European Union
Commission publishes report on implementation of specific GDPR provisions
The European Commission announced, on 6 January 2021, that its Directorate-General for Justice and Consumers had published its Report on the Implementation of Specific Provisions of Regulation (EU) 2016/679. This report aims to present the implementation by EU Member States of Articles 8(1), 9(4), 23(1)(c) and (e), 23(2), 85(1) and (2), and 89(2), (3), and (4) of the GDPR.
The report addresses, among other things, the implementation of conditions applicable to children’s consent in relation to information society services, the processing of special categories of personal data, the restrictions to the exercise of data subjects’ rights, the relationship between the right to the protection of personal data and the right to freedom of expression and information, and national derogations for processing for scientific or historical research purposes, statistical purposes, and public interest purposes.
You can access the press release here and the report here.
National Authorities
CNPD publishes 2021 activity plan
The CNPD published, on 6 January 2021, its activity plan for 2021.
The plan outlines that the CNPD will introduce, in relation to the implementation of the GDPR, requirements and procedures for the approval of codes of conduct and measures to guarantee the application of the principles of Privacy by Design and by Default.
In addition to new guidelines, the CNPD will work on children data processing, cookies, and privacy policies. Moreover, and in relation to audits and supervision, the plan states that the CNPD will focus on video surveillance and call centers.
Additionally, CNPD will focus heavily on raising public awareness, new processing of personal data in the labour and electoral contexts, as well as in the homogeneous application in the EU of the legal data protection regime.
Futhermore, the CNPD intends to deepen the debates on the processing of personal data using artificial intelligence technologies, as well as on the processing of personal data in the context of teleworking.
You can read the plan, in Portuguese, here.
Fines
Garante fines Reti Televisive Italiane €10,000 for fairness and transparency violation
The Garante announced, on 23 December 2020, that it had fined Reti Televisive Italiane S.p.a. €10,000 for violating the principle of fairness and transparency, as outlined in both the data protection legislation and the Deontological Code of Journalists.
The Garante outlined that journalists must refrain from using pressure and artifice to collect news that could be accessed through journalism instruments. Journalists of the TV programme ‘Le Iene’ entered the office of a doctor pretending to have health conditions and recorded the dialogue without the doctor’s consent, only partially covering their face and masking their voice.
For the Garante, the journalists could have collected the same news through other means, such as an official interview.
You can read the decision, in Italian, here.
LfD issues €10.4 million fine against notebooksbilliger.de for employee video monitoring without a legal basis
The LfD Niedersachsen issued, on 8 January 2021, a €10.4 million fine against notebooksbilliger.de AG for video monitoring its employees for over two years without any legal basis.
The LfD Niedersachsen noted that the cameras recorded workplaces, sales rooms, warehouses, and common areas, among other places, and that notebooksbilliger.de claimed that the aim of the video camera installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses.
However, the LfD Niedersachsen stipulated that, in order to prevent theft, a company must first examine milder means, such as random bag checks when employees are leaving the business premises.
In addition, the LfD Niedersachsen noted that video surveillance to uncover criminal offences is also only lawful if there is justified suspicion against specific persons, and that, if this is the case, it may be permissible to monitor them with cameras for a limited period of time.
At notebooksbilliger.de, video surveillance was neither limited to a specific period of time nor to specific employees, and that, in many cases, the recordings were saved for 60 days, which is significantly longer than necessary.
You can read the press release, in German, here.
CNIL issues €20,000 fine to Nestor for sales prospecting without consent
The CNIL announced, on 5 January 2021, that its restricted committee had issued, on 8 December 2020, a decision in which it imposed a fine of €20,000 against Nestor SAS for sending prospecting emails to 653,033 recipients without their consent since 2017, violating Article L.34-5 of the Postal and Electronic Communications Code (‘CPCE’), as well as for other violations of the GDPR.
CNIL outlined that recipients included individuals who had created an account on Nestor’s website or application without making a purchase, as well as those whose data was collected through the internet. Also, the online form for the collection of personal data did not inform the individuals about the collection of the data and, on the mobile app, no information relating to data protection was provided to users.
As a result, CNIL found Nestor in violation of Articles 12 and 13 of the GDPR regarding the requirement to inform the data subject of certain information concerning the processing of their personal data. In addition, Nestor had failed to comply with the obligation to respect the data subject right to access copies of their personal data held in the company’s database and to implement appropriate data security measures, such as the use of a strong password during the creation of an account on the website or mobile application.
You can read the decision, in French, here.
UODO fines ID Finance Poland PLN 1M for inadequate technical and organisational security measures
The UODO announced, on 31 December 2020, its decision to fine ID Finance Poland PLN 1 million (approx. €250,000) for its failure to implement adequate technical and organisational measures to ensure the security of data.
The UODO noted that the company had not responded to indications about security gaps and that an unauthorised person had subsequently copied and deleted the data in the company’s server also demanding a ransom.
The UODO had established that the breach had taken place following a failed attempt to restore appropriate security configuration and that the controller, despite being notified about the vulnerability from cybersecurity specialists, failed to exercise due diligence with respect to its security systems and its processor.
In addition, the UODO noted that controllers should be able to identify breaches quickly and effectively to take appropriate action as well as investigate the incident and take appropriate remedial action.
Moreover, the UODO highlighted that the lack of quick response by the processor does not reduce the controller’s responsibility for the data breach and that, in calculating the fine, it took into consideration, among others, the scale of the breach and the controller’s delay in taking appropriate remedial action.
You can read the decision, in Polish, here.
ANSPDCP fines ING Bank RON 14,620 for personal data violations
The ANSPDCP announced, on 30 December 2020, that it had imposed a fine of RON 14,619.90 (approx. €3,000) on ING Bank NV Amsterdam (Bucharest branch), following its investigation into the bank. The ANSPDCP noted that due to a system error, the bank failed to terminate its business relationship with an individual and close their account upon the individual’s request in 2017.
As such, the ANSPDCP found that the bank continued to process the individual’s personal data in violation of Articles 5 and 6 of the GDPR. For the ANSPDCP, the bank failed to comply with the principles of lawfulness, fairness, and transparency, as well as the principles of purpose limitation and data minimisation.
You can read the decision, in Romanian, here.