European Union

Commission publishes proposal for Data Act

The European Commission published, on 23 February 2022, its proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act).

The objectives of the Draft Data Act are the following :

• facilitate access to and the use of data by consumers and businesses, while preserving incentives to invest in ways of generating value through data;
• provide for the use by public sector bodies and EU institutions, agencies, or bodies of data held by enterprises in certain situations where there is an exceptional data need;
• facilitate switching between cloud and edge services;
• put in place safeguards against unlawful data transfer without notification by cloud service providers; and
• provide for the development of interoperability standards for data to be reused between sectors.

According to the explanatory memorandum, the Draft Data Act is consistent with existing rules on the processing of personal data, including the GDPR and the ePrivacy Directive. It complements the recently adopted DGA and the DMA proposal.

The Draft Data Act envisages basic rules for all sectors as regards to the rights to the use of data, such as in the areas of smart machinery or consumer goods.

According to the article 1(2), it applies to :

• manufacturers of products and suppliers of related services placed on the market in the EU and the users of such products or services;
• data holders that make data available to data recipients in the EU;
• data recipients in the EU to whom data are made available;
• public sector bodies and EU institutions, agencies, or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interest and the data holders that provide the data in response to such request; and
• providers of data processing services offering such services to customers in the EU.

You can read the questions and answers here, and download the Draft Data Act here.

Commission launches online consultation platform on European Digital Identity

You can read the press release here.

National Authorities

The Netherlands: Dutch Government publishes a DPIA on Microsoft

The Dutch Government published, on 16 February 2022, a DPIA, which assessed the data protection risks of the professional use of Microsoft Teams in combination with OneDrive, SharePoint Online, and the Azure Active Directory. This DPIA was conducted by the Ministry of Justice, SURF B.V and the SSLM Rijk (the negotiator for Microsoft, Google, and Amazon Web Service products and services for Dutch government organisations)

You can read the press release here and download the DPIA here.

Ireland: DPC publishes 2021 annual report

The DPC published, on 24 February 2022, its annual report for 2021. According to the report, the funding of the DPC by the Government has increased year-on-year from €1.7 million in 2013 to €19.1 million in 2021.

You can read the press release here and the report here.

Fines

Italy: Garante fines T.S.M. €40,000 for violation of data subject rights

The Garante issued, on 27 January 2022, its decision in Case No. 23, in which it imposed a fine of €40,000 on T.S.M. s.r.l., for violations of Articles 13, 15, 21 of the GDPR and articles 157 and 166(2) of the Personal Data Protection Code, following a complaint submitted by an individual.

In order to participate in a professional training course, the complainant had been requested by the organisers to fill some forms in the name of T.S.M. The complainant requested the organisers to provide informations on the same and submitted to T.SM a request for the exercise of its rights of access, erasure, and object.

Thereafter, T.S.M. confirmed to the complainant the deletion of their personal data, without providing the complainant, the information required under Article 15 of the GDPR and without ensuring that it had taken note of the complainant’s objection to future processing.

Based on its investigation, the Garante found that the forms in questions had required the complainant to attach a copy of their identity document and health card, but didn’t contain any information on the processing of personal data nor did they clarify the contractual relationship between T.S.M. and the course organisers.

Therefore, the Garante held that T.S.M. was in violation of :

• Article 13 of the GDPR, as it had failed to clarify its role and the scope of the processing of personal data ;
• Articles 15 and 21 of the GDPR, having provided incomplete information to the complainant, making it impossible to exercise those rights and depriving them of control over their personal data ;
• Articles 157 and 166(2) of the Code, for failure to respond to the requests for information and documents submitted by the Garante, thus hindering the investigation.

You can read the decision, only available in Italian, here.