Data Protection Weekly 09/2022

Mar 4, 2022

European Union


LIBE Committee holds public hearing on GDPR implementation and enforcement

The LIBE Committee of the European Parliament announced, on 2 March 2022, that it will hold a public hearing on the implementation and enforcement of the GDPR on 17 March 2022, following the European Parliament’s resolution calling for an improvement in these areas in March 2021.

This hearing will aim at taking stock of the implementation and enforcement of the GDPR, the challenges faced by the stakeholders and possible ways of improvement. It will consist of three panels :

  • Panel 1 – Exercising data subjects’rights ;
  • Panel 2 – Focus on the enforcement scheme ;
  • Panel 3 – Big cases and cross-border challenges.

You can read the press release here and the draft programme here.


A new EU-US data transfer agreement, this spring?

According to the website Legal360, U.S. and European Union negotiators are close to finalizing a new transatlantic data transfer agreement in order to simplify the exchange of personal data between the two regions. It could be announced as early as this spring.

You can read the article, here.

Noyb launch its second round of action against deceptive cookie banners

You can read the press release here.


National Authorities

Germany: DSK publishes updated guidance on direct marketing

The DSK published, on 18 February 2022, a revised guidance on the processing of personal data for direct marketing purposes under the GDPR. It supplements, information obligations and the conditions for consent.

You can read the guidance, only available in German, here.


Liechtenstein: DSS addresses use of Google Analytics

The Liechtensteiner data protection authority issued, on 3 March 2022, a statement addressing the use of Google Analytics.

In its 2020 activity report, the DSS had already highlighted the data protection issues that arise with the use of Google Analytics. Since the Schrems II case, the Liechtensteiner data protection authority does not find any legal basis to justify the transfer of personal data to the US associated with the use of Google Analytics, despite the possible anonymisation of IP adresses, a feature in Google Analytics that can be implemented by website operators.

The DSS also noted that NOYB filed complaints with the DSS against three Liechtenstein companies and institutions, which were withdrawn after the quick cessation of use of Google Analytics by the companies concerned.

The DSS call on affected entities to design their websites in compliance with data protection rules and to use alternative, data protection-compliant solutions instead of Google Analytics.

You can read the press release, only available in German, here.


The Netherlands: AP investigates on effective online transparency

The AP announced, on 2 March 2022, that in the context of the Collaborative Platform for Digital Supervisors (SDT), it have started an investigation into how companies, institutions, and governments can inform internet users in a way that is understood by everyone.

The AP and the supervisors of the SDT will publish manuals dedicated to effective online transparency.

You can read the press release, only available in Dutch, here.



Poland: UODO fines Fortum Marketing over PLN 4.9M (€1M) for failure to implement technical and organisational security measures

The UODO published, on 28 February 2022, its decision in DKN.5130.2215.2020 in which it fined Fortum Marketing and Sales Polska S.A. PLN 4,9 (approx. €1M), for violations of Articles 5(1)(f), 24(1), 25(1), 28(1) and 32 of the GDPR, following an investigation into a data breach.

This investigation concerned the copying of a customer database by unthautorised third parties. For the UODO, the data breach happened when changes were introduced in the ICT environment by Fortum’s data processor, as the server lacked appropriate configuration to ensure the security of data transmission from the new server to other ICT elements used to process personal data.

Based on its investigation, UODO found the following violations of the GDPR :

  • According to the UODO, Fortum violated article 25(1) of the GDPR as it did not carry out audits, inspections, to verify that its processor fulfilled its obligations under the GDPR.
  • According to the UODO, the technical and organisational measures applied by Fortum, met the requirements specified in Article 32 of the GDPR to a limited extent as Fortum did not adhere to its own practice of implementing changes in its IT environment based on internal regulations.

As a result, the UODO imposed a fine of PLN 4,9 (approx. €1M) on Fortum.

You can read the decision, only available in Polish, here.