreement is reached. These are important indications, as the absence of a withdrawal agreement could have significant consequences for the transfer of data between the United Kingdom and the other Member States.
