Data Protection Weekly 3/2022

Jan 21, 2022

European Union


EDPB publishes study on appropriate safeguards under Article 89(1) GDPR for scientific research processing

The EDPB published, on 7 September 2021, a legal study on the appropriate safeguards under Article 89(1) of the GDPR for the processing of personal data for scientific research purposes.

You can read the study here.

Parliament adopts DSA

The European Parliament announced, on 20 January 2022, that it had adopted an agreed text for the proposal for the DSA, having introduced several amendments to the European Commission’s proposal.

The Parliament has introduced amendments to the DSA regarding, among others, the scope of application, targeted advertising, the prohibition of targeting minors and vulnerable groups for displaying ads, and the prohibition of nudging techniques (dark patterns).

The Parliament is now set to enter into negotiations with the Council of the EU.

You can read the press release here.

EDPS publishes Opinion on proposal for a Regulation on transparency and targeting of political advertising

The EDPS announced, on 20 January 2022, that it had published its Opinion on a proposal for a Regulation on the transparency and targeting of political advertising.

You can read the opinion here.

EDPB adopts Guidelines on Right of Access

According to the press release published on 19 January 2022, the EDPB adopted guidelines on the right of access during its January plenary session.

The Guidelines will be subject to public consultation for a period of 6 weeks.

You can read the press release here.


Portugal: CNPD fines Municipality of Lisbon €1.25M for unlawful processing of personal data of protestors

The CNPD published, on 14 December 2021, its decision in case No. 2021/569, in which it imposed a fine of €1.25 million on the Municipality of Lisbon for violations of Articles 5(1)(a), (c), and (e), 6, 9(1), 13, and 35 of the GDPR, following processing of protestors’ sensitive personal data.

The Municipality of Lisbon had collected the personal data of protestors, including sensitive personal data, and shared such data with third parties.

According to the CNPD, by sending notices of protest demonstrations, containing the personal data of protestors, to third-party entities, the Municipality had processed sensitive personal data without a legal basis.

The CNPD also found that the Municipality had undertaken the processing without informing the data subjects, without defining a retention policy for their personal data, and without having carried out a DPIA, which is mandatory in this situation.

The €1.25 million fine is the sum of 225 fines for the different violations that the Municipality’s conduct had amounted to since 2018.

For the CNPD, the duration of the violations and the number of data subjects affected are factors that aggravate the fines as they reveal a persistent lack of commitment to the legal obligations that the Municipality was supposed to fulfil.

You can read the press release here, only available in Portuguese.

Italy: Garante fines Enel Energia €26.5M for multiple data protection violations and aggressive telemarketing

The Garante published, on 19 January 2022, its decision in case No. 443, as issued on 16 December 2021, in which it imposed a fine of €26,513,977 on Enel Energia S.p.A, for violations of Articles 5(1)(a), 5(1)(d), 5(2), 6(1), 12, 13, 21, 24, 25(1), 30, and 31 of the GDPR, following numerous complaints submitted by individuals.

In particular, the Garante reported that it had received numerous complaints regarding:

  • unsolicited marketing and promotional calls;
  • late or non-response to requests for the exercise of the right of access to personal data or opposition to processing for marketing purposes;
  • and various problems deriving from the processing of personal data in the context of energy supply services, including the activities carried out through the company website and app.

Based on its investigation, the Garante found the following violations of the GDPR:

  1. Lack of cooperation with the supervisory authority: Enel Energia did not provide any response to the Garante’s repeated requests for additional information and clarifications, thus violating Article 31 of the GDPR.
  2. Accountability principle & Privacy by design: Enel Energia was unable to prove its compliance with the GDPR in relation to unwanted promotional calls carried out by its processors. The company also failed to bind its processors to adopt appropriate technical and organizational safety measures, which resulted in a breach of its responsibilities as the data controller.
  3. Accuracy principle and lawfulness of processing: The company violated the principle of accuracy by erroneously associating personal data with different users, which led to undue communication of personal data without a legitimate basis.
  4. Transparency principle: Enel Energia violated the transparency principle by not providing timely and necessary feedback on users’ requests to exercise their right of access and right to object. For the Garante, Enel Energia also violated the transparency principle by presenting to its users two conflicting statements regarding the identity of the data controller and by failing to provide data subjects with the information necessary to identify the recipients of their personal data.
  5. Violation of the right to object: Enel Energia violated Article 21 of the GDPR by sending promotional communications by e-mail, despite the opposition of the user and the lack of consent for the communication of marketing and promotional messages.

In consideration of the above, the Garante imposed a fine of €26,513,977 on Enel Energia. To determine this amount, the Garante took into consideration the following aggravating factors: the seriousness of the violations, their duration and repeated nature, and the number of data subjects involved.

You can read the decision here, only available in Italian.