Data Protection Weekly 16/2022

Apr 22, 2022

European Union

Digital Services Act 

The final text is expected to be presented to the Council of the European Union’s competition working party on 28 April.

European Parliament announces the creation of an inquiry committee to investigate the Pegasus spyware

The European Parliament announced the inaugural meeting of an inquiry committee dedicated to investigating the potential use of the Pegasus spyware against, and by, EU member states.

You can read a press article on this matter here.

EDPS publishes its Annual Report 2021

The EDPS published its Annual Report 2021 on 20 April 2022. The report highlights the EDPS’ achievements regarding the compliance of European Union institutions with the data protection framework. The report also underscores the EDPS’ increasing role in advocating for respect of privacy and data protection in EU legislation.

In 2021, the EDPS increased the use of its corrective powers. Among the enforcement actions taken by the EDPS that year, particular significance is attributed to the decision ordering Europol to delete datasets with no established link to criminal activity, which the EDPS places in the context of respecting the rule of law and upholding a mature system of checks and balances.

With 88 Opinions, including Formal Comments, issued in 2021, compared to 27 in 2020, the EDPS addressed a record number of legislative consultations.

In the spirit of joint responsibility for the success of the GDPR, the EDPS also continued its active participation in the EDPB’s work, by proposing or partaking in a variety of initiatives.

You can read the report here.


Fines

France: CNIL fines Dedalus Biologie €1.5m for massive health data leak caused by organisational and technical security failures

The CNIL published on 21 April 2022 its decision imposing a fine of €1.5 million on Dedalus Biologie for violations of Articles 28, 29 and 32 of the GDPR that led to the leak of the medical data of nearly 500,000 people.

On 23 February 2021, the press revealed a massive leak of data relating to almost 500,000 people, processed by the company Dedalus Biologie.

This data included, among other things:

  • first and last name;
  • social security number;
  • the name of the prescribing doctor;
  • the date of the examination;
  • medical information (HIV, cancer, genetic diseases, pregnancy, etc.).

Following these revelations, the CNIL carried out inspections of Dedalus Biologie and referred the matter to the Paris judicial court in order to block access to the site on which the leaked data had been published.

During its investigation, the CNIL found several breaches of the obligations set out in the GDPR, in particular the obligation to ensure the security of the personal data processed.

The breaches identified by the CNIL are as follows:

  1. Failure to comply with the obligation for the processor to respect the instructions of the data controllers (Article 29):

During a migration from one software product to another, requested by two laboratories using Dedalus’ services, Dedalus extracted a larger volume of data than was required. In doing so, it processed personal data beyond the instructions given by the controllers.

  2. Failure to ensure the security of personal data (Article 32):

The CNIL found numerous technical and organisational failures in the migration from one software product to another, including:

  • lack of a specific procedure for data migration operations;
  • lack of encryption of the personal data stored on the server concerned;
  • absence of automatic deletion of the data once migrated to the other software;
  • absence of any authentication requirement for access from the internet to the public area of the server;
  • use of user accounts shared between several employees on the private area of the server;
  • lack of a monitoring procedure and of escalation of security alerts raised on the server.

These failures were the direct cause of the data breach.

  3. Failure to comply with the obligation to provide a formal legal framework for the processing operations carried out on behalf of the controller (Article 28):

The general terms and conditions of sale of Dedalus Biologie and its maintenance contracts, as transmitted to the CNIL, did not contain the clauses required by Article 28(3) of the GDPR.

You can read the press release here and the decision here (the latter is only available in French).


Hungary: NAIH fines bank €665,000 for GDPR breaches when using AI to assess customers’ emotional state

The Hungarian Data Protection Authority (NAIH) has fined a bank €665,000 for breaches of the GDPR, following the use of AI technology to assess the emotional state of its customers.

The bank automatically recorded customer calls and then, by automated means, assessed each customer’s level of satisfaction. This assessment was used to rank customers and suggest which of them should be called back first. The bank argued that the purposes of the processing were quality control and improving customer satisfaction.

However, the Hungarian authority noted that the bank’s privacy policy made no mention of this voice evaluation.

The bank had based its processing on legitimate interest, but in the view of the Hungarian data protection authority the bank had not assessed the proportionality of the processing and had understated the risks to the fundamental rights of the data subjects.

For the Hungarian Data Protection Authority, legitimate interest is not a valid legal basis for this type of processing; it considers that only the prior consent of the data subject can justify it.

The Hungarian data protection authority also found shortcomings in relation to the obligation to carry out a data protection impact assessment: the bank had identified high risks but had not put in place any significant measures to mitigate them.