Privacy News 04/12/2020

Dec 8, 2020

 IAB Europe publishes guidance for DPIAs in digital advertising under GDPR

The Interactive Advertising Bureau (IAB) Europe announced on November 30, 2020 that it has published its guide on data protection impact assessments for digital advertising in the context of the GDPR.

The guide describes the DPIA process in the context of data processing for digital advertising purposes to help businesses understand and comply with their obligations.

It also explains how to integrate the DPIA process into the product design and development phases.

Specifically, the guide addresses, among other things, the following points:

– what a DPIA is and when it is necessary;

– how to conduct a DPIA;

– the processes and stages of a DPIA;

– risk assessment and risk analysis.

You can read the press release here and the guidance here.



 AEPD fines Telefónica Móviles España €75,000  for unlawful data processing

EDPB announced on November 25, 2020, that AEPD had issued a resolution fining Telefónica Móviles España, S.A.U.75,000 € for violation of Article 6, paragraph 1, of the GDPR.

Telefónica Móviles had illegally processed the personal data of the plaintiff by sending several invoices corresponding to a third party.

AEPD considers this to be a blatant violation of Article 6(1) GDPR: Telefónica Móviles processed the applicant’s personal data without any legal basis.

You can read the press release here


 AEPD fines Comercio Online Levante €3,000 for GDPR violations

On December 1, 2020, AEPD issued a decision in procedure PS/00287/2020 fining Comercio Online Levante, S.L.  3000 € for violations of the GDPR.

When the complainant logged into his user account, he had access to the personal data of a third party.

For AEPD, the company Comercio Online Levante violated the principle of integrity and confidentiality under article 5, paragraph 1, point f) of the GDPR.

By allowing access to the data of a third party, Comercio Online Levante also violated article 32 GDPR regarding the security of data processing.

You can read the decision, in Spanish, here.


 AEPD fines Voltimum €2,000 for unlawful direct marketing activities

On December 1, 2020, AEPD published a resolution in the procedure PS/00241/2020, fining Voltimum, SA, 2,000 € for unlawful direct marketing activities.

Voltimum had not stopped sending direct marketing messages to the complainant even though the complainant had unsubscribed, thus violating Article 21 of Law 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce.

You can read the decision, in Spanish, here.


 AEPD fines Dr Marín Cirugia Plástica €4,000 for transparency and cookie violations

On December 2, 2020, the AEPD issued a resolution in procedure PS/00317/2020, fining Dr. Marín Cirugia Plástica, S.L.P. 4,000 € for violation of Article 13 of the GDPR and article 22(2) of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce.

Dr. Marín Cirugia Plástica’s website did not contain a privacy policy or a cookie policy.

You can read the decision, in Spanish, here.


 AEPD fines Losada Advocats 10,000 euros for inadequate security measures

AEPD published, on December 2, 2020, a resolution in procedure PS/00322/2020 fining Losada Advocats S.L. 10,000 € for not taking adequate measures to ensure the security of personal data.

In accordance with Article 32 GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing and incurred by the data subjects.

Basic personal data, such as surnames, first names and addresses, were accessible to all. This is a blatant violation of Article 5(1)(f) of the GDPR.

You can read the decision, in Spanish, here.


 ICO fines OSL £50,000 for sending nuisance marketing texts

On December 4, 2020, ICO announced that it had fined OSL Financial Consultation Limited, a mortgage broker, £50,000 for sending 174,342 abusive marketing messages between March and June 2020.

Since the individuals concerned had not been given a choice as to whether or not to accept these marketing sms (opt-in/opt-out), there was no legal basis for OSL to process their personal data.

You can read the decision here.