European Data Protection Observatory
The new EU Regulation 2016/679 has undoubtedly initiated a new era in data protection: data controllers are now required to manage data with a proactive approach based on risk analysis and accountability.
In light of this, a new way of thinking about personal data has emerged that requires all stakeholders to find legal, organisational and IT solutions.
Since the Regulation is applicable all across the EU, it is necessary to consider what changes are taking place in other EU countries with regard to new provisions, interpretations, cases of application and sanctions.
For this reason, we have decided to set up a European Data Protection Observatory, which will contain the most relevant data protection news in chronological order.
USA: Zoom under investigation for privacy issues
1 April 2020
The New York Attorney General's Office has launched an investigation into the Zoom videoconferencing app over privacy concerns, in particular the ease with which intruders have been able to join conversations and broadcast violent or pornographic material. The FBI and the Attorney General of NY decided to launch an investigation into whether the app has adequate measures in place to protect users' privacy and personal data.
EU: Joint statement on the compatibility of data protection principles with health protection
30 March 2020
The Council of Europe, similarly to the position adopted by the EDPB on coronavirus and privacy, reaffirms the fact that the existing legal framework (specifically, Convention 108 and its modernised version "Convention 108+") sets high standards for the protection of personal data compatible with effective protection of other rights, including public and individual health.
EU: ENISA publishes tips for cybersecurity when working from home
24 March 2020
ENISA, the EU Agency for Cybersecurity, has published recommendations for employers and workers on managing remote working during the health emergency, with particular attention to cyber security.
Iceland: EUR 20,000 fine for breach of health data
11 March 2020
The Icelandic Authority has imposed a fine of ISK 3 000 000 (approximately EUR 20 000) on the S.Á.Á organisation for a security breach pursuant to Article 5(1)(f) and Article 32 of GDPR. The security breach arose when a box was delivered to a former employee that was supposed to contain his personal belongings but instead contained a considerable amount of sensitive patient information. The breach resulted in the disclosure of the names of 3,000 patients and detailed medical records of 252 individuals.
EU: EDPB issues official statement on COVID-19 outbreak
19 March 2020
The European Data Protection Board has published an official statement on the COVID-19 emergency, answering some common questions and underlining that the data protection principles and the GDPR do not hinder the management of the pandemic. However, the EDPB recalls that even in an emergency context, data controllers and data processors must process data lawfully, and that extraordinary measures must nonetheless respect the principle of proportionality and be limited in duration to the emergency itself.
Sweden: Authority fines Google for failure to enforce the right to delisting
11 March 2020
The Swedish Data Protection Authority imposed a fine of around EUR 7 million on Google, after verifying through an audit that the company did not fully guarantee the right of individuals to have results linked to their name removed from the search engine. Google, in fact, when removing the search result, warned the site in question of the removal, which could then publish it again, thus nullifying the measure. Google now has 3 weeks to appeal against the sanction.
Italy: urgent measures imposed to strengthen the security of certified mail service
6 March 2020
Following the vulnerabilities found during an inspection of the email provider Aruba, the Authority imposed an obligation to implement measures strengthening the security of its certified e-mail service, which comprises over six million accounts. The prescribed measures will allow the provider to guarantee the security of data subjects' data by preventing identity theft and other serious risks related to the improper use of personal data.
Italy: two schools fined for publishing unnecessary teachers' data
6 March 2020
The Italian DPA has sanctioned two schools for unlawfully publishing unnecessary information and health data in teachers' lists on their websites. The disclosure concerned 2,000 individuals in one school and 1,500 in the other, and included tax codes, residential addresses, telephone numbers, e-mail addresses, number of children and, in some cases, health data.
Poland: school fined for using biometric student data
5 March 2020
The Polish DPA imposed a fine of PLN 20,000 on a school that used the students' biometric data (fingerprints) to manage access to the school canteen, without a valid legal basis. The purpose of the processing could in fact have been easily achieved with less invasive measures, among others already present in the school, such as the use of electronic cards or the provision of one's own name and identification number. Among the consequences of the processing, moreover, there was clear discrimination against students using biometric data, who could enter the canteen before other students.
UK: airline sanctioned for failure to protect customer data
4 March 2020
Cathay Pacific received a fine of £500,000 for failing to protect its customers' data (more than 110,000 UK citizens and another 9.4 million travellers from around the world) with adequate security measures. The data had been accessed unlawfully following a hacker attack and consisted of names, passport and identity details, dates of birth, postal and email addresses, telephone numbers and travel history.
UK: Scottish company receives £500,000 fine for unwanted calls
2 March 2020
The ICO imposed a £500,000 fine on a Scottish company for making some 193 million unwanted calls. The calls were made using "spoofing", i.e. preventing the people receiving the call from knowing the identity of the caller. The company knowingly broke the law, not only by lacking valid consent from the data subjects and by not providing a means for them to revoke it, but also by attempting to evade the investigation by not providing up-to-date contact details and by moving its headquarters abroad. For these reasons, the Authority decided to impose the maximum sanction provided for in the legislation.
Italy: Coronavirus, the DPA says no to "do-it-yourself" data collection
2 March 2020
The DPA comments on the data collection activities that several public and private entities have carried out in recent weeks regarding the presence of new Coronavirus symptoms and the latest movements of workers. The Authority emphasises that employers must refrain from collecting, including through specific requests to the individual worker, information on the presence of any symptoms in the worker and his closest contacts, or information falling outside the working sphere. This is because the task of preventing the spread of Coronavirus is carried out by the public health authorities.
EU: Guidelines on processing of personal data through video devices adopted
26 February 2020
The EDPB has published the "Guidelines 3/2019 on processing of personal data through video devices", which contain theory and practical examples relating to the processing of personal data obtained from video devices.
Netherlands: Authority launches investigation into information service providers
24 February 2020
The Dutch Data Protection Authority has announced that it has launched an investigation into Dutch companies with a PSD2 authorisation to access and process payment account information, called 'account information service providers' or AISPs. The Authority wants to verify whether these companies are aware of the risks involved in processing such information and whether they are operating in compliance with data protection legislation, such as the GDPR.
EU: ENISA publishes cybersecurity guidelines for hospitals
24 February 2020
The guidelines issued by ENISA address the issue of cybersecurity for hospitals when procuring services, products and infrastructures; cybersecurity must be holistically integrated in the various processes, components and phases that influence the ICT ecosystem. The guidelines list good practices, related to the types of procurement for which they are relevant and the threats they can mitigate, providing a set of easy-to-use practices for hospitals.
EU: topics discussed during the 18th EDPB Plenary Session
20 February 2020
The European Data Protection Board (EDPB) and the EEA supervisory authorities have contributed to the assessment and review of the GDPR, as foreseen in Article 97 of the GDPR. The EDPB has also adopted guidelines to provide further clarification on the application of Articles 46(2)(a) and 46(3)(b) on transfers of personal data from EEA public authorities or bodies to public bodies in third countries or international organisations. In the light of the merger between Google LLC and Fitbit, the EDPB expressed its views on the need to conduct analyses of the impact of corporate mergers on the privacy and data protection rights of data subjects.
Malta: Lands Authority fined for data breach
18 February 2020
The Maltese Data Protection Authority (Information and Data Protection Commissioner) has issued a €5,000 fine to the Lands Authority, following the discovery of a data breach originating from the online platform on the Authority's portal, caused by the failure to adopt adequate technical and organisational measures to ensure the security of the processing.
Ireland: DPC's statement on Facebook's Dating feature
12 February 2020
The Irish DPA announced on its website that it had been contacted by Facebook Ireland on 3 February to communicate its intention to introduce a new Dating feature on 13 February. The Authority reportedly received no detailed information or documentation regarding the implementation of a DPIA and inspected Facebook Ireland's offices on 10 February to gather information. On 11 February, Facebook allegedly informed the Authority that it had decided to postpone the release of this new feature.
Germany: the DPA launches a public consultation on anonymisation
10 February 2020
The German Data Protection Authority (BfDI) has launched a public consultation procedure inviting comments on a BfDI document on the anonymisation of personal data under the GDPR, with particular attention to the telecommunications sector. Specifically, the document points out that the GDPR does not apply to anonymised data, but that it is not clear under what circumstances data can be considered completely anonymised, or whether anonymisation itself constitutes a type of data processing, which as such would require a legal basis.
Italy: the DPA's inspection plan for January-June 2020
6 February 2020
The Italian Data Protection Authority has announced which bodies will be mainly inspected in the January-June 2020 period. These include, among others, multinational companies operating in the pharmaceutical and health sector, online banking services, intermediaries for electronic invoicing services, and companies that process data for marketing activities.
Italy: telecommunications operator Tim receives 27.8 million euro fine
1 February 2020
The Italian DPA has imposed a fine of 27.8 million euros on TIM SpA for unlawful processing of data on millions of people. Among the violations, the Authority found that the call centres appointed by Tim had in many cases contacted the data subjects without their consent. Other irregularities emerged in the data breach procedures, and in the management of the apps, which contained unclear and misleading information. In addition to the severe sanction, the DPA also imposed 20 corrective measures consisting in prohibitions and requirements.
EU: EDPB guidelines on connected vehicles online for consultation
28 January 2020
The EDPB has released the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. The Guidelines will be in public consultation until 20 March 2020.
Italy: hospital to compensate a lawyer for mistakenly publishing his health data on its site
24 January 2020
A lawyer noticed some of his health data published on the website of the Villa Sofia-Cervello Hospital in Palermo, which had allegedly been uploaded by mistake. The individual filed a lawsuit against the hospital and will receive compensation worth 15,000 euros (compared to 200,000 euros in the initial request).
EU: Italian DPA calls for a European task force on Tik Tok
24 January 2020
The Italian DPA, following some reports received about the social network Tik Tok, asked the EDPB, the European Data Protection Board, to set up a European task force to launch shared investigations into its processing activities. The DPA has pointed out to its European partners the need to proceed in a determined and coordinated manner, also in consideration of the relevance of the platform, which is mainly used by younger users and minors.
Germany: Facebook default settings do not count as informed consent
24 January 2020
The highest court in Berlin ruled on 24 January following a complaint by the Federal Consumer Association (vzbv) that Facebook is in breach of data protection law. In particular with regard to informed consent, the Court held that the transmission of geolocation information of users to third-party partners, or the use of the profile picture for commercial purposes, are settings that cannot be predefined as they require specific consent.
UK: guidance published on explaining AI decisions to the individuals affected
24 January 2020
The ICO and The Alan Turing Institute have launched the guide "Explaining decisions made with AI". This guide, divided into 3 parts, aims to provide organisations with practical advice to help them explain the processes, services and decisions provided or assisted by AI to the people affected by them. The public consultation ended on 24 January.
Italy: University Hospital fined for undue access to health records
23 January 2020
The Italian DPA announced in a press release that it has issued a 30,000 euro fine and imposed corrective measures on the Integrated University Hospital of Verona, which had informed the Authority of three unauthorised accesses to patient files by employees of the facility. The personal data violation consisted in access made "out of mere curiosity" and was ascertained during the periodic checks carried out by the Hospital itself, which announced that it will implement more stringent access filters.
Italy: the Authority publishes a complaint form for data subjects
21 January 2020
The Italian Data Protection Authority has published on its website an overview of the procedure for the submission of complaints by data subjects, explaining the tool, the method of submission and providing a complaint form in .docx and .pdf format.
Belgium: the Authority publishes a recommendation on direct marketing
17 January 2020
The Belgian Data Protection Authority has also issued a recommendation on the processing of personal data for direct marketing purposes, as the UK Data Protection Authority had already done.
Italy: energy provider receives €11.5 million fine
17 January 2020
The Italian DPA issued a total fine of 11.5 million euros to energy provider ENI Gas e Luce for unlawful telemarketing and teleselling (8.5 million euros) and for the activation of unwanted contracts (3 million euros). As regards the first sanction, the findings included advertising calls made without the users' consent, the absence of technical and organisational measures to record their consent (or consent withdrawal), and the illicit acquisition of users' data from third parties.
France: CNIL to publish recommendation on cookies and tracking technologies
14 January 2020
CNIL, the French DPA, has launched a public consultation on draft practical recommendations on cookies and tracking technologies. The aim is to clarify to operators using this technology how to comply with the GDPR when obtaining user consent and, in particular, how to balance the requirements of clarity on the one hand and completeness of information on the other. The Recommendation is in public consultation until 27 February 2020.
UK: retailer fined £500,000 for insufficient security measures
9 January 2020
DSG Retail Limited (DSG) was fined £500,000 for lack of adequate security measures. A data breach occurred that was caused by a cyber attack due to the installation of malware on thousands of tills in the company's stores. The data included first and last names, postal codes, email addresses, and card data used for transactions of approximately 14 million people.
US: $7.5 million settlement for Google+ following class action
8 January 2020
Google LLC has agreed to settle for $7.5 million a class action suit concerning Google+, the social media platform that was discontinued in April 2019. In October and December 2018, Google acknowledged that bugs in its platform had potentially exposed users' profile information to unauthorised third parties, including name, gender, email addresses, work location and home addresses, although there was no indication that the data had been misused.
UK: ICO issues draft code of conduct for direct marketing
8 January 2020
The ICO has issued a draft code of conduct for direct marketing to promote good data processing practices in accordance with the GDPR and the e-Privacy Directive.
Spain: Vodafone is fined 44,000 euros for unlawful processing of a customer's personal data
7 January 2020
The AEPD imposed on Vodafone Spain a fine of 44,000 euros for the violation of Article 5 GDPR, specifically the principles of integrity and confidentiality. The procedure was initiated by a complaint from a private individual, who complained that the company had sent the concluded telephone contract to the domicile of a third party, including the customer copy of the contract, the customer's personal data, the general conditions of the applied rate and the conditions of withdrawal.
EU: sanctions imposed by Authorities in 2019
7 January 2020
According to research carried out by the Federprivacy Observatory, in 2019 €410 million of sanctions were imposed by the 30 European Authorities. There were 190 proceedings, with Italy first in terms of number of sanctions (30). The ICO, the United Kingdom's Authority, issued a smaller number of measures, which however amount to €312 million.
EU: EU Council's draft position on the application of the GDPR
26 December 2019
The Council of the European Union has published a draft position on the application of the GDPR as part of the evaluation process of the Regulation itself. The document acknowledges that there has been a strengthening of stakeholder rights, but stresses that some issues need to be better addressed, including: the scope of applicability of the GDPR, consent of minors, data transfers, EU representatives, and new technologies.
UK: London pharmacy fined for negligent data storage
20 December 2019
The ICO sanctioned a pharmacy that had negligently kept about 500,000 documents containing special category data. The documents contained, in addition to addresses and personal details, medical information, prescriptions and NHS numbers, and were stored in unlocked containers; some of them had even been water damaged. The Authority therefore established that the pharmacy had inadequately stored and failed to protect customer data, and imposed a penalty of £275,000.
Norway: the DPA fined the city of Oslo for incorrect storage of patient data
18 December 2019
The Norwegian Data Protection Authority imposed a fine amounting to 49,300 euros on the city of Oslo for storing patient data outside the electronic medical records system in the city's nursing homes and health facilities from 2007 to November 2018. In fact, employees used worksheets where general patient health information, full names and ID numbers were included. In deciding the amount of the sanction, the Authority took into account the fact that the breach had occurred largely in the period prior to the entry into force of the GDPR, and that the City of Oslo had voluntarily notified the data breach to the DPA.
Romania: two companies fined for failing to provide the information required by the DPA
16 December 2019
The Romanian Data Protection Authority sanctioned two companies that had not provided the information requested by it under Article 83(5) GDPR, despite the first request and subsequent warning to comply within 10 days. The amount of the first sanction is 3,000 euros, the second amounts to 2,000 euros.
EU: EDPS has developed software for the privacy and data protection inspection of websites
16 December 2019
The EDPS has provided an open source software "Website Evidence Collector", to automate the privacy and data protection inspection of websites. The tool collects evidence of the processing of personal data, such as cookies, or requests to third parties. The information collected, structured in a format that is readable by both humans and machines, enables website controllers, data protection officers and end users to better understand what information is transferred and stored while visiting a website, for example, the consecutive loading of a number of web pages without giving consent or logging in.
EU: EDPB releases standard contractual clauses for contracts between controllers and processors
11 December 2019
The EDPB has published, in its Register for Decisions taken by supervisory authorities and courts, the standard contractual clauses between data controller and data processor adopted by the Danish Supervisory Authority. They aim to help organisations meet the requirements of Art. 28(3) and (4), since such a contract should not only contain the requirements of the GDPR but should also specify them further, for example as regards the assistance provided by the processor to the controller.
EU: Guidelines on the criteria for the right to be forgotten by search engines
11 December 2019
The EDPB has just issued the "Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)", which will be in public consultation until 5 February 2020.
Romania: fine for the transmission of personal data to wrong addressee
10 December 2019
The Romanian Data Protection Authority imposed a fine of 14,000 € against Hora Credit IFN SA for the transmission of documents containing personal data of a person to the wrong recipient. Although the error had already been reported to both the operator and their call centre, Hora Credit had continued to send messages to the same address. The company had not notified the breach to the DPA within 72 hours and, following an investigation, the Authority found that the operator had not taken sufficient security measures with regard to personal data.
Germany: nearly €10 million fine on a telecommunication services provider
9 December 2019
The German Federal Data Protection Authority has announced that it has imposed a fine of €9,550,000 on a telecommunications service provider, 1 & 1 Telecom GmbH, for failing to take sufficient technical and organisational measures to prevent unauthorised persons from obtaining information on customer data via the telephone support service. It appears that the authentication procedure only required the user's name and date of birth. Another sanction concerns Rapidata GmbH, which will have to pay a fine of 10,000 euros for inconsistencies in the appointment of the DPO.
Hungary: Authority fines a municipality for unlawful video surveillance
6 December 2019
The Hungarian Authority has announced that it has sanctioned the municipality of Kerepes with a fine of 5 million HUF (about 15,000 euros) for allegedly carrying out unlawful processing by video surveillance. In fact, the municipality relied on the legal basis of legitimate interest (not available to a public body), violated the principle of minimisation due to the excessive number of cameras compared to the extent of the risk, and had not provided adequate information regarding the processing.
Spain: Ikea is fined for cookie violations
5 December 2019
The AEPD has imposed a fine of 10,000 euros on Ikea Spain for cookie violations. Following a complaint, the Authority found that each time a user accessed the site, 23 cookies were automatically set without the user's consent being sought.
EU: ENISA publishes report on pseudonymisation techniques and best practices
3 December 2019
The ENISA report "Pseudonymisation techniques and best practices report", addresses the parameters that can influence in practice the choice of pseudonymisation techniques, such as data protection, utility, scalability and recovery. It also contains use cases related to the pseudonymisation of certain types of identifiers (IP addresses, e-mail addresses, complex data sets).
UK: ICO issues guidance on special category data
29 November 2019
ICO has published a guidance on special categories of personal data on its website, where these are identified and defined and further documents and examples are provided for each category.
France: €500,000 fine for illicit telephone marketing
26 November 2019
The CNIL has imposed a fine of 500,000 euros on a company specializing in thermal insulation of private homes. The controls were initiated in response to a complaint against the call centre activity carried out by the company, which contacted certain prospects despite the fact that they had exercised their right to object. The inspection subsequently revealed other non-compliances, such as the illegal recording of certain telephone conversations.
EDPB: guidelines on data protection by design and by default open for feedback
20 November 2019
The EDPB has published Guidelines 4/2019 on Article 25 Data Protection by Design and by Default. The guidelines will be subject to public consultation until January 2020. In addition to underlining the primary commitment of data controllers to data protection by design and by default, the EDPB encourages technology providers to use the DPbDD as a competitive advantage in the market.
Spain: AEPD publishes a guide for patients on their rights with respect to data processing
14 November 2019
The AEPD has published a guide for patients and healthcare users, which provides answers to the most frequent doubts that citizens have when their personal data are processed by healthcare entities, administrations and professionals and aims to make it easier for them to know their rights.
Spain: company fined for lack of adequate measures in confirming the identity of a data subject
11 November 2019
The Spanish DPA fined the company Madrileña Red de Gas 12,000 euros for failing to take adequate measures to confirm the identity of a data subject. The individual who made the complaint claims that the company sent their information to a third party by email in response to an enquiry.
EDPS Guidelines on the concepts of controller, processor and joint controllership
7 November 2019
The EDPS has issued guidelines which aim to provide practical guidance on the concepts of controller, processor and joint controller. Topics covered include the distribution of mutual obligations and responsibilities, in particular in managing the exercise of data subjects' rights, and case studies on the controller-processor relationship, separate controllership and joint controllership.
Germany: 14.5 million euro fine for illicit data retention
5 November 2019
The German DPA sanctioned a leading real estate company, Deutsche Wohnen SE, with the highest fine ever issued in Germany, amounting to 14.5 million euros. The violation of the GDPR consisted in having retained the personal data of tenants for an unlimited period of time, without analysing whether the storage was lawful or necessary. According to the report, the real estate company used a filing system that did not allow the deletion of data no longer necessary for the purpose for which they were collected; the data concerned financial and personal circumstances, such as tax, social and health insurance data.
France: CNIL updates its DPIA software
31 October 2019
The French Data Protection Authority updated the open source software PIA, a tool available in French and English for data controllers, which facilitates and supports the performance of Data Protection Impact Assessments (DPIA).
Austria: the DPA sanctions the Postal Service with an 18 million euro fine for unlawful use of data
29 October 2019
The Austrian Data Protection Authority (Datenschutzbehörde - DSB) has imposed a fine of EUR 18 million on the National Postal Service (Post AG). The sanction was imposed for the unlawful use of user data to derive information on their political orientation and thus to offer this information, also in return for payment, to political parties for marketing purposes. The unlawful processing concerned the names, addresses, age and gender of around 3 million users.
UK: ICO explores the issue of impact assessment in artificial intelligence systems
23 October 2019
The ICO has published an analysis on conducting a DPIA (Data Protection Impact Assessment) for AI systems. In particular, the ICO recommends that the assessment should contain at least a systematic description of the processing, an assessment of its necessity and proportionality, the risks to the rights and freedoms of the data subjects, and the measures to counter those risks. It is also suggested that the assessment be updated regularly in case of changes in the nature, scope, context or purpose of the processing.
Spain: AEPD sanctions Vueling for cookie non-compliance
22 October 2019
Ireland: DPA publishes guides on data breach notification and online risks
The Irish Data Protection Commission has published a guide on data breach notification which aims to support data controllers in identifying notifiable data breaches and notifying them correctly. The guide also includes case studies for a practical approach.
In addition, a guide has also been published on the greatest online risks, to help prevent data security incidents and the occurrence of data breaches.
France: the Authority publishes a list of processing operations not requiring a DPIA
17 October 2019
The CNIL, the French Data Protection Authority, has published a list of 12 types of data processing for which the DPIA, or data protection impact assessment, is not mandatory. In November 2018, CNIL had already published a list of data processing operations that necessarily required an impact assessment.
EU: EDPS investigation into IT contracts between Microsoft and EU institutions
17 October 2019
The EDPS is investigating the contractual arrangements between EU institutions and Microsoft. Cooperation between public authorities of the Member States, EU institutions and other international organisations is essential to ensure that contractual arrangements with Microsoft guarantee the same level of protection of individual rights throughout the European Economic Area (EEA). Although the investigation is still ongoing, the preliminary findings reveal serious concerns about the compliance of the relevant contractual clauses with data protection rules, also with regard to Microsoft's role in relation to several European institutions.
Italy: hidden cameras at the workplace, the DPA on the ruling of the ECHR
17 October 2019
The President of the Italian DPA comments on the ECHR judgement on the use of hidden cameras in the workplace, pointing out that hidden video surveillance is "allowed only as a last resort, for 'serious crimes' and within limits of space and time such as to minimise the impact of the control over the worker". It cannot therefore become an ordinary practice.
Spain: Authority publishes a guide to facilitate the application of privacy by design
17 October 2019
The Spanish Guarantor has published the "Privacy Guide by Design" with the aim of providing guidance to facilitate the incorporation of data protection principles and privacy requirements into new products or services from the moment they are designed.
EU: ECHR states that if proportional, the use of hidden cameras at the workplace is admissible
16 October 2019
The European Court of Human Rights ruled that, provided the principle of proportionality is respected, employers may install hidden cameras without informing workers if they have reasonable grounds to suspect that employees are stealing from the company. The Court ruled that in the present case the surveillance did not exceed what was strictly necessary to establish the offence, and that it was carried out over a limited period of time, in a place already open to the public, and covering a limited number of persons.
Poland: sanction for failure to implement adequate mechanisms for withdrawal of consent
16 October 2019
The Polish Authority imposed a fine of more than PLN 201 000 (equivalent to approximately EUR 47 000) on one company for obstructing the exercise of the right to withdraw consent to the processing of personal data. The company in question did not implement adequate technical and organisational measures that would enable the simple and effective withdrawal of consent (which according to GDPR should be as easy as granting consent) and the exercise of the right to be forgotten.
EU: EDPB publishes guidelines on data processing in the provision of online services to data subjects
16 October 2019
After a public consultation, the EDPB published the "Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects", which deal with the processing of personal data in contracts for online services, also taking into account the aspect of the necessity of data processing for the execution of a contract.
Netherlands: a guide for the processing of sick employees' personal data
11 October 2019
The Dutch Data Protection Authority has published a comprehensive employer's guide which addresses the most common concerns regarding the way in which sick employees' data are processed. In particular, the Supervisor specifies which data the employer may ask the employee for, which data he/she may record, and clarifies the management of absence systems.
Germany: Ethics Commission publishes recommendations for Artificial Intelligence management
9 October 2019
The Data Ethics Commission has published recommendations to the German Government on the strategy to be adopted in the regulation of artificial intelligence. It has also published an Opinion in which it establishes guidelines for the ethical and human-centred development of AI systems. These two documents show a "hard" approach to Artificial Intelligence from Germany that could have a strong impact on the future discipline of AI at European level.
Greece: administrative penalty for a telephone service provider
7 October 2019
The Hellenic Authority imposed a 200,000 euro fine for violation of Article 25 (data protection by design) and Article 5(1) (principle of accuracy) on the telephone service provider 'OTE', because despite the fact that some customers had registered in the opposition register, they received unsolicited calls from third-party companies for the promotion of products and services. In addition, due to a malfunction of the "Unsubscribe" link, about 8000 people were unable to exercise their right of objection, which is why the DPA imposed an additional fine of 200,000 euros.
EU: latest version of ePrivacy Regulation published
4 October 2019
The Council of the European Union has published the latest version of the proposal for the ePrivacy Regulation concerning the respect for private life and the protection of personal data in electronic communications.
Romania: Authority imposes 170,000 euro fine on bank for data breach
1 October 2019
The Romanian DPA has sanctioned Raiffeisen Bank and the online credit platform Vreau Credit for a total of 170,000 euros for the violation of Articles 32-33 GDPR. The investigation was initiated following the notification of a breach in which two employees of Raiffeisen Bank, using data from the identity documents of certain natural persons (transmitted on WhatsApp by Vreau Credit employees) carried out investigations to determine their suitability for credit, performing simulations against 1177 individuals. Raiffeisen Bank has therefore not implemented adequate technical and organizational measures to ensure an adequate level of security and has not assessed the risks presented by the processing, which has led to unauthorized access to personal data, and unauthorized disclosure of personal data by the bank employees. Furthermore, Vreau Credit SRL did not notify the supervisory authority of the breach of personal data security until the end of the investigation, although the security incident had been detected in December 2018.
EU: Google to comply with requests for erasure of sensitive data from search engines in the EU
24 September 2019
The EU Court of Justice has ordered Google to comply with requests for the erasure of sensitive data from data subjects; the operator of a search engine is required to carry out the deindexing in the corresponding versions of the engine in all the Member States, in combination with measures which effectively prevent EU internet users carrying out a search on the basis of the name of the data subject from having access, through the list of results displayed as a result of that search, to the links which are the subject of that request, or at least to strongly discourage those users.
"Privacy sweep 2019": the international survey on the management of data breaches
23 September 2019
The Italian Data Protection Authority, together with the authorities of 17 other countries around the world, has launched the "Privacy sweep 2019", an international investigation into the management of data breaches by public and private entities, in which they will examine the procedures adopted to manage violations. In Italy, investigations will focus on companies operating in the e-commerce sector.
Belgium: €10,000 fine for disproportionate use of electronic identity card to obtain a loyalty card
19 September 2019
The Belgian authority imposed a fine of €10,000 on a retailer who had requested the use of an electronic identity card as the only means of issuing a loyalty card. The identity document contains much more data than is necessary for the creation of the card, and its processing would be disproportionate to the purpose. This constitutes an infringement of the principle of minimisation and the absence of valid consent, since the user did not have a real alternative. In fact, users who did not want to use their identity card for this purpose, would not have had access to discounts dedicated to customers with loyalty cards.
Poland: the DPA imposes the highest GDPR penalty to date for maxi data breach
19 September 2019
The Polish Data Protection Supervisor has announced the highest fine ever issued for violations of the GDPR: about 645,000 euros (PLN 2.8 million) against the online retailer Morele.net, which had suffered a massive data breach that affected more than 2.2 million users. The retailer was sanctioned for not having put in place the necessary security measures to protect customer data.
UK: a company was fined for making calls to persons who had not given their consent
18 September 2019
The ICO imposed a $150,000 fine on Superior Style Home Improvements Ltd for making commercial calls for a period of 11 months to people whose numbers were registered with the Telephone Preference Service (TPS) and who had not given their consent to receive them.
Germany: data protection Authorities examine a proposal for a model that determines the level of administrative fines
17 September 2019
The German Conference of Data Protection Authorities has examined a proposal for the development of a model for calculating the amount of an administrative penalty under the GDPR that is systematic, transparent and comprehensible. The Authority's press release does not contain the criteria on which the model will be based, which will probably be made known when it is finally adopted.
UK: ICO makes available guidance for organisations after Brexit
11 September 2019
The ICO has published on its website a series of resources and tools designed to guide companies, both small and medium enterprises as well as large organisations, in the processing of data in the case of a no-deal Brexit. The DPA states that the UK intends to maintain GDPR standards even after the exit from the EU, so companies that do not exchange data with EEA countries will not have to make major changes; for those that do, the ICO offers some tools to define the activities to be implemented.
UK: gender identity clinic accidentally discloses nearly 2000 email addresses
6 September 2019
A gender identity clinic near London sent an email about an art competition to its patients with almost 2000 email addresses in the CC field. When the clinic noticed the error, it was no longer able to recall the email. The violation, which will be notified to the ICO, is an example of a data breach attributable to a 'human error' within the organisation.
Spain: the Data Protection Authority publishes a list of processing operations not subject to DPIA
4 September 2019
The Spanish Data Protection Authority has published a list of the processing activities that do not require a Data Protection Impact Assessment (DPIA), with the aim of simplifying their identification by the data controllers. Among the exempt processing operations are, for example, those carried out in order to comply with legal obligations and in the internal management of SMEs for purposes of accounting, payroll and occupational safety management.
Latvia: DPA imposes € 7000 penalty on online retailer
3 September 2019
The Latvian Data State Inspectorate (DSI) has imposed a fine of 7000 euros on an online retailer for non-compliance with the GDPR as regards the data subject's right to erasure (the company had ignored the repeated requests of a user to delete his data), and for non-cooperation with the Supervisory Authority. In establishing the sanction, the Authority also took into account the gravity of the violation, the number of persons involved and the turnover of the previous year.
Bulgaria: tax agency fined 2.6 million euro for massive data breach of taxpayers
2 September 2019
The President of the Bulgarian DPA, Ventsislav Karadjov, has announced that the Authority will impose a fine of about 2.6 million euros on the Revenue Agency, which has suffered a data breach that has impacted 4.1 million taxpayers. The Authority took into account the Agency's responsibilities in reporting the breach and contacting the persons concerned, as well as the large amount of data involved. The Agency defended itself by claiming that unauthorised access to and extraction of data took place despite the security measures taken and that it will appeal.
USA: YouTube to pay $200 million for violating children's privacy
30 August 2019
Google has agreed to pay a sum of $200 million to settle the Federal Trade Commission's accusations that YouTube had infringed children's privacy laws by collecting their data without parental consent in order to send them highly targeted advertising. This sanction represents the maximum amount so far imposed for violation of the Children's Online Privacy Protection Act, which prohibits online services from collecting personal data from children under 13 years of age.
Bulgaria: bank fined for data breach affecting 33,000+ clients
28 August 2019
Bulgarian bank DSK Bank has been fined 1 million levs (more than 500,000 euros) for a data breach affecting more than 33,000 customers. The data consisted of the first and last names, addresses, copies of identity documents and other personal information of persons who had applied for loans from the bank. The sanction was imposed due to the lack of adequate technical and organisational measures protecting the clients' personal data.
Greece: bill to harmonise national legislation with GDPR approved
27 August 2019
On Monday, August 26, the Greek Parliament approved by a large majority the bill that will bring the national law into line with Regulation 2016/679. Although the Regulation had already become applicable in Greece, as in all EU Member States in May 2018, Athens had not yet produced the necessary legislation to specify how some provisions of the GDPR would apply in the country. The country would have risked severe penalties if it had not included the Regulation in the body of its national law.
Spain: according to the Court of Cassation, energy consumption data are personal data
26 August 2019
The Spanish Court of Cassation has ruled that data resulting from the measurement of individual electricity consumption, such as the times of use of electricity, the premises in which it is used or the appliances connected, are personal data. In fact, it is possible to trace the consumption habits of individuals, the times at which they are at home, whether they live alone or not, and can be linked to the identification data of consumers, including their first and last names. However, as the collection of this data is justified by the need to verify compliance with the law of businesses and consumers, the Supreme Court considers that the legal basis is the general interest, and that it is therefore not necessary to seek the consent of consumers.
Lithuania: web hosting company suffers data breach that impacts on 14 million users
25 August 2019
Hostings, a well-known Lithuanian web hosting company, has suffered a data breach that affected about 14 million users. The company had actually used an encryption algorithm, which however doesn't seem to have been enough to protect from the hacker attack. The company reset the users' passwords as a preventive measure and sent them an email with the indications for the reset and to inform them about the types of personal data that have been violated, as well as having communicated the data breach to the competent authorities.
USA: maxi data breach for one of the major credit card issuers
30 July 2019
Capital One Financial Corp, one of the largest credit card issuers in the U.S., has announced that it has been the subject of a cyber attack that has affected about 105 million U.S. citizens and 6 million Canadian citizens. The data breach has affected social security numbers, bank account numbers and many other personal data. According to investigators, the breach was made possible by a flaw in the firewall of the company's Amazon cloud services, which was exploited by a former software engineer to steal the data.
Sweden: first fine of the DPA to a school that used facial recognition on students
30 July 2019
The Swedish DPA issued its first fine (SEK 200,000) to a high school that used facial recognition to test students' participation in lessons. The high school board stated that it had asked the students for their consent to use their biometric data for facial recognition, but the Authority considered that consent was not an adequate legal basis because the students were in a position of dependence vis-à-vis the school board, and that there were other less privacy-intrusive ways to track school attendance.
Italy: the DPA's provision on the notification of data breaches
30 July 2019
A specific measure on the notification of data breaches has been adopted by the Guarantor for the protection of personal data with the aim of assisting companies, banks and public administrations in fulfilling their privacy obligations; with a view to simplification, it has also prepared a notification model containing all the information required by law.
Greece: €150,000 sanction for an employer processing employee data in violation of the GDPR
30 July 2019
The Hellenic Data Protection Authority recently imposed a €150,000 fine on an employer who was unlawfully processing its employees' data. In fact, the choice of the legal basis for the processing (Article 5(1)) was inappropriate, and the processing itself proved to be unfair and non-transparent, as employees were told that their data was processed on the basis of consent, while they were processed under a legal basis of which they had never been informed. The employer also violated the principle of accountability by transferring the burden of proof of compliance to the data subjects.
Germany: embedding a 'like' button on a site makes the website operator joint controller with Facebook
29 July 2019
The Court of Justice of the European Union, in the decision Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV. stated that website operators incorporating a "like" button that refers to a Facebook page are joint controllers with the latter. This means that they are obliged to enter into an agreement with Facebook and to inform the data subjects accordingly. The case concerned a German e-commerce company, which had been sued by a consumer protection association. It is not relevant, therefore, that the website operators do not have access to the data processed by Facebook, as it is the operators themselves who decide to insert the "like" button to increase the visibility of their products on the social network.
France: the CNIL has imposed a fine of € 180,000 on an insurance company for failing to adequately protect the data of users of its website
18 July 2019
In June 2018, the CNIL received a report from one of the company's customers indicating that, from his account, he had been able to access the personal data of other customers.
An online audit revealed that the company's customers' accounts were accessible via referenced hyperlinks on a search engine. Customer documents and data were also accessible by changing the numbers at the end of the URLs displayed in the browser. These documents included copies of driver's licenses, registration cards, bank identity documents and documents to determine whether a person had been subject to a driving disqualification or an accident.
On the basis of the investigations conducted, the CNIL considered that the company had breached its obligation to secure personal data under Article 32 of the GDPR, and consequently imposed a fine of 180,000 euros. In particular, it took into account the seriousness of the breach, due to the nature of the data and documents in question. It also took into account the number of persons concerned, as the lack of security affected the accounts of several thousand customers and persons who had terminated their contract with the company. In mitigation, the CNIL took into account the company's responsiveness in correcting the lack of security and its cooperation with the CNIL.
EDPB issues Guidelines on video surveillance
10 July 2019
The EDPB has published the Guidelines on the processing of data through video devices, which investigate the effects of traditional and 'intelligent' video surveillance, and the consequences of these processing activities on people. While this invasive processing can be justified by public security reasons that are greater than the risks, other purposes such as marketing or attendance control can be more insidious and unnecessarily impactful. The EDPB recommends the use of video surveillance as a 'back-up measure' when the purpose cannot be achieved by other less intrusive means.
UK: Marriott to receive more than £99 million fine for data breach
9 July 2019
The ICO has notified its intention to fine Marriott Hotels £99,200,396 for the data breach notified in November 2018, caused by insufficient due diligence in the security measures protecting customers' data. The compromised data belonged to 339 million guests from all over the world, of which about 30 million were residents of the European Economic Area, and 7 million were residents of the United Kingdom.
UK: ICO intends to fine British Airways for breaches of data protection law
8 July 2019
British Airways has been fined 138 million pounds (204 million euros) following the hacker attack, which occurred in 2018, in which the credit card details of 380,000 passengers were copied. The fine amounts to 1.5% of the company's total turnover in 2017. The company claims to be surprised at the decision, as it has done everything possible to promptly remedy the incident.
UK: DPA to investigate how TikTok protects children's data
1 July 2019
The Data Protection Authority responded to the Online Harms White Paper, a white paper containing the government's plans to maintain the safety of Internet users. Among other topics, the DPA confirms that it is investigating TikTok because the app does not seem to sufficiently protect children and their data. In addition, although the app requires a minimum age of 13 years, in practice there is no verification system that prevents access.
Italy: DPA imposes €1 million fine on Facebook for Cambridge Analytica case
28 June 2019
The Italian Data Protection Authority has imposed a €1 million fine on Facebook for the Cambridge Analytica case. The sanction, being based on a 2016 case, was imposed on the basis of the former Italian Privacy Code and follows the measure of January 2019, in which the Authority had forbidden Facebook to continue to unlawfully process the data of Italian users.
Romania: first fine on a bank for violation of the principle of minimisation
27 June 2019
The first sanction by the Romanian DPA was imposed on Unicredit bank, for violation of Article 25 (principle of data protection by design and by default) and the principle of minimization, and amounts to 130,000 euros. The infringement concerns the fact that the beneficiaries of the payments could see through a statement of account some data of the payer that went beyond what was necessary, such as their address and tax code.
Egypt approves first national law on data protection
24 June 2019
Although it is not strictly related to Europe, it is certainly significant that Egypt has passed its first national data protection law, which protects Egyptian citizens and European citizens living in Egypt. Companies will be required to obtain the consent of individuals before collecting, processing or disseminating their data. Any company found to have violated the law will face no less than three months of imprisonment and fines ranging from EGP 100,000 to 1,000,000. The law is also very strict regarding the unauthorized transfer of data abroad, which would result in a sanction of between EGP 300,000 and 3,000,000.
UK: ICO fines telecoms company for sending unlawful text messages
24 June 2019
The ICO imposed a £100,000 fine on the telecommunications company 'EE Limited', which in early 2018 sent over 2.5 million direct marketing text messages to its clients without their consent. The company defended itself by claiming that these were service messages, but the ICO found the messages contained direct marketing content and promoted products and services. The DPA reminded that companies sending promotional content must act in accordance with applicable laws, or face fines of up to £500,000.
France: company receives € 20,000 sanction for disproportionate video surveillance of employees
18 June 2019
The French DPA (CNIL) imposed a fine of €20,000 on a company for setting up a video surveillance system which placed its employees under constant video surveillance. The company also failed to provide adequate information technology to its employees, and to implement appropriate information security measures. The company had already been inspected in previous years, but the violations had continued despite the recommendations, hence the decision to impose a fine.
Spanish DPA publishes recommendations on anonymisation processes
14 June 2019
The AEPD has published recommendations for those who perform anonymisation processes. The document analyses the limits of the effectiveness of these processes, the extent to which the information is really anonymous, and how to quantify the risk of re-identification. It also covers k-anonymity, a technique for measuring the degree to which individuals could still be identified in an apparently anonymous data set.
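To make the k-anonymity measure concrete, here is an added example (not part of the AEPD document or the original page) that computes k for a constructed, hypothetical set of records over the quasi-identifiers postcode, age and sex, coarsens those attributes step by step until a target k is met, and then checks how diverse the sensitive attribute is inside each class, since a high k alone does not prevent attribute disclosure when everyone in a class shares the same value. The record fields, generalisation levels and k targets are all assumptions made for the example.

```python
"""k-anonymity of a constructed record set over chosen quasi-identifiers.

Hypothetical data and generalisation levels; not the AEPD's own method
or code. Direct identifiers (names, ids) are assumed already removed.
"""
from collections import Counter, defaultdict

# Constructed sample records; "diagnosis" is the sensitive attribute.
RECORDS = [
    {"zip": "28001", "age": 34, "sex": "F", "diagnosis": "asthma"},
    {"zip": "28001", "age": 36, "sex": "F", "diagnosis": "flu"},
    {"zip": "28002", "age": 41, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "28002", "age": 45, "sex": "M", "diagnosis": "flu"},
    {"zip": "28003", "age": 29, "sex": "F", "diagnosis": "asthma"},
    {"zip": "28003", "age": 52, "sex": "M", "diagnosis": "hypertension"},
]

QUASI_IDENTIFIERS = ("zip", "age", "sex")
SENSITIVE = "diagnosis"


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count records sharing the same combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """k is the size of the smallest equivalence class.
    k == 1 means at least one record is unique on its quasi-identifiers."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def reidentification_risk(records, quasi_ids=QUASI_IDENTIFIERS):
    """Worst-case chance that someone who knows a person's quasi-identifiers
    picks the right record: 1/k (1.0 when any record is unique)."""
    k = k_anonymity(records, quasi_ids)
    return 1.0 / k if k else 1.0


def generalise(record, zip_digits, age_band):
    """Coarsen the quasi-identifiers: keep only the leading postcode digits
    and replace the exact age with a band such as '20-39'."""
    lo = (record["age"] // age_band) * age_band
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    out["age"] = f"{lo}-{lo + age_band - 1}"
    return out


# Assumed generalisation ladder: (postcode digits kept, width of age band),
# from no generalisation at all to suppressing both attributes entirely.
LEVELS = [(5, 1), (3, 10), (3, 20), (2, 20), (0, 100)]


def generalise_until(records, k_target, levels=LEVELS):
    """Apply increasingly coarse levels until k >= k_target.
    Returns (level, generalised_records) or (None, None) if unreachable."""
    for zip_digits, age_band in levels:
        gen = [generalise(r, zip_digits, age_band) for r in records]
        if k_anonymity(gen) >= k_target:
            return (zip_digits, age_band), gen
    return None, None


def sensitive_diversity(records, quasi_ids=QUASI_IDENTIFIERS, sensitive=SENSITIVE):
    """Smallest number of distinct sensitive values in any equivalence class.
    A value of 1 means some class leaks its members' sensitive attribute
    even though the class itself is k-anonymous."""
    values = defaultdict(set)
    for r in records:
        values[tuple(r[q] for q in quasi_ids)].add(r[sensitive])
    return min(len(v) for v in values.values()) if values else 0


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "risk =", reidentification_risk(RECORDS))
    level, gen = generalise_until(RECORDS, k_target=2)
    print("level", level, "gives k =", k_anonymity(gen),
          "and sensitive diversity", sensitive_diversity(gen))
```

On the constructed records every row is unique, so k is 1 and the worst-case re-identification risk is 100%; keeping three postcode digits and 20-year age bands puts every row in a class of three, while the diversity check shows that each class still contains at least two different diagnoses. The same functions work for any list of dictionaries once the quasi-identifier and sensitive field names are adjusted.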
Spain: La Liga receives a fine of 250,000 euros
12 June 2019
The Spanish football league La Liga was fined 250,000 euros by the Spanish DPA because its official app activated the microphone and GPS of the smartphones on which it was installed without informing users. This was done to check if the phone owners were watching the game with an official subscription or if they were using pirate streaming channels. La Liga has announced that it will appeal.
Italy: DPA blocks illicit acquisition of consent through points collection program
12 June 2019
The Italian DPA has intervened to limit the promotional activity of Pampers which, through an online form on its website, required users participating in the company's points collection program, to give their consent to receive commercial communications on their email address. In fact, subjects could not express a free and specific consent for the individual processing purposes that the company intended to carry out, and did not receive adequate information regarding the purposes and methods of processing their data for promotional purposes.
EDPB publishes updated GDPR Guidelines
12 June 2019
The EDPB has published updated versions of its "Guidelines 4/2018 on accreditation of certification bodies pursuant to Article 43 of the General Data Protection Regulation" and the "Guidelines 1/2018 on certification and identification of certification criteria in accordance with Articles 42 and 43 of the Regulation". The new version of Guidelines 4/2018 contains guidelines on the specifications for "additional" accreditation requirements to the ISO/IEC 17065/2012 standard and in accordance with Article 43(1)(b) and Article 43(3) of the GDPR.
France: company receives 400,000 euros penalty for failing to adequately protect its website users' data
6 June 2019
Following a complaint by an individual, the CNIL imposed a fine of 400,000 euros on a real estate management company, which had not protected its website users' data properly. In fact, the user could access, from their personal account on the site, the documents saved by other users by slightly modifying the URL displayed in the browser. The alleged violations are the non-compliance with the security requirements of Article 32 of the GDPR, and the fact that the data were stored beyond the time required to carry out the processing activities.
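Both this CNIL decision and the 180,000 euro one of 18 July 2019 above describe the same defect: a document handler that trusts the numeric id in the URL and never checks that the logged-in account owns the object. The following added example (not the code of either sanctioned company, nor of the CNIL) shows that vulnerable pattern next to its hardened form, using a constructed in-memory document store and hypothetical URL paths, plus an audit helper of the kind one would run in a test suite to confirm that no document is served to an account other than its owner.

```python
"""Object-level authorization on a document-download handler.

Constructed example: hypothetical document store, URL scheme and account
names; not the code of the companies sanctioned by the CNIL.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str        # account that uploaded the document
    kind: str         # e.g. "driving_licence", "bank_details"
    content: bytes


# Constructed sample store with sequential ids, as such portals often have.
DOCUMENTS = {
    1041: Document(1041, "alice", "driving_licence", b"ALICE-LICENCE"),
    1042: Document(1042, "bob", "registration_card", b"BOB-REGISTRATION"),
    1043: Document(1043, "alice", "bank_details", b"ALICE-IBAN"),
}


class NotFound(Exception):
    """Raised for a missing document, or one the caller may not see."""


_PATH = re.compile(r"^/account/documents/(\d+)$")  # assumed URL layout


def _doc_id_from_url(url):
    match = _PATH.match(urlparse(url).path)
    if not match:
        raise NotFound(url)
    return int(match.group(1))


def fetch_document_insecure(session_user, url):
    """Vulnerable pattern: the id in the URL is used directly and the
    document's owner is never compared with the logged-in account, so
    `session_user` is effectively ignored."""
    doc = DOCUMENTS.get(_doc_id_from_url(url))
    if doc is None:
        raise NotFound(url)
    return doc.content


def fetch_document_secure(session_user, url):
    """Hardened pattern: the ownership check happens on every access, and
    a document that exists but belongs to someone else gets the same 404 as
    a missing one, so the response does not reveal which ids exist."""
    doc = DOCUMENTS.get(_doc_id_from_url(url))
    if doc is None or doc.owner != session_user:
        raise NotFound(url)
    return doc.content


def exposed_documents(session_user, handler, store=DOCUMENTS):
    """Audit helper for a test suite: ids of documents the handler serves to
    `session_user` even though that account does not own them."""
    leaked = []
    for doc_id, doc in sorted(store.items()):
        if doc.owner == session_user:
            continue
        try:
            handler(session_user, f"https://portal.example/account/documents/{doc_id}")
            leaked.append(doc_id)
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    print("insecure handler leaks to bob:", exposed_documents("bob", fetch_document_insecure))
    print("secure handler leaks to bob:", exposed_documents("bob", fetch_document_secure))
```

The audit helper is the part worth keeping: run against every handler that resolves an object by id, it turns the CNIL's finding into a regression test that fails whenever an ownership check is dropped. Note also that the ownership comparison belongs in the data-access layer, not only in the one URL route, so that other code paths (search indexes, export jobs, direct links) cannot bypass it.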
UK: ICO launches tool to help companies identify legal basis
1 June 2019
The UK Data Protection Authority has developed an interactive tool for companies to identify the most appropriate legal basis for their processing activities. At the end of the questionnaire, the tool provides a response with a rating for each legal basis, including some recommended actions and links to useful tools.
Belgium: Authority fines mayor for unlawful processing for electoral purposes
29 May 2019
The Belgian Data Protection Authority has announced the imposition of a fine of € 2000 on a mayor for unlawful data processing. The mayor allegedly did not observe the principle of purpose limitation; in fact he had obtained some e-mail addresses as part of an urban planning project, which he re-used for electoral campaign purposes. In quantifying the sanction, the DPA took into account the limited number of persons affected, and the nature, gravity and duration of the offence. This is the first sanction imposed by the Belgian DPA under the GDPR.
EU: European Commission publishes guidelines on the free flow of non-personal data
29 May 2019
As part of the broader European strategy called "Digital Single Market", the European Commission has published the Guidelines on the free flow of non-personal data, where the recent FFD Regulation is analysed. The Guidelines aim to help businesses understand the interactions between the new legislation and the GDPR, and thus the relationship between personal and non-personal data, including the situation where the two are combined.
EU: managing risks related to the processing of children's data
27 May 2019
In its latest newsletter, the EDPS emphasises the processing of children's data and its associated risks, as well as European and international standards which increasingly recognise children's data as categories of data on which specific precautions should be taken. Due to the lesser awareness that children have of their rights and the risks associated with processing, the GDPR and the data protection standard for EU institutions provide for certain limitations, such as the prohibition to implement an automated decision-making process.
Netherlands: the DPA causes data breach by sending CC-email
24 May 2019
The Dutch Data Protection Authority (PA) has caused a data breach. A spokesperson sent an email to 38 addresses including journalists, editors and others, placing them in the CC field. This allowed each recipient to see who else had received the e-mail. The DPA does not think that a 'self-notification' to the Authority is necessary, as it considers the violation to be minimal, and states that if the recipients of the e-mails know each other, the CC e-mail can be functional to the work activities.
Belgium: implementation of the NIS Directive, the law is GDPR-inspired
24 May 2019
Belgium is the first European country to have transposed the content of the NIS Directive into a national law. This is the first European legislation on cybersecurity, which is part of the broader "EU cybersecurity strategy". The implementation of the NIS introduces a number of obligations for essential service operators and digital service providers. The link with the GDPR is evident: the obligations imposed by the NIS include both technical and organizational security measures, as well as notification obligations in the event of incidents with a negative impact on access, secrecy, integrity and authenticity of networks and information systems used by the individual market operator. In addition, a DPO must be appointed for all essential service operators and digital service providers.
UK: the ICO provides a self-assessment tool to determine when to notify a breach to the Data Protection Authority
22 May 2019
The UK DPA has created a self-assessment tool to help organisations understand when to notify a breach to the Data Protection Authority. The ICO stresses that a breach should not always be reported, but only when, following an assessment of the probability and severity of the risks to the freedom and rights of individuals, it is likely there will be a risk. The tool is based on multiple choice questions and can be completed in two minutes.
Ireland: the Data Protection Officer warns against spyware attacking Whatsapp
14 May 2019
The Data Protection Commissioner has issued a press release regarding a security incident reported to them by WhatsApp, according to which spyware could exploit a vulnerability in the program to steal personal data by installing it through a voice call. The Authority is still trying to investigate possible damages and advises users to update the app to the latest version available.
UK: company faces £120,000 fine for sending 3.5 million direct marketing text messages
7 May 2019
The ICO sanctioned Hall and Hanley, a company that had sent 3,560,211 direct marketing SMS messages through third parties without obtaining the data subjects' consent. Hall and Hanley claims to have obtained consent through user subscriptions to four sites. However, the ICO points out that only two of these mentioned the company in question, and that in any case people were required to provide their data in order to subscribe, which is against the law.
Spain: the DPA publishes a guide on data breach in English
30 April 2019
A few days ago, the Spanish Data Protection Authority (AEPD) issued a document entitled "Guide on personal data breach management and notification", a guide to managing and reporting data breaches. In addition to definitions, classification of incidents and a 'guided' approach to data breach management, the document also contains a form for notification to the DPA and the main parameters to be considered to determine whether notification to data subjects is necessary.
Ireland: Data Protection Commission opens statutory inquiry into Facebook
25 April 2019
In a press release, the Data Protection Commission declared that it has opened an official investigation after Facebook admitted that it had stored hundreds of millions of passwords of Facebook, Facebook Lite and Instagram users in plaintext format due to an internal error.
The IAPP publishes FAQs on the compliance of companies to the California Consumer Privacy Act
17 April 2019
The International Association of Privacy Professionals (IAPP) has released a series of answers to key questions relating to the application of the California Consumer Privacy Act (CCPA). In fact, compliance with the GDPR, while useful for implementing data protection mechanisms, does not necessarily equal compliance with the Californian data protection law. Companies may therefore need to make some changes to comply with the CCPA, for example companies that 'sell' data subjects' data to third parties.
UK: ICO fines website for sharing personal data of new mothers with marketing agencies
12 April 2019
The pregnancy and parenting club 'Bounty' was fined by the ICO for sharing the personal data of new and soon-to-be mothers with 39 organisations, including Acxiom, Equifax, Indicia and Sky, for direct marketing purposes. Bounty shared 34 million records belonging to both new mothers and their children, including gender and date of birth. The ICO considers the violation particularly serious both because of the volume of data shared and because Bounty was not transparent about its intention to use the data and share it with third parties for marketing. Since the violation occurred between June 2017 and April 2018, when the Data Protection Act 1998 was still in force, the ICO imposed a fine of £400,000; the fine could have been much higher had the conduct taken place after 25 May 2018.
Denmark: the Data Protection Authority has ruled on the application of GDPR to voice recordings
11 April 2019
The Danish Data Protection Authority has ruled on the need for companies to obtain explicit consent when recording customer calls. The case concerned Denmark's largest telecommunications company, which had informed customers that their calls would be recorded but had provided no opt-in or opt-out mechanism allowing them to decide not to be recorded. Under the GDPR, where processing relies on consent, that consent must be freely given; recording without such a choice is lawful only if it rests on another legal basis, such as a legal obligation or the performance of a contract.
UK: ICO fines production company for unlawfully filming in a maternity clinic
10 April 2019
The ICO fined True Vision Productions (TVP) £120,000 for unlawfully filming patients in a maternity clinic with CCTV cameras equipped with microphones. The clinic had authorised TVP to record footage for a documentary on stillbirths, and TVP was therefore the data controller. The ICO sanctioned TVP for not adequately informing patients and not asking for their consent to be filmed: TVP had only put up signs and left flyers on the tables in the clinic waiting room. Moreover, a patient who did not want to be filmed had no way to stop the recording other than explicitly asking to be seen in a room without cameras.
UK: a White Paper on Internet security and online harms is published
8 April 2019
The UK Department for Digital, Culture, Media and Sport has published a white paper on the risks posed by online content. The document contains proposals for regulating the Internet and protecting users against the spread of extremist, illegal or harmful content. It also proposes establishing an independent regulator to scrutinise the major web operators, with the power to impose fines of up to one billion pounds. The aim is to force large online companies to be transparent about their content and any harm it may cause, to drastically reduce misinformation, especially at election time, and, for citizens, to launch a media literacy campaign to help them recognise fake news and harmful content.
Italy: DPA sanctions online platform "Rousseau"
4 April 2019
The Italian Data Protection Authority issued a €50,000 fine against the so-called "Rousseau platform" (the online platform that runs the 5-Star Movement's website) because of significant deficiencies in its security systems, despite the improvements already undertaken on the site. The DPA requires that specific technical and IT changes be implemented and that a rigorous data protection impact assessment be carried out which "specifically refers to the e-voting functionalities of the platform".
France: the CNIL publishes binding rules on the processing of biometric data in the workplace
28 March 2019
The French Data Protection Authority, the CNIL, has published a "Model Regulation" on the use of biometric systems to control access to premises, devices and applications in the workplace. The document sets binding rules for data controllers subject to French data protection law who process employees' biometric data for these purposes. Specifically, it lists the types of personal data that may be collected and processed, defines the retention period, and specifies the technical and organisational measures to be implemented to ensure the security of the personal data.
Poland: the Data Protection Authority sanctioned a company for failing to inform data subjects about the processing of their data
26 March 2019
The Polish Data Protection Authority imposed a fine of 943,000 zlotys (about 220,000 euros) on a company for violating Article 14 of the Regulation by not informing six million people about the processing of their data. By failing to inform them, the controller prevented the data subjects from exercising their rights under the GDPR, including the right to object. According to the Authority, the company was aware of its obligation to provide the information directly to the persons concerned, which explains the size of the fine.
UK: pensions company is fined for sending nearly 2 million spam emails
26 March 2019
A Kent pensions company received a £40,000 fine for sending (via a third party) nearly 2 million direct marketing emails between 31 October 2016 and 31 October 2017 without the recipients' consent. The company had even sought the advice of a privacy consultant and a lawyer, both of whom had approved the campaign. The ICO points out that, despite this, responsibility for complying with the law remains with the company, which should have approached the DPA for clarification on the feasibility and risks of the campaign. More generally, the ICO reiterates that direct marketing emails may not be sent to those who have not consented, and that this applies equally to companies that outsource their direct marketing to third parties.
Denmark: fine of €160,000 imposed on a company for violation of the minimisation principle
25 March 2019
The Danish Data Protection Authority has recommended a fine of DKK 1.2 million (about 160,000 euros) against a taxi company that had kept its customers' telephone numbers beyond the two-year period set in its own data retention policy. The company had deleted the names and addresses of the persons concerned but retained their telephone numbers, citing a difficulty in deleting them from its IT system. The DPA rejected that justification and also rejected the claim that the remaining data were anonymised: a telephone number on its own still allows the data subject to be identified. The fine is significant because it amounts to 2.8% of the company's annual turnover, approaching the 4% ceiling provided for in the GDPR.
Italy: inspection activity carried out by the DPA in 2018
25 March 2019
In Newsletter no. 451 of 25 March 2019, the Italian Data Protection Authority took stock of the inspection activities carried out in 2018. In the private sector, inspections focused mainly on processing carried out by credit institutions; by credit rating companies; by local health authorities, with data subsequently transferred to third parties for research purposes; by telemarketing companies; by "money transfer" service providers; by insurance companies that install "black boxes" in vehicles; and by companies that offer healthcare services through apps.
Italy: the DPA's inspection activities will also be carried out by the Financial Police
25 March 2019
With its Resolution of 14 February 2019, the Italian DPA approved the inspection plan for January-June 2019, to be carried out with the assistance of the Financial Police (Guardia di Finanza). It will focus mainly on credit institutions, the health sector, the national statistical system (SISTAN), the federated digital identity system (SPID), companies that carry out marketing and profiling of loyalty-card holders, and public bodies.
Finland: the DPA investigates whether Nokia smartphones send personal data to servers in China
21 March 2019
The Finnish DPA opened an investigation after a user of a Nokia 7 Plus smartphone noticed that the device, made by the Finnish company HMD Global, appeared to be sending data to a server in China. When questioned, HMD said that no data had actually been sent from its phones to third parties, but that a software fault on some devices caused them to attempt to contact an external server.
EU: Facebook admits having stored 200-600 million passwords in readable format
21 March 2019
Facebook has admitted that it kept between 200 and 600 million user passwords in plaintext, i.e. neither hashed nor encrypted, and therefore potentially accessible to employees. Facebook reportedly discovered the problem during a routine internal security review in January and is alerting affected users and encouraging them to change their passwords. The issue is all the more significant because many users log in to a multitude of online services with their Facebook account. The data do not appear to have been leaked or misused, but the European Data Protection Authorities are watching the matter. A German data protection commissioner said: "This matter will be meticulously investigated by data protection authorities. First, it needs to be clarified whether Facebook has breached its notification obligations under the Data Protection Regulation. The problem seems to have been known since January. Independently of this, the Irish Data Protection Authority, which is responsible in Europe, will certainly consider initiating a sanction procedure, and we will also discuss the case in the European Data Protection Board."
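The incident above comes down to where the password ends up once it leaves the login form. As an added illustration that is not Facebook's code, the following Python shows the two storage patterns side by side: the "readable format" anti-pattern (the secret itself is stored, so anyone who can read the store or a log line echoing it has the password) and the hardened form (a per-user random salt plus an iterated PBKDF2-HMAC-SHA256 digest, compared in constant time). It also includes a log-redaction filter and an audit check that verifies the plaintext never appears in the serialised store. The in-memory store, the log lines, the iteration count and the field names are constructed for the example.

```python
"""Plaintext vs hashed credential storage, plus log redaction.

Added example, not Facebook's code. The user store, the log lines and the
PBKDF2 parameters are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import re

# Anti-pattern: the "readable format" described in the news item. Whoever can
# read this store (or a debug log that echoes it) holds the password itself.
def store_plaintext(store: dict, user: str, password: str) -> None:
    store[user] = {"password": password}


# Hardened form. The iteration count is an assumption for this example:
# pick the highest value your login latency budget allows.
ITERATIONS = 200_000
SALT_BYTES = 16
_DUMMY_SALT = b"\x00" * SALT_BYTES  # used only to equalise timing for unknown users


def store_hashed(store: dict, user: str, password: str,
                 iterations: int = ITERATIONS) -> None:
    """Store salt + PBKDF2-HMAC-SHA256 digest; the password itself is never kept."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    store[user] = {
        "alg": "pbkdf2-sha256",
        "iter": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(store: dict, user: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = store.get(user)
    if rec is None:
        # Do the same amount of work so an unknown user is not distinguishable
        # from a wrong password by response time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(rec["salt"]), rec["iter"])
    return hmac.compare_digest(digest.hex(), rec["hash"])


def contains_plaintext(store: dict, password: str) -> bool:
    """Audit check: does the serialised store leak the secret anywhere?"""
    return password in json.dumps(store)


# Log redaction: matches key=value and JSON "key": "value" forms for common
# credential field names and replaces the value before the line is written.
_CRED_RE = re.compile(r'(?i)("?(?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|\S+)')


def redact(line: str) -> str:
    return _CRED_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    good, bad = {}, {}
    store_plaintext(bad, "alice", "correct horse")
    store_hashed(good, "alice", "correct horse")
    print("plaintext store leaks secret:", contains_plaintext(bad, "correct horse"))
    print("hashed store leaks secret:   ", contains_plaintext(good, "correct horse"))
    print("login ok:", verify(good, "alice", "correct horse"),
          "wrong pw:", verify(good, "alice", "nope"),
          "no user:", verify(good, "bob", "correct horse"))
    # Constructed log lines of the kind a request logger might emit.
    print(redact("POST /login user=alice password=hunter2 ip=10.0.0.5"))
    print(redact('{"user": "alice", "password": "hunter2"}'))
```

The audit check is the part worth wiring into a pipeline: run `contains_plaintext` (or the equivalent grep over log archives) with a canary password created by a test account, and treat any hit as an incident rather than a code-quality finding.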
Norway: the DPA sanctions a municipality for violation of GDPR requirements
18 March 2019
The Norwegian Data Protection Authority fined the Municipality of Bergen NOK 1,600,000 (about 160,000 euros) for a flaw in the school platform it used: files containing the usernames and passwords of more than 35,000 pupils, together with other personal data such as addresses and national identity numbers, were accessible to pupils and staff, in breach of the GDPR's security requirements. Here is the decision issued by the DPA (in Norwegian).
Netherlands: the quality of data breach registers varies between organisations
17 March 2019
A recent study carried out on behalf of the Dutch Data Protection Authority examined the quality of organisations' data breach registers. Only 60% of the records analysed were properly compiled, i.e. correctly describing the facts, the consequences and the security measures taken. To help organisations develop plans and procedures that let them learn from incidents and correct their data management structures, the Dutch DPA has published practical suggestions for keeping better records of data breaches.
Netherlands: the Dutch DPA has released its GDPR sanctioning policy
14 March 2019
The Dutch Data Protection Authority has divided fines into four categories according to the severity of the infringement (Cat. 1 from 0 to 200,000 euros; Cat. 2 from 120,000 to 500,000 euros; Cat. 3 from 300,000 to 750,000 euros; Cat. 4 from 450,000 to 1 million euros). It also gives examples of how the fine is set within each range based on the size of the company and a number of aggravating factors (the number of persons affected, the company's conduct, the type of data involved, and others). Fines above one million euros may be imposed where these ranges are not considered sufficient. An analysis is available here in English.
Norway: the DPA publishes a guide for software development in accordance with the principles of privacy by design and by default
13 March 2019
The Norwegian Data Protection Authority (Norway is an EEA state where the GDPR became applicable on 20 July 2018) has published a guide to developing software in line with the principles of the GDPR. The aim is to help organisations understand and meet the data protection by design and by default requirements of Article 25 of the Regulation. The guide, divided into sections, is available in English and Norwegian; security engineers and software developers from the private and public sectors cooperated in drafting it.
EDPB publishes Opinion 5/2019 on the relationship between the ePrivacy Directive and the GDPR
12 March 2019
The EDPB published Opinion 5/2019 on the relationship between the ePrivacy Directive and the GDPR, in particular as regards the competence, tasks and powers of the national data protection authorities. Above all, the document deals with the respective scopes of application of the two instruments (including cases where they overlap) and with how they coexist.
France: CNIL launches freely accessible online training on GDPR
11 March 2019
The French DPA has published a freely accessible online training course entitled "L'Atelier RGPD" (The GDPR Workshop). The course is designed for data protection professionals but also for anyone who simply wants to learn more about the GDPR, and can be used to check an organisation's compliance and to raise awareness among employees. It consists of four modules with illustrations, quizzes, assessments and concrete cases, followed by a final test that grants a certificate.
EDPB publishes a document on cooperation between national privacy authorities
8 March 2019
The EDPB has recently published the document "First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities", which addresses the cooperation between national data protection authorities, including for cross-border cases, as one of the key issues for the implementation of the GDPR (European Regulation) at the local level.
Italy: privacy and cybersecurity, how the new protocol between the DPA and the Intelligence protects citizens
6 March 2019
The Italian DPA (Garante) will forward to the intelligence services any data breach notifications it receives from controllers that are relevant to national cyber security. This is one of the effects of the new Protocol of Intent signed between the Garante and the intelligence services to ensure that cyber security activities comply with the GDPR and with Legislative Decree no. 51 of 18 May 2018, which transposes the so-called "Law Enforcement" Directive.
EDPB: information note for the processing of data in case of a "hard Brexit"
27 February 2019
The EDPB has drafted an information note on what European public and private operators will have to do regarding transfers of personal data to the UK in the event of a no-deal ("hard") Brexit, a scenario that becomes increasingly concrete if no agreement is reached by midnight on 29 March 2019.
USA: TikTok receives $5.7 million fine for collecting personal data from minors under 13 years of age without parental consent
27 February 2019
The Federal Trade Commission (the US consumer protection authority) has ruled that TikTok, a social network for creating and sharing short videos, must pay a $5.7 million fine for collecting personal data from children under 13 without parental consent. The app required users to enter their first and last name, a username, an email address, a short biography and a profile photo. In addition to the fine, TikTok must remove the videos of all users under 13.
EDPS: European Data Protection Supervisor publishes 2018 report
26 February 2019
The European Data Protection Supervisor has published the report for the year 2018 where it presents the data, statistics and actions carried out by the European Data Protection Supervisor (EDPS) last year, as well as the objectives and activities planned for 2019.
Belgium: Data Protection Authority publishes list of data processing operations requiring a DPIA
25 February 2019
The Belgian Data Protection Authority has issued (in French and Dutch) the list of the types of processing operations that require a DPIA (Data Protection Impact Assessment), as Article 35(4) of the GDPR requires of every national Data Protection Authority.
Spain: the DPA develops a software that creates a register of processing operations
24 February 2019
The Spanish Data Protection Authority has developed and made available online "Facilita", a free and easy-to-use tool that produces a register of processing operations in Word format. The tool is intended only for SMEs that carry out simple, low-risk processing, but for companies whose processing poses no particular risk to data subjects it can be an excellent compliance aid.
Hungary: first GDPR sanctions
15 February 2019
The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) has recently adopted two decisions on violations of data protection rules. The identities of the two companies have not been disclosed, but one of them appears to have received a fine of EUR 3,135 (HUF 1,000,000), equal to 6.5% of its annual turnover, for violating the right of access. The second case concerns a bank that unlawfully disclosed data following an incorrect entry but did not receive a fine.
Italy: the DPA sanctions a doctor who used patient data for election purposes
14 February 2019
EDPB publishes its Work Program for the years 2019 and 2020
12 February 2019
The EDPB is releasing its 2019 and 2020 Work Program, which focuses on new technologies and specific data protection issues. New activities and guidelines include the complex issue of international transfers, ePrivacy and online services, the application of GDPR (including outside the EU), and the issue of financial data related to digital payments and e-invoices.
Spain: AEPD publishes study on how the digital footprint of devices affects citizens' privacy
7 February 2019
The Spanish Data Protection Agency (AEPD) has published a study on online profiling based on device fingerprinting: the data extracted from each connected device (browsing habits, geolocation, system configuration, installed applications and software, mouse movements, etc.) allow the user to be identified and a unique profile to be built. Among the most critical points are the failure to comply with the principles of transparency and minimisation, the use of special categories of data without users' awareness, and users' frequent inability to avoid the data collection or to exercise their rights under the GDPR. The document then sets out some of the measures available to limit device tracking, as well as a series of recommendations for manufacturers and developers who intend to make use of the data obtained in this way.
Germany: Antitrust restricts Facebook's data collection
7 February 2019
The German competition authority (Bundeskartellamt) has found that Facebook, which holds a dominant position on the German market, collects and combines data from other platforms of the Facebook group and from third-party websites and apps linked to it without having obtained clear, GDPR-compliant consent from users. The German data protection authorities support the competition authority's decision and call on Facebook to act swiftly to rethink its data processing.
Italy: role of the employment adviser after full application of Regulation (EU) 679/2016
7 February 2019
The Italian DPA has answered a question on the role of employment consultants submitted last September by their National Council, stating that when employment consultants process the data of their clients' employees in the course of their professional services, they act as Data Processors.
Italy: fusion between Authorities, what are the advantages in times of big data and GDPR
5 February 2019
According to numerous commentators on the digital age, a merger of AGCM (the Competition Authority), AGCOM (the Communications Authority) and the Data Protection Authority would be advisable, also in light of Lazio Regional Administrative Court (TAR) rulings nos. 335 and 336, in which the court suggests starting to move in that direction. The objective is clear: the protection of citizens and their data now has many facets, and keeping the supervisory bodies separate weakens that protection.
France: data, competition and trade practices
31 January 2019
Convergence between data protection authorities and competition and consumer authorities is under way. The first step comes from France, where the CNIL has signed a cooperation agreement with the DGCCRF (the French Directorate General for Competition, Consumer Affairs and Fraud Control).
Infographic containing data on the application of the GDPR from 25 May 2018 to present
29 January 2019
The European Commission has published an infographic with figures on compliance with and enforcement of the GDPR since 25 May 2018, when the Regulation became applicable. The most relevant figures: in less than a year, national DPAs received 95,180 complaints about alleged violations of data protection law and 41,502 data breach notifications, and administrative fines were issued under the GDPR in 3 cases.
The Council of Europe issues Guidelines on Artificial Intelligence and Data Protection
25 January 2019
The Consultative Committee of Convention 108 has adopted Guidelines on Artificial Intelligence and Data Protection. The document examines the problems and challenges that AI poses for the use of personal data and the measures that can be taken to develop AI applications that do not violate human rights and fundamental freedoms, and provides practical guidance for policy makers, manufacturers and developers.
EDPB: Privacy Shield, Brexit, Q&A clinical studies, DPIA, certification guidelines, EU and Australia collaboration
24 January 2019
The latest news on the activities of the European Data Protection Board includes the publication of the report on the second annual review of the Privacy Shield (EU-US), the possible consequences of Brexit in the field of data protection, the adoption of an opinion on clinical studies, the adoption of the Guidelines on certification, the start of a collaboration between the EU and Australia on data protection.
France: the CNIL imposes a fine of 50 million euros on Google
21 January 2019
The restricted committee (formation restreinte) of the CNIL, the French supervisory authority, has imposed a fine of 50 million euros on GOOGLE LLC under the General Data Protection Regulation (GDPR) for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.
France: use of user interfaces and consequences on the ability to make informed choices
18 January 2019
The French DPA has published the document "The form of choices" (La forme des choix). The Authority's Digital Innovation Laboratory (LINC) examines how the design of graphical user interfaces shapes users' decisions, identifying good and bad practices from the point of view of website users.
Italy: the Italian DPA verifies the GDPR-conformity of the Codes of Conduct
16 January 2019
The Italian Data Protection Authority has verified the compliance of the Codes of Deontology and Good Conduct for the processing of personal data for historical, statistical and scientific purposes and defensive investigations with the EU Regulation 2016/679 on the protection of personal data.
Europe: study on the use of chip implants for workers
15 January 2019
The European Parliament has published a study on the use of chip implants in the workplace, exploring their possible applications and the legal issues they raise (including the protection of the special categories of data that would be processed), as well as ethical, health and safety questions.
Italy: opening of consultation on the requirements laid down in the general authorisations to processing
11 January 2019
The Italian DPA (Garante) has identified the general authorisations for processing that are compatible with Regulation (EU) 2016/679 and with Legislative Decree 101/2018, which updated the Italian Privacy Code, and has launched a public consultation to collect comments and proposals from interested parties.
France: sanctions for failure to maintain data security
27 December 2018
A penalty of €250,000 has been imposed on a French telecommunications company that failed to comply with its obligation to ensure the security of the personal data of its website's users.
San Marino: Personal Data Protection Act
21 December 2018
On 21 December 2018, the Republic of San Marino issued a Law (171/2018) on the Protection of Individuals with regard to the Processing of Personal Data, which came into force on 5 January 2019. Among the contents, which are evidently based on the GDPR and the Italian Privacy Code, there is also the institution of an Authority responsible for the protection of personal data (Title VI).
UK: personal data protection and Brexit
13 December 2018
The ICO has published guidance on data processing for UK-based companies operating in the European Economic Area in the event that no withdrawal agreement is reached. The guidance matters because, without a withdrawal agreement, the UK would become a third country and transfers of personal data between the United Kingdom and the other Member States would require a transfer mechanism.