Data Protection Weekly 5/2022

Feb 4, 2022

European Union

EDPB adopts opinion on certification criteria

You can read the press release here.


National Authorities

France: CNIL publishes standards on management of commercial activities and unpaid debts

The CNIL announced, on 3 February 2022, that it had adopted two new standards on commercial management activities and the management of unpaid debts, following a public consultation. It also published FAQs on both standards.

You can read the standard on commercial management activities here, the standard on the management of unpaid debts here, and the FAQs here, all only available in French.

Fines

Spain: AEPD fines Vodafone €3.94M for lack of accountability and inappropriate security measures

The AEPD published, on 1 February 2022, its decision in which it imposed a fine of €3.94 million on Vodafone España, S.A.U., for violation of Articles 5(1)(f) and 5(2) of the GDPR for not implementing appropriate security measures to prevent fraudulent replication of SIM cards, and for not being able to prove that Vodafone had implemented such measures.

Nine customers lodged complaints with the AEPD against Vodafone after being victims of fraud, due to the deceitful use of their SIM cards.

According to the AEPD, fraudsters obtained a replica of the data subjects’ SIM cards through Vodafone, and carried out various bank transfers and concluded contracts at the expense of those affected.

Following its investigations, the AEPD found that Vodafone had not properly checked the identity of the fraudsters before issuing the SIM cards.

Vodafone was unable to prove that they had verified the identity of the requester of the replication.

For the AEPD, Vodafone’s security measures were insufficient, as any person who had the basic personal data of a data subject could obtain a replica of the data subject’s SIM card, without any supplementary requirements.

Based on its investigation, AEPD found the following violations of the GDPR:

  • Integrity and confidentiality: according to the AEPD, Vodafone violated Article 5(1)(f) of the GDPR as it did not act with enough diligence to prevent its security measures against identity theft from being circumvented. Vodafone should have known the risk, as the measures in place were clearly insufficient and inadequate.
  • Accountability principle and privacy by design: Vodafone breached Article 5(2) of the GDPR for a lack of proper analysis, implementation, and updating of its security measures.

As a result, the AEPD imposed a fine of €3.94 million on Vodafone for violation of Articles 5(1)(f) and 5(2) of the GDPR. To determine this amount, the AEPD took into consideration the following aggravating factors: the seriousness of the violations, their duration and repeated nature, and the number of data subjects involved.

You can read the decision, only available in Spanish, here.


Spain: AEPD fines Orange Espagne €700,000 for failing to implement appropriate security measures to ensure the confidentiality of personal data

The AEPD published, on 2 February 2022, its decision in which it imposed a fine of €700,000 on Orange Espagne S.A.U., for violations of Article 5(1)(f) of the GDPR, following its failure to implement appropriate security measures to ensure the integrity and confidentiality of personal data.

Two customers lodged complaints with the AEPD against Orange Espagne after being victims of fraud, due to the deceitful use of their SIM cards.

Following its investigations, the AEPD found that the security measures implemented by Orange Espagne were insufficient because they enabled the personal data to be transferred to the fraudulent third party.

For the AEPD, Orange Espagne had not properly checked the identity of the fraudulent applicants before issuing the SIM cards, and therefore violated the principles of integrity and confidentiality under Article 5(1)(f) of the GDPR.

As a result, the AEPD imposed a fine of €700,000 on Orange Espagne.

You can read the decision, only available in Spanish, here.


Belgium: DPA imposes €250,000 fine on IAB Europe for TCF violations of GDPR

The Belgian DPA published, on 2 February 2021, its decision in which it imposed a fine of €250,000 on IAB Europe pursuant to Article 101 of the LCA and further ordered IAB Europe to comply with Articles 5(1)(a), 5(1)(f), 6, 12, 14, 24, 25, 30, 32, 25, 37, 38, and 39 of the GDPR, following an investigation into the TCF.

Since 2019, the Belgian DPA had received a series of complaints targeting IAB Europe and challenging the conformity of the IAB TCF with the GDPR.

Following an investigation, the Belgian DPA determined that IAB Europe acts as a data controller for the Transparency and Consent Framework.

For the Belgian DPA, IAB Europe had:

  • failed to appoint a data protection officer and to conduct a DPIA;
  • provided only generic information to users through the consent management platform interface;
  • failed to keep a register of processing activities;
  • failed to implement organisational and technical measures (breach of the data protection by design and data protection by default principles);
  • failed to establish a legal basis for the processing of the TC String, and offered inadequate legal grounds for the subsequent processing by adtech vendors.

As a result, the Belgian DPA imposed a fine of €250,000 on IAB Europe together with a compliance order: IAB Europe must present an action plan to bring its activities into compliance within two months and complete compliance within a maximum period of six months.

You can read the Belgian DPA’s press release here, the decision here,