Data Protection Weekly 45/2022

Nov 11, 2022

  European Union

A quick look at the Commission’s preparation for the Digital Services Act

The European Commission’s ongoing preparations to enforce the Digital Services Act (DSA) include pre-designation talks with the largest platforms, early engagement with the member states and drafting three critical pieces of secondary legislation, according to a presentation seen by EURACTIV.

EU states want to keep hoarding passenger data, despite ECJ ruling

On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”).  However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights. The court said that data processing and retention practices must be limited to what is strictly necessary to fight terrorism and serious crime. Its decision will require Member States to tailor their laws transposing the PNR Directive without the risk of violating fundamental rights. See article here.

EDPS: Effective enforcement in the digital world

The official report and video on the EDPS 2022 Conference on ‘The future of data protection: effective enforcement in the digital world’ which took place on 16 and 17 June 2022 has been released. Please click on the respective publications Report and Video.


National Authorities

Germany: The German supervisory authority reminds companies on the use of new standard contractual clauses

The State Commissioner for Data Protection (LfD) of Lower Saxony points out that shortly before the turn of the year, an important deadline ends for companies and other bodies that transfer personal data to countries outside the European Economic Area or to international organizations. Since 27 September 2021, new standard contractual clauses issued by the European Commission must be used for new contracts. For old contracts concluded before 27 September 2021, the Commission has provided for a transitional period to switch to the new clauses, which is now coming to an end. All old contracts must have been converted by 27 December 2022 at the latest. This can be found here.


Deadline for new standard contractual clauses

To support associations, companies and public bodies, the State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg in Germany has therefore formulated a brief overview of tips for integrating videos into their own websites. The handout is available for download on the homepage of the State Commissioner.


Retrieving the e-prescription via electronic health card (eGK)?

On the 7th of November, the German Federal Commissioner for Data Protection and Freedom of Information (‘BfDI’) issued a statement on the use and processing of e-prescriptions in pharmacies. The BfDI , Prof. Ulrich Kelber, disapproves of the insecure system specifications for the retrieval of e-prescriptions in the pharmacies. The planned interface for the intended service is not secure enough and thus violates the GDPR . Kelber proposes a safer alternative that is functionally equivalent for insured patients, doctors and pharmacists, in which other processes are used in the background.


Advanced spell checker: Browser functionality can transmit personal data to third parties

The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) is aware of specific cases in which cloud-based ‘write support’ functionalities have been activated unnoticed in connection with browser updates. In certain cases, this has resulted in unintentional transmission of personal data to the manufacturer or provider of the browser. Against this background, the HBDI urgently advises organisations in Hesse to check the settings of the browsers they use and make adjustments if necessary. If personal data has already been transmitted to the browser manufacturer without a legal basis, there is a need for further action: Any data breach must be reported by the controller to the competent supervisory authority.


Ireland: Irish DPC files Article 60 draft decision on inquiry into Yahoo

The Irish Data Protection Commission (DPC) has submitted a draft art 60 decision in an inquiry into Yahoo! EMEA Limited to other concerned Supervisory Authorities across the EU in relation to compliance with its GDPR obligations which deal with the processing of personal data, in the context of its products and services across the EU. Read the publication here.

The Netherlands: Dutch foundation launches mass privacy claim against Twitter

A Dutch foundation is planning to take legal action against social media platform Twitter for illegally collecting and trading in personal details gathered via free apps such as weather and dating apps. Read more at


Italy: Italian Supervisory Authority approves Code of Conduct under the GDPR

The Italian DPA, the Garante, has given its green light to the amended Code of Conduct pursuant to Art 40 of the GDPR for consumer credit agencies. The DPA has also accredited the Italian monitoring body (OdM) responsible for protecting consumers accessing credit services.


UK: ICO warns Department for Education after gambling companies benefit from learning records database

The UK ICO has issued a reprimand to the department of Education (DfE) following prolonged misuse of the personal data for up to 28 million children. An ICO investigation found that through poor due diligence by the DfE a database of pupil’s learning records was ultimately used by Trust Systems Software UK, an employment screening firm, to check whether people opening online gambling accounts were 18.



Spain: UPS fined EUR 70,000 for leaving parcel with a neighbour

Spanish DPA fined UPS €70,000 for leaving a parcel with a neighbour of the data subject without their previous consent, thus unlawfully disclosing the recipient’s data to a third person. According to the Spanish DPA, with reference to EDPB’s Guidelines 07/2020, in order to determine the roles of controllers and processors, what must be taken into account is the actual activity of both of them (i.e., the factual elements or circumstances of the case). The AEPD decision (Spanish) can be found here.