Privacy News 09/07/2021

Jul 16, 2021

European Union

EDPB adopts guidelines on code of conduct, virtual voice assistants, and concepts of data controller and processor

The EDPB announced, on 8 July 2021, that it had adopted Guidelines on Codes of Conduct as a tool for transfers, Guidelines on Virtual Voice Assistants, and Guidelines on the concepts of controller and processor.

According to the EDPB, the main purpose of the Guidelines on Codes of Conduct is to clarify the application of Articles 40(3) and 46(2)(e) of the GDPR.

Regarding the final version of the Guidelines on Virtual Voice Assistants, the EDPB seek to provide recommendations on how to address virtual voice assistant compliance challenges.

The final version of the Guidelines on the concepts of controller and processor aim to provide clarifications regarding key concepts, such as joint controllers and processors.

You can read the press release here.


Netherlands : AP fines insurance agency €450.000 for data breach

The AP issued, on 7 July 2021, its decision in proceedings fining Employee Insurance Agency (UWV) €450,000 for breaching personal data security in violation of Article 13 of the GDPR.

For the AP, the UWV insufficiently guaranteed and safeguarded a risk-adjusted security level in the context of sending group messages via « My Workmap-environment » to a group of job seekers.

As a result, files containing a multitude of personal data of job seekers ended up with the wrong recipients, namely in the « My Work Folder environment » of other job seekers.

You can read the press release here and the decision here, only available in Dutch.


Spain: AEPD fines Caixabank €50,000 for unlawful direct marketing

The AEPD issued, on 8 July 2021, a decision in proceedings PS/00259/2020, fining Caixabank, SA, €50,000 for unlawfully processing personal data pursuant to Article 6(1)(f) of the GDPR.

The decision outlines that the claimant received commercial advertising from Caixabank via post, although the claimant had objected to the processing of his data for advertising purposes.

The decision notes that Caixabank responded to the allegations and claimed that it had a legitimate interest in the communications since it was neither personalised commercial communications nor was it directly addressed to the client.

The decision discusses whether the cover of the sent envelope can be considered advertising and therefore whether the information sent involved processing of personal data for direct marketing purposes in accordance with Article 4(2) of the GDPR.

Nevertheless, the decision concludes that the generic cover of advertisement could be considered advertising, and therefore involving the processing of personal data for direct marketing purposes.

You can read the decision, only available in Spanish, here.