Privacy News 18/12/2020

Dec 21, 2020

European Union

EDPB adopts 2021-2023 strategy, guidelines on GDPR, PSD2, and restriction of data subject rights in 43rd plenary session

The EDPB announced, on 16 December 2020, the outcome of its 43rd plenary session. In particular, the EDPB highlighted that, among other things, it adopted its strategy for 2021-2023 setting out the EDPB’s strategic objectives, issued a statement on the end of the Brexit transition period alongside an information note on data transfers under the GDPR post-Brexit, and adopted guidelines on restrictions of data subject rights under Article 23 of the GDPR and the final version of its guidelines on the interplay between the GDPR and the Payment Services Directive 2015/2366.

More specifically, in relation to the restrictions of data subject rights, the EDPB highlighted that any restriction needs to respect the nature of the right being restricted and that any extensive restrictions that significantly undermine the fundamental rights to protection of personal data cannot be justified. In addition, the EDPB noted that these guidelines on restrictions of data subject rights will be subject to public consultation for eight weeks.

You can read the announcement here, the statement related to Brexit here, and the guidelines on restrictions under Article 23 GDPR here.

The guidelines on the interplay between GDPR and the Second Payment Directive are available here.

National Authorities

DPC releases guidance on post-Brexit data transfers

The DPC published, on 14 December 2020, guidance on transfers of personal data from Ireland to the UK from 31 December 2020 (end of the transition period of the UK’s exit from the European Union).

The guidance outlines examples of ways in which Irish companies might be transferring data to a UK-based company (HR, IT, payroll function, marketing), as well as when they are storing data in the UK on a server or in the cloud.

The UK will, after the end of the transition period and in the absence of an adequacy decision, become a third country, meaning that Irish companies intending to transfer data to the UK will need to put in place specific safeguards to protect the data, such as using Standard Contractual Clauses (SCCs).

You can read the guidance here.


Garante publishes guidance on right of access

The Garante announced, on 17 December 2020, that it had published guidance on the right of access. This guidance is part of a series of informative resources that address the issue of the right of access in simple language and is part of a broader project, which aims to offer tools to easily understand what rights are afforded to individuals in the field of personal data protection.

You can read the press release here and the guidance here, both only available in Italian.



DPC fines Twitter €450,000 for breach notification and documentation failures

The Data Protection Commission announced, on 15 December 2020, its decision to fine Twitter International Company (TIC) €450,000, after completing its investigation into a data breach, commenced in January 2019.

The decision finds that Twitter failed to meet its obligations under Articles 33(1) and 33(5) of the GDPR, namely to notify the relevant supervisory authority of the personal data breach, as well as to document the personal data breach.

In relation to TIC’s compliance with Article 33(1) of the GDPR, the DPC considered whether TIC, as a data controller, was aware of the data breach, as distinct from Twitter Inc., with which it had an agreement in place to provide data processing services.

For the DPC, Twitter Inc.’s failure to notify TIC about the breach did not obviate TIC’s legal obligation to notify in accordance with the timeframe under Article 33(1) of the GDPR.

It is the data controller’s responsibility to ensure that it has internal systems and procedures in place, including with external parties such as processors, to facilitate awareness and the timely notification of data breaches.

The DPC highlighted, among other things, that the incident report submitted by TIC, which was identified by TIC as being the primary record in which it documented the facts, effects, and remedial action taken in respect of the breach, was deficient in terms of verifying TIC’s compliance with its obligation as controller under Article 33(1) of the GDPR and the obligation on Twitter Inc. as processor under Article 33(2) of the GDPR to notify the breach.

Based on the issues identified, the DPC issued a fine of €450,000.

You can read the press release here and the decision here.


AEPD fines BBVA €5M for GDPR information and consent failures

The AEPD issued, on 11 December 2020, a resolution in proceedings PS/00070/2019, fining Banco Bilbao Vizcaya Argentaria, SA €5 million for a violation of Articles 6 and 13 of the GDPR.

BBVA used imprecise terminology to define the privacy policy, and provided insufficient information about the category of personal data processed.

BBVA failed to obtain consent before sending promotional SMS to a customer and did not have in place a mechanism for consent to be obtained from customers.

You can read the resolution, in Spanish, here.


AEPD fines Mutua Madrileña Automovilista Sociedad de Seguros €20,000 for a violation of Article 6(1) of LOPDGDD

The AEPD issued, on 14 December 2020, a resolution in proceedings PS/00586/2017, fining Mutua Madrileña Automovilista Sociedad de Seguros €20,000 for a violation of Article 6(1) of the LOPDGDD.

Mutua Madrileña processed the data without gaining valid consent from the complainant while allowing a third party to fraudulently purchase vehicle insurance on their behalf.

You can read the decision, in Spanish, here.


AEPD fines Borjamotor €6,400 for violations of the GDPR and LSSI

The AEPD issued, on 11 December 2020, a resolution in proceedings PS/00332/2020, fining Borjamotor, SA €6,400 for violations of Article 7 of the GDPR and Article 2 of the LSSI.

Borjamotor violated Article 7 of the GDPR by processing personal data for purposes other than those for which the data was originally collected.

Borjamotor violated Article 21 of the LSSI by sending direct marketing without the consent of the data subject.

You can read the resolution, in Spanish, here.


UODO fines Virgin PLN 1.9M for lack of appropriate technical and organisational measures

The UODO announced, on 14 December 2020, its decision to fine Virgin Mobile Polska PLN 1.9 million (approx. €427,000), following an inspection carried out at the company, for the lack of appropriate technical and organisational measures, which resulted in the violation of the principles of confidentiality and accountability as contained in the GDPR.

Virgin carried out a verification of the appropriate parameters, after which data would be exchanged between applications in the IT system, but this verification had not been tested prior to its implementation. As a result, the vulnerability was exploited by an unauthorised person to obtain data, and it was only after the incident that appropriate actions were taken to repair the functionality in the company’s IT system.

You can read the press release here and the decision here, both only available in Polish.


ANSPDCP fines Banca Transilvania RON 487,380 for inadequate security measures

The ANSPDCP announced, on 17 December 2020, its decision to fine Banca Transilvania SA RON 487,380 (approx. €100,000) as a result of violations of Article 5(1)(f) and Article 32 of the GDPR.

The ANSPDCP highlighted that, further to complaints regarding the breach of confidentiality and failure to secure data, it investigated the company, and found that a listed document containing a client’s statement, as well as an email containing the internal conversation between the company’s employees, was posted on Facebook.

For the ANSPDCP, the circulation of this listed document led to the unauthorised disclosure of personal data of individuals due to the fact that the company had failed to take adequate technical and organisational security measures.

You can read the announcement, only available in Romanian, here.


CNIL issues fines against two doctors for insufficient protection of patient data

The CNIL announced, on 17 December 2020, that it had issued, on 7 December 2020, two fines totalling €9,000 against two doctors for insufficient protection of patient data and failure to notify the CNIL of a data breach under Articles 32 and 33 of the GDPR.

Following an online audit conducted in September 2019, the CNIL had discovered that thousands of medical images stored on the servers belonging to two doctors were publicly available on the internet, which the doctors later attributed to, among other things, the settings on their medical image capturing device and the lack of encryption.

The CNIL considered that it was not necessary to publish the names of the doctors, but aimed to inform medical professionals of their responsibilities and the need to ensure vigilance regarding the security of personal data which they process.

You can read the decisions here and here, both only available in French.