Privacy News 09/04/2021

Apr 12, 2021

 European Union

 EDPB and EDPS adopt joint opinion on Digital Green Certificate proposals

The EDPB and the EDPS released, on 6 April 2021, a joint opinion on the European Commission’s proposals for a Digital Green Certificate. These proposals aim at facilitate free movement within the EU by establishing a common framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, testing, and recovery certificates.

In their joint opinion, the EDPB and EDPS outline that the use of Digital Green Certificates must not result in the direct, or indirect, discrimination, of individuals and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness.

These proposals should also contain appropriate safeguards and expressly state that any access to, and subsequent use of, individuals’ data by EU Member States is not permitted once the pandemic has ended.

Finally, the joint opinion includes some recommendations for further clarifications regarding the role of the European Commission, the categories of data concerned, the identification of data controllers and data processors, data storage periods, and data transfers.

You can read the joint opinion here.


The European Parliamentary Research Service publish a report on EU-UK private-sector data flows after Brexit

The European Parliamentary Research Service published on 9 April 2021, a report on EU-UK private-sector data flows after Brexit.

This report assesses adequacy challenges and transfer instruments under the GDPR. It also considers possible mechanisms for data transfer in the absence of an adequacy decision, such as SCCs, BCRs and code of conducts.

You can read the report here.


National Authorities

 AEPD releases annual report

The AEPD released, on 6 April 2021, its annual report.

The annual report highlights that in 2020, the AEPD generally focussed on ensuring health care measures, control of the pandemic, and the fundamental right to data protection.

In 2020, 10,324 claims were filed with the AEPD. The complaints raised most frequently by citizens refer to internet services, improper insertion in delinquency files, video surveillance, receiving unsolicited advertising, and debt claims.

In 2020, the most frequent areas in sanctioning procedures are video surveillance, internet services, public administration, and telecommunications.

You can read the report here, only available in Spanish.


 Berlin Commissioner releases annual report

The Berlin Commissioner released, on 8 April 2021, the annual report for 2020.

The Berlin Commissioner received 4,868 complaints against public and private organizations, issued 308 warnings and 47 fines, totaling €77,250.

Of the 925 data breaches reported to the Berlin Commissioner, 821 came from private organizations.

Regarding the EU cross-border cases, the Berlin Commissioner lead 29 proceedings in accordance with Article 56 of the GDPR.

You can read the report here, only available in German.



 Garante fines Fastweb €4.5M for unsolicited telemarketing activities

The Garante announced, on 2 April 2021, that it had fined Fastweb, S.p.a. €4.5 million for processing the personal data of millions of users for telemarketing purposes, without obtaining their consent.
An investigation into Fastweb was launched following hundreds of complaints from users regarding unwanted promotional calls received without their consent. The calls appeared to originate from unregistered numbers.

For the Garante, the security measures of the customer management systems were inadequate.

The DPA also critized the maintenance of contact lists provided to Fastweb by external partners that did not acquire user consent to share such data.

As a result, the Garante has ordered Fastweb to strengthen their security measures to prevent unauthorized disclosure and only use the personal data of individuals who have given their consent for such data to be used by third parties.

You can read the decision here, only available in Italian.