Data Protection Weekly 14/2022

Apr 8, 2022

European Union

EDPB releases statement on EU-US data flows political agreement

The EDPB published, on 6 April 2022, a statement welcoming the agreement in principle on the Trans-Atlantic Data Privacy Framework between the EU and the U.S.

For EDPB Chair Andrea Jelinek, the proposed data flows framework and the commitment of the highest U.S. authorities to establish unprecedented measures are a positive first step.

However, the EDPB will conduct a review of the agreement to ensure legal certainty and examine how the agreement translates into concrete legal proposals to address the concerns raised by the CJEU.

You can read the statement here.

Parliament adopts DGA

The European Parliament adopted, on 6 April 2022, the proposal for the Data Governance Act.

The Parliament outlined that the DGA aims to build trust in data sharing, making it safer and easier, as well as ensuring it is in line with data protection legislation through a range of tools, from technical solutions such as anonymisation and pooling of data, to legally binding agreements by the reusers.

Lastly, the DGA must now be adopted by the EU Council before it becomes law.

You can read the press release here and the adopted text here.


National Authorities

Latvia: DSI publishes cookie guidance and a model cookie policy

The Latvian data protection authority published, on 16 March 2022, guidelines for using cookies on websites and a model cookie policy.

You can read the guidelines here and download the model cookie policy here, both only available in Latvian.


France: CNIL publishes GDPR compliance guide and self-assessment tool for AI systems

The CNIL announced, on 5 April 2022, that it had published a set of dedicated resources on artificial intelligence.

The published content is directed at three distinct audiences:

  • The general public;
  • Data controllers and processors;
  • and AI specialists.

Notably, the CNIL published a guide on the main principles on data processing, data files and individual liberties and the GDPR, to be followed in the implementation of personal data processing based on AI systems.

The CNIL also published a self-assessment guide for AI systems. It offers an analysis grid to allow organisations to assess for themselves the maturity of their AI systems with regard to the GDPR.

You can read the press release here, the guide on AI and GDPR compliance here, and the self-assessment tool here, all only available in French.



Ireland: DPC fines Bank of Ireland €463,000 following a data breach

The DPC announced, on 5 April 2022, that it had published its decision in which it imposed a fine of €463,000 and issued a reprimand to Bank of Ireland Group plc, for violations of Articles 32, 33, and 34 of the GDPR, following the receipt of an inquiry relating to a data breach by the Bank of Ireland.

The inquiry commenced in respect of 22 personal data breach notifications that the Bank of Ireland made to the DPC between 9 November 2018 and 27 June 2019.

The incidents included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.

For the DPC, 19 of the incidents reported met the definition of a personal data breach under the GDPR.

During its investigation, the DPC found that:

  • Article 33(1) of the GDPR was infringed by the Bank of Ireland’s failure to report the personal data breach without undue delay.
  • Article 33(3) of the GDPR was infringed by the Bank of Ireland for failure to provide sufficient detail to the DPC in respect of some personal data breaches.
  • Article 34 of the GDPR was infringed by the Bank of Ireland for failure to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to the data subjects’ rights and freedoms.
  • Article 32 of the GDPR was infringed by the Bank of Ireland for failure to implement appropriate technical and organisational measures to ensure an appropriate level of security.

As a consequence, the DPC imposed an administrative fine of €463,000 on the Bank of Ireland in respect of the infringement of Articles 32(1), 33(1), 33(3), and 34 of the GDPR.

You can read the decision here.