Data Protection Weekly 9/2024

Mar 11, 2024

CEDPO

SABI: UODO President meets with Polish member of CEDPO

On 8 March 2024, Mirosław Wróblewski, President of the Polish data protection authority (UODO), engaged in discussions with the Board of SABI, a founding member of CEDPO, led by its President Maciej Byczkowski. SABI highlighted its initiatives to establish professional standards for data protection officers (DPOs) and addressed the current challenges faced by DPOs. Mr Wróblewski emphasised the crucial role of DPOs in the data protection system and the need to ensure their independence. This meeting marks the beginning of a series of interactions between UODO and the DPO community to foster dialogue and cooperation. UODO is planning further meetings and consultations to engage with DPOs, with a specific focus on DPO independence scheduled for early April. You can read the press release here (in Polish).

European Union

CJEU: Clarification of GDPR rules on the auctioning of personal data for advertising purposes

The Court of Justice of the European Union (CJEU) has clarified the application of GDPR in the context of auctioning personal data for advertising in case C-604/22 involving IAB Europe. The case addresses the legality of Real-Time Bidding systems where user data is auctioned to advertisers. The CJEU confirmed that a ‘Transparency and Consent String’ (TC String), used to store user preferences, is personal data under GDPR. IAB Europe, a key player in digital advertising, was deemed a ‘joint controller’ for data processed up to the point of user consent recording in the TC String. However, its role as a controller for subsequent data processing depends on its influence over those processes. This judgment follows a 2022 decision by the Belgian data protection authority, which found IAB Europe’s handling of the TC String to be non-compliant with GDPR, imposing corrective measures and a fine. The judgment underscores the necessity for explicit user consent and clarifies the responsibilities of digital advertising stakeholders under GDPR. You can read the press release here and the full decision here.

CJEU: Joint liability of Europol and Member State for damage arising from unlawful data processing

The Court of Justice of the European Union (CJEU) ruled in case C-755/21 that Europol and the Member State in which damage has occurred arising from unlawful data processing carried out in the context of cooperation between Europol and that Member State are to be jointly and severally liable for that damage. This case followed an appeal by Mr Marian Kočner, who sought compensation from Europol for the public disclosure of his private communications, which he claimed caused non-material damage. The CJEU overturned a prior judgment, clarifying that victims need only demonstrate that unlawful data processing occurred during cooperation between Europol and a Member State, without specifying the responsible entity. Ultimately, the CJEU recognised Mr Kočner’s right to privacy and awarded him €2,000 in damages for the violation of his private life and the adverse impact on his honour and reputation. You can read the press release here and the full decision here.

National Authorities

France: CNIL urges caution with online genetic tests

The French data protection authority (CNIL) is raising concerns about the popularity and risks associated with online genetic testing kits, particularly those used for genealogical purposes. These kits, while marketed for recreational use, involve the collection of highly sensitive personal data, including ethnicity, phenotypic traits, and health-related information, which can reveal extensive details about an individual and their family. In France, genetic tests are legally restricted to specific contexts such as medical care, judicial inquiries, or research, with hefty fines for unauthorised use or provision. The lack of clarity and security in data handling by companies selling these kits poses risks of data breaches and misuse, potentially leading to discrimination or other harms. The CNIL monitors and can impose significant fines on entities violating data protection laws, emphasising the need for stringent oversight in this sensitive area. You can read the press release here (in French).

Spain: AEPD publishes a blogpost on evaluating human intervention in automated decisions

The Spanish data protection authority (AEPD) has published a blogpost emphasising the critical role of human intervention in automated decision-making processes. The GDPR’s Article 22 mandates that individuals have the right not to be subjected to decisions based solely on automated processing with significant effects, barring specific exceptions. The AEPD references the WP 251 Guidelines to explain that meaningful human involvement is required to prevent classification as solely automated processing. Such involvement must be by an individual who is competent and authorised to influence the decision, considering all relevant information. The post advocates for a thorough assessment of human intervention, focusing on aspects like competence, authority, and diligence, to ensure the individual has the necessary means, information, and time for informed involvement. The AEPD’s guidance underscores the importance of a systematic evaluation to guarantee effective human oversight in automated decision-making settings. You can read the full blogpost here (in Spanish).

