Data Protection Weekly 01/2022

Jan 7, 2022

European Union


EDPB publishes guidelines on examples of data breach notifications

The EDPB published, on 3 January 2022, its Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, as adopted on 14 December 2021. These guidelines aim to provide practice-oriented, case-based guidance to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. You can read the guidelines here.  

WhatsApp requests CJEU to annul €225M fine

A summary of an action brought by WhatsApp Ireland Ltd. before the CJEU in Case T-709/21, WhatsApp Ireland v EDPB, was published, on 3 January 2022, in the Official Journal of the European Union. The action appeals the EDPB's dispute resolution decision, following which the Irish DPC issued, on 2 September 2021, a decision fining WhatsApp €225 million. You can read the summary of the action here.

National Authorities

France: CNIL publishes guidance on employees’ right of access

The CNIL published, on 5 January 2022, guidance on the right of employees to access their data and professional emails. The guidance outlines rules relating to the right of access, such as ensuring identity verification, ensuring that the response is free of charge, and ensuring that the right of access does not infringe the rights of third parties. It also contains advice on how employers should respond to an employee who wishes to access or obtain a copy of professional emails. You can read the guidance, only available in French, here.

Germany: Berlin Commissioner publishes FAQs on vaccination certificates

The Berlin Commissioner published, on 26 November 2021, FAQs on vaccination certificates. The FAQs address, among others, the following questions:
  • whether companies and institutions are allowed to scan the QR codes of vaccination certifications;
  • what information is visible when scanning QR codes;
  • where and for how long scanned data is stored.
You can read the FAQs, only available in German, here.  

Fines

France: CNIL fines Google €150M for inadequately facilitating refusal of cookies

The CNIL published, on 6 January 2022, decision No. SAN-2021-023, in which it fined Google LLC and Google Ireland Limited €90 million and €60 million respectively for failing to make it as easy to refuse consent to the use of cookies as it is to accept it on google.fr and youtube.com, in violation of Article 82 of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, following an online audit. You can read the press release here and the decision here, both only available in French.

France: CNIL fines Meta €60M for inadequately facilitating refusal of cookies

The CNIL published, on 6 January 2022, decision No. SAN-2021-024, in which it fined Facebook Ireland Limited €60 million for failing to make it as easy to refuse consent to the use of cookies as it is to accept it on facebook.com, in violation of Article 82 of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, following an online audit. You can read the press release here and the decision here, both only available in French.

Italy: Garante fines physician €30,000 for lack of legal basis

The Garante published, on 25 November 2021, its decision in case No. 411, in which it imposed a fine of €30,000 on a physician for violations of Articles 5(1), 6, and 9 of the GDPR, following a complaint. According to the complaint, the physician had shared with third parties information relating to medical treatments undergone by the complainant, with the aim of obtaining payment from the complainant for invoices relating to health services provided. As a result of the investigation carried out, the Garante considered that, contrary to the physician's claim, the information concerning the fact that the complainant had undergone medical treatment constitutes health data. According to the Garante, none of the conditions set out in Article 9(2) of the GDPR, which would have allowed the physician to overcome the prohibition on the processing of sensitive data, had been met. For the Garante, the personal data processing had been carried out in the absence of a suitable legal basis and in breach of the principles of lawfulness, fairness, and transparency. To determine the amount of the fine, the Garante took into account the fact that the violation was intentional and likely to affect the reputation of the complainant. You can read the decision, only available in Italian, here.