Privacy News 07/05/2021

May 10, 2021

National Authorities

Malta: IDPC publishes guidelines on data collection of employees’ COVID-19 vaccination status

The IDPC published, on 29 April 2021, its guidelines on the data protection aspects related to the collection of employees’ COVID-19 vaccination status.

The guidelines explain that employers intending to collect and process such information should take a risk-based approach: assess the impact of the processing and carry out a DPIA, in accordance with Article 35 of the GDPR.

The IDPC also expects employers, among other things, to keep the vaccination-status information they process accurate and up to date, and, where feasible, to record employees' vaccination status without collecting copies of the actual medical certificates unless that is strictly necessary.

You can read the press release here and the guidelines here.


Fines

Germany: Federal Labour Court finds employee cannot request a copy of entire email correspondence

The German Federal Labour Court released, on 27 April 2021, its decision regarding an employee’s right to access their entire email correspondence and any emails mentioning them by name.

The Court found that the request, which was submitted under Article 15 of the GDPR, was not specific enough under the applicable civil procedural rules.

As a result, the Court held that the employer was not required to provide copies of the employee's entire email correspondence or of any emails mentioning the employee by name.

You can read the press release, only available in German, here.


Spain: AEPD fines EDP ENERGÍA €1.5M for security and transparency violations

The AEPD issued, on 4 May 2021, its decision in proceeding PS/00236/2020 in which it imposed two fines totalling €1.5 million against EDP ENERGÍA, SAU. This decision follows various complaints received regarding the processing of personal data without consent.

The AEPD imposed a fine of €500,000 for failing to implement appropriate technical and organisational measures, including when consent was obtained through a representative, in violation of Article 25 of the GDPR.

The AEPD also imposed a further €1 million penalty for failing to provide sufficient information to data subjects when contracts were concluded through different service providers, in breach of Article 13 of the GDPR.

You can read the decision, only available in Spanish, here.


Spain: AEPD fines EDP Comercializadora €1.5M for GDPR security and transparency violations

The AEPD issued, on 4 May 2021, a decision in proceeding PS/00037/2020, fining EDP Comercializadora SA €1,500,000 for violations of the GDPR.

The decision highlights that EDP Comercializadora was fined €500,000 for an infringement of Article 25 of the GDPR because of the company's failure to implement technical and organisational security measures to protect the personal data of individuals who entered into gas supply contracts with EDP Comercializadora through various third parties.

It also notes that, where services were contracted through a representative, there was no procedure in place requiring the representative to prove their authority to act on behalf of EDP Comercializadora, which exposed the data subjects to risks such as identity theft or economic damage.

Further to this, the decision provides that the data subjects were often asked to give consent to receiving energy-related offers, without proof that the third parties requesting such consent were authorised by EDP Comercializadora for such data processing.

Moreover, the decision records a further fine of €1,000,000 imposed on EDP Comercializadora for an infringement of Article 13 of the GDPR, due to its failure to provide sufficient information to data subjects when contracts were concluded through different service providers.

You can read the decision, only available in Spanish, here.


Norway: Datatilsynet notifies Ferde of NOK 5M fine for illegal data transfer to China

Datatilsynet announced, on 6 May 2021, that it had notified Ferde AS of its decision to fine the company NOK 5,000,000 (approx. €498,065) for illegally transferring the personal data of motorists to a data processor in China.

The notification highlights that Datatilsynet’s investigations revealed that Ferde AS lacked a data processing agreement as required by Article 28(3) of the GDPR.

The investigation further revealed that Ferde AS lacked an appropriate legal basis for the transfers to China between 2017 and 2019, in violation of Article 44 of the GDPR.

Lastly, the notification clarifies that this is not a final decision: a final decision will be taken once Ferde AS has submitted its comments.

The deadline for submitting comments is 4 June 2021.

You can read the press release, only available in Norwegian, here.