Spain: AEPD issues provisional measures against Worldcoin in Spain

The Spanish data protection authority (AEPD) enforced a provisional measure against Tools for Humanity Corporation, halting the collection and processing of personal data in Spain for their Worldcoin project and demanding the blocking of data already collected. This decision follows numerous complaints, highlighting issues such as insufficient information provided to users, the collection of minors’ data, and the inability to withdraw consent. The AEPD’s action, addressing the high risks associated with the processing of biometric data, a category requiring special protection, aims to prevent immediate data processing, potential data sharing with third parties, and uphold fundamental data protection rights. This provisional ban is valid for up to three months, underscoring the urgency and significance of safeguarding personal data rights under exceptional circumstances as outlined in the GDPR. You can read the press release here (in Spanish).

Portugal: CNPD warns citizens against providing biometric data to Worldcoin project

The Portuguese data protection authority (CNPD) has issued a warning urging citizens to carefully consider before providing their biometric data to the Worldcoin project. Following multiple complaints regarding the data collection process, particularly concerning the data of minors gathered without parental consent, the CNPD highlighted the risks associated with sharing such sensitive information. In response to extensive media coverage and public concern, the CNPD is advancing its investigation into Worldcoin’s data practices in Portugal. Meanwhile, the CNPD advises individuals to thoroughly review information about data handling provided by Worldcoin and stresses the importance of informed consent, especially advising against the biometric data collection of minors. You can read the press release here (in Portuguese).

Italy: Garante opens an investigation into OpenAI’s “Sora”

The Italian data protection authority (Garante) has opened an investigation against OpenAI, scrutinising the new AI model ‘Sora’, which generates videos from text instructions. This action responds to potential concerns over user data processing within the EU, especially Italy. OpenAI is required to clarify Sora’s availability and its applicability to EU and Italian users. The company must detail the algorithm’s training process, the nature of data collected and processed, especially whether it is personal data; whether particular categories of data are collected; and what sources are used. In addition, if Sora is made available to EU users, OpenAI will be expected to demonstrate that its user information and data processing procedures comply with EU rules, thus ensuring compliance with the European legal framework. You can read the press release here.

Sanctions

Italy: Garante fines UniCredit 2.8 million euros over data breach

The Italian data protection authority (Garante) has imposed a fine of €2.8 million on UniCredit Bank for a personal data breach in 2018 that affected thousands of customers and former customers. An extensive cyber-attack on their mobile banking portal allowed unauthorised access to personal details of approximately 778,000 individuals. The Garante found UniCredit had not implemented sufficient technical, organisational and security measures to prevent such cyber-attacks and to stop customers from using weak PINs. In a related action, NTT Data Italia was fined €800,000 for reporting the breach to UniCredit past the regulatory deadline and subcontracting work without authorisation. These fines reflect the scale of the breach, its seriousness, and the entities’ economic capacity, although mitigating factors like corrective measures taken by UniCredit were also considered. You can read the press release here.

Italy: Garante fines medical device company for privacy breach in diabetic app

The Italian data protection authority (Garante) has fined a medical device company €300,000 for privacy violations involving an app for diabetic patients. A €250,000 fine was levied for sending emails that exposed the recipients’ email addresses, revealing their health conditions to each other. Additionally, a €50,000 fine was imposed for failing to provide comprehensive privacy information to patients. The incident highlighted the company’s lack of adequate technical and organisational measures to prevent data breaches. Further investigations revealed additional violations, such as the inadequate explanation of the legal basis for personal data processing when linking patient accounts to healthcare professionals, undermining data processing transparency and accuracy. This case underscores the critical need for stringent data protection practices, especially when handling sensitive health information. You can read the press release here.

UK: ICO imposes £80,000 fine on Pinnacle Life for “predatory” spam call campaign

The UK data protection authority (ICO) has fined Pinnacle Life, a Wigan-based company, £80,000 for conducting an unsolicited spam call campaign targeting nearly 48,000 individuals registered on the Telephone Preference Service (TPS). Over a year, Pinnacle Life made unauthorised attempts to market life insurance, often employing aggressive, misleading tactics. These included feigning association with victims’ insurers and exploiting pandemic fears. Some employees reportedly insulted or persistently harassed individuals who resisted. The ICO’s investigation also hinted at Pinnacle Life’s efforts to evade compliance by rebranding. This enforcement underscores the ICO’s dedication to combating intrusive marketing practices, highlighting the importance of reporting such nuisances. This case was initiated by a single complaint, exemplifying the impact of public vigilance in curbing unauthorised telemarketing. You can read the press release here.