Data Protection Weekly 25/2022

Jun 24, 2022

European Union

CJEU ruling - Case C-534/20: German provisions governing the termination of a DPO’s employment are compatible with EU law, but subject to restrictions

In its judgment of 22 June 2022 (Case C-534/20), the CJEU ruled on whether the GDPR permits the application of the German provisions governing the dismissal of a DPO under the Federal Data Protection Act (BDSG).

According to the CJEU, the German provisions under which the employment of a DPO can only be terminated for good cause, even if the termination is not related to the performance of his duties, are in principle not contrary to EU law.

However, the interpretation of the German regulation must not jeopardise the achievement of the objectives of the GDPR, i.e. the DPO must continue to be sufficiently competent for his activities.

Termination must be possible even if the strict requirements of the employee-friendly application of the German Employment Protection Act are not met.

You can read the ruling here.

National Authorities

France: CNIL publishes data-sharing guidance for charities

On 20 June 2022, the CNIL published guidelines on the sharing of personal information between charitable associations and foundations under the GDPR.

You can read the guidelines (only available in French) here.

Fines

Italy: Garante orders stop on Google Analytics transfers

On 23 May 2022, the Garante published a decision concerning the use of Google Analytics, following a complaint. According to the Garante, the use of Analytics on a website operated by an Italian company, which involved a transfer of personal data to Google LLC in the US, was in breach of Art. 44 GDPR, as neither the SCCs nor the supplementary measures implemented provided an adequate level of protection.

Key facts:

  • The Italian company used the free version of Analytics and had not implemented the IP-Anonymization feature;
  • The website users' personal data (including IP address) were transferred to Google LLC in the US (as data importer) and to further sub-processors in third countries;
  • In its defence, the company cited its limited power to negotiate with the provider regarding the security measures and data transfers;
  • The company was using an automatic online service for the management of its privacy and cookie policy.

Garante findings:

  • The data transfer is unlawful as it lacks adequate safeguard measures (breach of Art. 44/46 of the GDPR);
  • The data exporter shall evaluate the legal background and practices in the third countries involved in the transfer; such assessment shall not be based solely on subjective elements;
  • Encryption is not sufficient if the data importer holds the decryption keys;
  • The automatically generated privacy policy did not meet the minimum information requirements on data transfers.

Garante decision:

The Garante did not impose a fine on the company, and noted its lack of contractual power.
However, it ordered the suspension of the transfer should the company fail to implement adequate safeguards within 3 months.

You can read the decision (only available in Italian) here.