Data Protection Weekly 13/2022

Apr 1, 2022

European Union

European Commission publishes factsheet on new transatlantic data transfer framework

The European Commission released, on 25 March 2022, statement and factsheet on the ‘agreement in principle’ for a new transatlantic data transfer framework.

NOYB issued, on 25 March 2022, a statement following the announcement. In its statement, NOYB noted that it expects the development of a legal text to take a couple of months to be drafted, with lawyers involved in the negotiations still needing to find fully functioning solutions to the issues raised by the Schrems II Case.

According to Max Schrems ,”The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the CJEU will decide a third time. We expect this to be back at the CJEU within months from a final decision.”

You can read the European Commission press release here and factsheet here, the NOYB statement here.


National Authorities

Germany: TLfDI publishes paper on the GDPR compliance of Facebook fan pages

The Thuringian data protection authority  published, on 25 March 2022, a short report on the compliance of Facebook fan pages with data protection law.

The short paper assesses Facebook fan pages’ compliance with the GDPR and the TTDSG, reaching the conclusion that:

  • there is no effective legal basis for the storage of information in the end-user’s terminal equipment triggered by a visit to a fan page ;
  • the information obligations under Article 13 of the GDPR are not met.

You can read the short report here, only available in German.



Sweden: IMY fines Klarna €725 513 for lack of transparency

The Swedish Authority for Privacy Protection published, on 29 March 2022, its decision in DI-2019-4062, as issued on 28 March 2022, in which it ordered a fine of SEK 7.5 million (approx. €725,513) to Klarna Bank AB, for violations of Articles 5(1)(a), 5(2), 12(1), 13(1), 13(2), and 14(2)(g) of the GDPR following an audit.

During an audit, the IMY had examined how Klarma inform users on its websites about how it processes personal data in accordance with the GDPR. According to the Swedish autority for Privacy Protection, Klarna had continuously changed during the audit, the information it provided on how the company handles personal data.

As a result of the audit, the IMY stated that Klarna :

  • did not provide information on the purpose and legal basis for which personal data was processed in one of its services.
  • provided incomplete and misleading information about who the recipients were of different categories of personal data when data was shared with Swedish and foreign credit information companies.
  • did not provide information regarding to which countries outside the EU or EEA personal data was transferred, or on where and how the individual could obtain information about the safeguards that applied to the transfer to third countries.
  • provided insufficient information about data subjects’ rights, including the right to delete data, the right to data portability, and the right to object to the processing of one’s personal data.

As a result, the IMY imposed a fine of SEK 7.5 million (approx. €725,513) against Klarna for the GDPR violations discovered during the audit.

You can read the press release, only available in Swedish, here.


Romania: ANSPDCP fines Condor €2,000 for inappropriate technical and organisational  security measures

The ANSPDCP announced, on 28 March 2022, its decision in which it had imposed a fine of €2,000 on Condor SA for a violation of Article 32 of the GDPR, following an investigation initiated in response to a complaint.

The investigation was carried out in March 2022, following a complaint by an individual alleging that Condor had disclosed personal data of employees and former employees to unauthorised persons.

During the course of its investigation, the ANSPDCP found that there was unauthorised access to data which included information relating to employees and former employees. The ANSPDCP also noted that Condor did not present evidence  regarding the adoption od-f sufficient appropriate technical and organisational measures to ensure the confidentiality of the personal data relating to employees or former employees.

As a consequence, the ANSPDCP imposed a fine of €2,000 on Condor for the violation of Article 32 of the GDPR.

You can read the press release, only available in Romanian, here.