Data Protection Weekly 47/2022

Nov 24, 2022

European Union

Digital infrastructure, AI roadmap tangible results of transatlantic cooperation

The US administration and the European Commission will meet in Washington on 5 December, the third meeting in the context of the Trade and Technology Council (TTC), an EU-US initiative launched last year to provide a permanent platform for cooperation. The agenda includes an AI joint roadmap outlining the tools and methodologies for AI risk management as a first practical step to operationalise trustworthy AI. A pilot project on privacy-enhancing technologies has also been identified for launch in the first quarter of 2023; the project objectives have yet to be announced. The full story is here.


Leading MEPs tackle enforcement in AI regulation

This week the European Parliament’s co-rapporteurs circulated a new batch of compromise amendments focused on the enforcement structure of the AI Act. The amendments address areas such as stronger enforcement powers, more stringent post-market monitoring of high-risk AI systems, right of redress, and joint investigations by member state authorities. More detail can be read here.


EDPB: Recommendations 1/2022 on the Application for Approval and the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)

During its November plenary, the EDPB adopted Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules. These recommendations form an update of the existing BCR-C referential, which contains criteria for BCR-C approval, and merge it with the standard application form for BCR-C. You can read more about it here.


EDPS: European Data Protection Supervisor press release and opinion on cyber security

“The cybersecurity of products with digital elements is of utmost importance to protect effectively individuals’ fundamental rights in the digital age, including their rights to privacy and data protection. Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.” – writes Wojciech Wiewiórowski in his Opinion on the proposed Regulation on EU-wide cybersecurity requirements for products with digital elements.

Amongst the recommendations given, the EDPS advises that:

  • data protection by design and default principles are part of the cybersecurity requirements
  • synergies envisaged between relevant bodies and organisations are clarified
  • the cybersecurity certificate does not mean that a particular product with digital elements is compliant with the GDPR.

Please click on the respective publications: Press Release and Opinion.


EU Council mulls broad national security carveouts in IoT cybersecurity law

The Czech presidency of the EU Council has circulated a first compromise text on the proposed Cyber Resilience Act, dated 18 November. The Act is horizontal legislation intended to introduce essential cybersecurity requirements for connected devices and their related services. The presidency added wording saying that the regulation should not prevent member states from imposing national restrictions on products with digital elements based on national security grounds, including by banning them from their markets. You can read more here.


New Interoperable Europe Act to deliver more efficient public services through improved cooperation between national administrations on data exchanges and IT solutions

The European Commission has adopted the Interoperable Europe Act proposal and its accompanying Communication to strengthen cross-border interoperability and cooperation in the public sector across the EU. The Act will support the creation of a network of sovereign and interconnected digital public administrations. It will also accelerate the digital transformation and, by extension, support better public services and trusted data flows between Europe’s public sector and its businesses and citizens. The press release is here.


National Authorities

Germany: Baden-Württemberg’s DPA approves Code of Conduct for Processors: “Requirements for Processors under Article 28 of the GDPR – Trusted Data Processor”

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI) approved a code of conduct for processors.

The code of conduct (CoC) is a self-regulation tool with the aim of creating more clarity and legal certainty for service providers. By making a voluntary commitment to the new CoC, processors make it visible to the outside world that they follow the guidelines set out in the CoC and submit to its monitoring by a monitoring body accredited by the DPA. The monitoring body is the point of contact for complaints and will regularly monitor compliance with the CoC.

Commissioner Dr. Stefan Brink stated, “self-regulation is an excellent way to tailor data processing to the needs of industries – the GDPR provides this possibility, which we are now implementing.” For more details, see press release (in German).


Italy: Italy outlaws facial recognition tech, except to fight crime

The Italian DPA Garante prohibited the use of facial recognition and ‘smart glasses’ as it issued a rebuke to two municipalities experimenting with the technologies. Facial recognition systems using biometric data will not be allowed until a specific law is adopted or at least until the end of next year, the privacy watchdog said. The exception is when such technologies play a role in judicial investigations or in the fight against crime. Reuters article here.


Italy: The Garante investigates online newspaper subscription methods

Italy’s DPA, the Garante, continues its investigation into the legitimacy of online newspaper subscription methods, including the requirement of user consent to web tracking in return for content access. The Garante seeks to assess with Italian publishers “the operating methods of the mechanism in question and the different types of choices available to the user.” Furthermore, the Garante is also looking to validate that legislation on the protection of personal data is being respected “with regard to the correctness and transparency of the treatments and the fundamental requirement of the freedom of consent.” The press release can be found (in Italian) here.


France: France says non to Office 365 and Google Workspace in school

The French Ministry of National Education has urged educational institutions to stop using free versions of Google Workspace and Microsoft Office 365 for schools and students. The Ministry said the offerings are incompatible with the EU’s General Data Protection Regulation (GDPR), the Schrems II judgment of the Court of Justice of the European Union (CJEU) and France’s internal doctrines. See article here.


UK: UK finalises landmark data decision with South Korea to help unlock millions in economic growth

UK organisations will be able to share personal data securely with the Republic of Korea before the end of the year as the UK finalises legislation for its first independent adequacy decision. Read press release here.


UK: International transfers: empowering innovation and growth whilst protecting people’s personal information

The UK’s Information Commissioner’s Office (ICO) has published an update to guidance on international transfers. The update includes a new section on transfer risk assessments (TRAs) and a TRA tool. Read the publication here.



France: DISCORD INC. fined EUR 800,000 for GDPR violations

The French data protection authority (CNIL) fined DISCORD INC. 800,000 euros for failing to comply with several obligations of the GDPR, in particular with regard to the data retention periods and security of personal data. The press release can be found here.


Portugal: CNPD imposes first fine for breach of obligation to appoint a data protection officer 

The Portuguese DPA (CNPD) imposed a fine on and issued two reprimands against Setúbal Municipal Council for infringing several rules in the processing of the personal data of Ukrainian refugees through the Municipal Refugee Helpline. The administrative fine amounted to €170,000, which was imposed for breaching the principle of data integrity and confidentiality, as well as for breaching the obligation to appoint a data protection officer (“DPO”). The press release can be found here.


Romania: Sanctions for violations of the GDPR

The Romanian National Supervisory Authority for Personal Data Processing (‘ANSPDCP’) published, on 16 November, its decision in which it imposed a fine of €28,000 and two warnings on Raiffeisen Bank S.A., for multiple violations of the GDPR following an investigation.

As a result of the investigation carried out, the ANSPDCP found that Raiffeisen Bank had not implemented adequate technical and organisational measures in order to ensure a level of security corresponding to the data processing risk associated with the rights and freedoms of natural persons in violation of the GDPR. In particular, the ANSPDCP found that Raiffeisen Bank had not taken the necessary measures to ensure that any processors acting under its (controller) authority – and having access to its clients’ personal data – only processed personal data when authorised to do so.

Furthermore, the ANSPDCP found that Raiffeisen Bank had violated its own integrity and confidentiality obligations, and had processed its clients’ personal data without adequate security, including protection against unauthorised or illegal processing.

Press Release here: Comunicat_Presa_16_11_2022 (