Data Protection Weekly 7/2022

Feb 18, 2022

European Union

EDPB launches first coordinated enforcement action on use of cloud by public sector

The EDPB announced, on 15 February 2022, that it had launched today its first coordinated enforcement action.

In the coming months, 22 national supervisory authorities across the European Economic Area, including the EDPS will launch investigations into the use of cloud-based services by the public sector. This series of actions follows the EDPB’s decision to set up a Coordinated Enforcement Framework in October 2020.

The Coordinated Enforcement Framework is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts. These two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities.

Over 75 public bodies will be addressed across the EEA, including EU institutions and covering a wide range of sectors, such as health, finance, tax, education, and central buyers or providers of IT services.

You can read the press release here.


EDPS publishes preliminary remarks on modern spyware Pegasus

The EDPS published, on 15 February 2022, its preliminary remarks on modern spyware such as Pegasus. For the EDPS, the revelations made about the Pegasus spyware raised very serious questions about the possible impact of modern spyware tools on fundamental rights, and particularly on the rights to privacy and data protection.

You can read the preliminary remarks here.


ENISA publishes cybersecurity best practices

The ENISA announced, on 14 February 2022, thatt it had published a set of cybersecurity best practices for public and private organisations in the EU.

You can read the cybersecurity best practices here.

National Authorities

France: For 2022, CNIL prioritises enforcement in direct marketing, cloud services, and monitoring employees working from home

The CNIL published, on 15 February 2022, its priority areas for enforcement in 2022, specifically focussing on direct marketing, employee monitoring in the context of working from home, and cloud computing services as part of the EU’s first joint enforcement action involving 22 data protection authorities.

The CNIL intends to clarify the extent to which professionals working in the direct marketing sector comply with the GDPR, especially data brokers.

You can read the press release here, only available in French.


France: CNIL publishes 2022-2024 strategic plan

The CNIL announced, on 17 February 2022, that it had published its 2022-2024 strategic plan.

In particular, the plan outlines the following three priority areas :

  • promoting control and respect for the rights of individuals;
  • promoting the GDPR as an asset of trust for organisations; and
  • prioritising targeted regulatory actions on subjects with high stakes for privacy.

You can read the strategy here, only available in French.



Spain: AEPD fines Amazon Road Transport €2M for unlawful processing of criminal conviction data

The AEPD published, on 11 February 2022, its decision in Proceeding No. PS-00267-2020, in which it imposed a fine of €2,000,000 on Amazon Road Transport Spain S.L. for a violation of Articles 6(1) and 10 of the GDPR, following a request for candidates’ criminal records during the hiring process, based on consent.

A representative of the General Union of Workers filed a claim with the AEPD, noting that, for the hiring of self-employed contractors, Amazon Road Transport requested certificates of absence of a criminal record, specifically requiring the consent of the candidates, so that this data can be transferred to group companies and their supplier located outside the European Economic Area.

Amazon Road Transport claimed that, when obtaining a negative certificate, data relating to criminal convictions or offences is not processed, since the certificate does not contain any data relating to the commission of crimes, and as such, do not fall under Article 10 of the GDPR

The AEPD rejected the claims of Amazon Road Transport regarding the processing of negative criminal conviction certificates, and refused to accept their interpretation of Article 10 of the GDPR,

As a result, the AEPD imposed the fine of €2,000,000 on Amazon Road Transport, and ordered the same to cease requiring the certificate of absence of a criminal record from applicants, delete all the information of the certificates already provided, and adapt its processing in accordance to the requirements of Article 6(1) of the GDPR.

For the AEPD, Amazon Road Transport had not violated Articles 7 and 49(1) of the GDPR, relating to international data transfers.

You can read the decision, here, only available in Spanish.