Privacy News 01/10/2021

Oct 7, 2021

European Union

EDPB launches taskforce to address NOYB cookie complaints

The EDPB announced, on 27 September 2021, that it had set up a taskforce to coordinate the response to complaints concerning cookie banners filed by NOYB. The taskforce had been established in accordance with Article 70(1)(u) of the GDPR and aims to promote cooperation, information sharing, and best practices between the relevant supervisory authorities. It will exchange views on legal analysis and possible infringements and provide support to activities on the national level. You can read the press release here.  

EDPB adopts opinion on draft South Korea adequacy decision

The EDPB announced, on 27 September 2021, that it had adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea. For the EDPB, the core aspects of the Korean data protection framework are essentially equivalent to those of the EU, but it called on the Commission to further clarify certain aspects and to closely monitor the situation. You can read the press release here and the opinion here.  

Fines

HmbBfDI fines Vattenfall €901,389 for violating transparency principles

The HmbBfDI announced, on 24 September 2021, that it had fined Vattenfall Europe Sales GmbH €901,388.84 for violating the data protection transparency obligations under Articles 12 and 13 of the GDPR. According to the HmbBfDI, the customers had not been adequately informed about the internal data comparison related to contract inquiries for special contracts (associated with special bonus payments) which the company had carried out from August 2018 to December 2019. Around 500,000 people had been affected. You can read the press release here, only available in German.  

Datatilsynet fines Ferde NOK 5M for illegal data transfer to China

Datatilsynet announced, on 28 September 2021, that it had issued a fine of NOK 5 million (approx. €496,000) to Ferde AS for illegally transferring the personal data of motorists to a data processor in China. Datatilsynet found that the company had violated a number of basic obligations that the company has under the GDPR. The company had not had a valid basis for transferring personal data to China. You can read the decision here, only available in Norwegian.  

Garante fines Luigi Bocconi University €200,000 for use of US proctoring software and various violations of the GDPR

The Garante published, on 29 September 2021, its decision to fine Luigi Bocconi University €200,000 for using Respondus, a US proctoring app used to invigilate examinations remotely during the COVID-19 pandemic, for various violations of the GDPR. For the Garante, students were not sufficiently informed of the processing of their personal data carried out through the proctoring software, including failing to mention the tracking of students’ behaviour during the test, the subsequent processing by profiling, the audio-video recording and the photograph taken by the system at the beginning of the test, therefore violating Article 5(1)(a), 12 and 13 of the GDPR. In addition, in consideration of the plethora of information collected on students during the examinations, which exceeded what was strictly necessary for the purposes of the examinations, both the principles of data minimisation under Article 5(1)(c) and of Data Protection by Design and by Default under Article 25 of the GDPR had been breached. The Garante found that the processing of biometric data through the Respondus application had been carried out without a suitable legal basis, in violation of Article 9 of the GDPR (the University had identified consent as the appropriate legal basis, but in light of the imbalance of power between students and the University, consent could not be relied upon in these circumstances). Referencing the CJEU decision Schrems II, the Garante found that the University had transferred personal data to a third country, the US, without having proved that it has verified and ensured that the transfer in question was carried out in compliance with the conditions referred to in Chapter V of the GDPR, in violation of Articles 44 and 46 of the GDPR. You can read the decision here , only available in Italian.