Privacy News 04/06/2021

Jun 10, 2021

European Union

Commission adopts new SCCs for exchanges of personal data

The European Commission announced, on 4 June 2021, that it had adopted two sets of SCCs, one for use between controllers and processors and one for the transfer of personal data to third countries.

The Commission highlighted that the SCCs reflect the requirements under the GDPR and take into account the CJEU judgment Schrems II, with a view to ensuring a high level of data protection for citizens.

Furthermore, the Commission noted that the new SCCs also take into consideration the joint opinion of the EDPB and the EDPS, feedback from stakeholders, and the opinion of Member States’ representatives.

You can read the press release here, the Controller-Processor SCCs here, and the Third Country Transfer SCCs here.


EDPB issues 2020 Annual Report

The EDPB issued, on 2 June 2021, its 2020 Annual Report.

The annual report addresses, among other things, the EDPB’s activities in 2020, covering topics such as adopted guidance and opinions, as well as its involvement in various legislative consultations.

In addition, the annual report outlines the EDPB’s activities in relation to the evaluation of the GDPR, issues relating to COVID-19 responses, international personal data flows following the Court of the European Union’s judgment Schrems II, cross-border cooperation, and its main objectives for 2021.

You can read the executive summary here and the annual report here.


NOYB issues 560 draft cookie complaints

NOYB announced, on 31 May 2021, that it had sent 560 draft complaints to companies across 33 European jurisdictions with respect to cookie banners that NOYB deems ‘unlawful’.

NOYB outlined that 90% of the complaints relate to not providing users with a way to easily withdraw consent, and that 81% of the investigated cookie banners did not offer a reject option on the first layer of the banner, thus requiring users to access sub-layers to find a reject option.

Other issues identified by NOYB include the use of colours and contrasts which allegedly lead users to clicking the accept option, the use of legitimate interests as a legal basis for processing, the classification of essential cookies, and the use of pre-ticked consent fields.

NOYB also announced that it had developed a software that recognises the various issues with respect to cookie banners and automatically generates draft complaints.

You can read the press release here.


National Authorities

Danemark : Datatilsynet releases guidance on unsuccesful job applicant data retention

Datatilsynet released, on 28 May 202 applicants. 1, guidance regarding data retention periods for data related to unsuccessful job

The guidance outlines that while companies are not obliged to keep the personal data of unsuccessful applicants, they should make an assessment of how long it is necessary to store the information, taking into consideration the need for storage, including how long the information has legal or administrative significance, as well as the principle that the information should not be stored for longer than necessary.

The guidance states that the Datatilsynet will accept a retention period of up to three years after the end of the recruitment process for information about applicants who were not offered a position, however outlines that companies must have a specific reason for retaining data for this long.

As such, the guidance recommends that data controllers document the reasoning behind the selected retention period, particularly if that period exceeds three years.

You can read the guidance, only available in Danish, here.

Germany : HBDI releases 2020 activity report

The HBDI published, on 1 June 2021, its 2020 activity report on data protection and freedom of information. The report addresses a number of prominent topics from the year, including data protection during the COVID-19 pandemic, the use of video conferencing systems in schools, international data transfers, and access to data by former hospital employees.

It also highlights that the HBDI received a total of 1,433 reports of data breaches, with the main cause being linked to human and technical errors. The HBDI received 5,414 complaints and issued two fines and 13 orders during the reporting period.

You can read the press release here and the report here, both only available in German.

France : CNIL issues standard on data processing in context of rental management

The CNIL announced, on 27 May 2021, that it had adopted a standard on the processing of personal data in the context of rental management. The standard aims to provide a framework for all the processing operations implemented throughout the duration of a lease contract.

It includes provisions that apply to organisations renting residential premises on their behalf as well as to real estate professionals operating as representatives of the lessor. 

The standard also sets out how data protection rules apply to each stage of the rental process, retention periods, transparency obligations, data subject rights, and the obligation to carry out a DPIA, among other privacy considerations. 

You can read the press release here and the standard here, both only available in French.

France :CNIL launches consultation on draft standard on processing minors’data in context of medical and social support

The CNIL announced, on 2 June 2021, that it had launched a public consultation on a draft standard on the processing of personal data in the context of providing support to minors and young adults.

The standard sets out recommendations for professionals in the social and medical care sector on processing of data of minors young adults in compliance with Act No.78-17 of 6 January 1978 and the GDPR. 

You can read the press release here and the draft standard here, both only available in French.