Data Protection Weekly 51/2021

Dec 31, 2021

National Authorities

UK: ICO launches consultation on its regulatory responsibilities and powers

The ICO announced, on 20 December 2021, that it had launched a public consultation to gather views on its approach to exercising its regulatory responsibilities.

You can read the press release here, the statutory guidance on the ICO's regulatory action here, and the Statutory Guidance on PECR powers here.



Luxembourg: CNPD fines public body €1,000 for unlawful processing of sensitive data

The CNPD published, on 26 November 2021, its decision in Case No. 34FR/2021, in which it imposed a fine of €1,000 on an unnamed public body for violations of Article 15(2) of the Act of 1 August 2018 on the Protection of Individuals with regard to the Processing of Personal Data in Criminal and National Security Matters, following a complaint.

On 26 September 2018, the claimant exercised their right of access to their personal data processed by the public body and their right to erasure based on Article 15 of the Act.

Via a letter dated 10 December 2018, the public body confirmed the deletion of certain personal data, but refused to delete other data, claiming that their retention period had not expired.

The CNPD noted that the allegedly deleted files were found in a ‘trash’ folder.

According to the CNPD, the contents of the ‘trash’ folder were never erased.

Therefore, many documents were still stored, thus violating Article 15(2) of the Act by not allowing the data subject to retain control over their sensitive data.

In order to decide whether to impose an administrative fine for the breach of Article 15(2) of the Act, the CNPD considered the nature of the violation as particularly serious (as it relates to the processing of personal data in criminal matters and national security).

You can read the decision, only available in French, here.


France: CNIL fines SlimPay €130,000 following data breach

The CNIL published, on 30 December 2021, its decision No. 2021-020 to fine SlimPay SA €130,000 for violations of Articles 28(3), 32 and 34 of the GDPR, following a data breach.

SlimPay had, in 2015, carried out an internal research project, during which it used the personal data contained in its databases.

When the research project ended in July 2016, the data remained stored on a server without appropriate security measures and was freely accessible on the internet.

According to the CNIL, it was not until February 2020 that SlimPay became aware of the data breach, which affected approximately 12 million people.

For the CNIL, SlimPay had failed to implement security measures to protect the personal data, which included civil status data (last name, first name), postal and electronic addresses, telephone numbers, and banking information of more than 12 million people, thus violating Article 32 of the GDPR.

The CNIL also found that some of the contracts the company had concluded with subcontractors did not contain all the clauses required to ensure that those subcontractors undertake to process personal data in accordance with the GDPR.

Some of the contracts did not even contain any of the required clauses, in violation of Article 28(3) of the GDPR.

Given the nature of the personal data (including banking information), the volume of persons concerned (more than 12 million), the possibility of identifying the persons affected by the violation from the data accessible, and the possible consequences for the persons concerned, SlimPay should have informed all affected data subjects, which it had failed to do, in violation of Article 34 of the GDPR.

You can read the decision, only available in French, here.