Privacy News 10/12/2021

Dec 13, 2021

National Authorities

Germany: Administrative Court of Wiesbaden issues preliminary decision prohibiting University from using Cookiebot

The Administrative Court of Wiesbaden issued, on 6 December 2021, a press release on its preliminary decision  where it prohibited the RheinMain University of Applied Sciences from using Cybot A/S’s consent management platform Cookiebot CMP.

The Court found that Cookiebot CMP transfers the complete IP address of the end user to the servers of a company whose headquarters are in the U.S. The end user was identifiable from a combination of a key stored in the user’s browser, which identified the website visitor, and the transferred full IP address.

According to the Court, this constitutes a transfer of personal data to a third country, outlining that it is prohibited in view of the CJEU judgment Schrems II.

The Court also noted that the University did not ask users’ consent for this transfer of data to the U.S.

As a consequence, the Court prohibited the University from integrating Cookiebot CMP on its website.

You can read the press release, in German here.


The Netherlands: AP fines Minister of Finance €2.75M for discriminatory and illegal processing of dual nationality status

The AP announced, on 7 December 2021, its decision to impose a fine of €2.75 million on the Minister of Finance, for violations of the GDPR (discriminatory and illegal processing of dual nationality status by tax authorities).

The tax authorities had kept and used the dual nationality of Dutch nationals in assessing applications for childcare allowance.  Although this wasnt the intended use of the data, the tax authorities processed the dual nationality of applicants to fight organised fraud.  The nationality of applicants were used as an indicator in a system to designate certain applicants as risky.

For the AP, tax authorities had committed serious violations of the GDPR by processing the dual nationality of applicants for childcare allowance in an unlawful and discriminatory manner.

The AP also stated that the dual nationality of Dutch citizens should have been deleted in January 2014 as it didn’t play a role in assessing application for childcare allowance.

As a consequence, for the AP, the processing of dual nationality of Dutch citizens for assessing applications and combating fraud, was unlawful and therefore prohibited.

You can read the press release, available in Dutch, here.


Finland: Ombudsman declares company’s use of WhatsApp to transfer customers’ personal data to employees unlawful

The Ombudsman published, on 8 December 2021, its decision  No. 9024/181/2019 in which it had found a cleaning company in violation of Articles 5(1)(f), 24, 25, and 32 of the GDPR, following its processing of customers’ personal data in the absence of sufficient data security measures.

You can read the press release, only available in Finnish here .


Belgium: DPA issues €100,000 fine to unnamed entity for unlawful access to national credit register

The Belgian DPA issued, on 26 April 2021, its decision in which it fined an unnamed entity operating in the financial services sector €100,000 for failure to secure access to the Central Individual Credit  register of the National Bank of Belgium from unauthorised employee access.

The decision followed a complaint regarding unlawful access to personal data and refusal of requests to exercise the data subject’s right of access.

The complainant learned, in April 2019, that their personal data contained in its file within the National Bank of Belgium’s Central Credit register had been accessed on 20 occasions by the ex-husband of the complainant.

The ex-husband of the complainant had allegedly used its professional activity to unlawfully access the NBB’s CCP register in order to inform financial discussions within their divorce proceedings.

The complainant requested, among other things:

  • a summary of the information that was accessed by the defendant (including the date of access and the identity of individual who accessed the information);
  • that the defendant implement appropriate measures to ensure the security of its processing activities;
  • the imposition of a fine, considering the gravity of the violations.

As a response, the Belgian DPA highlighted the defendant’s liability, as data controller and employer, for unlawful consultations of the CCP register by its employees and its failure to implement appropriate technical and organisational measures to prevent unauthorised processing of personal data by its employees.

As a result, the Belgian DPA ordered the defendant to ensure that access to the CCP register complies with Articles 5(1)(f) and 32 of the GDPR and imposed a fine of €100,000 for the violation of the mentioned articles.

This decision also  highligted the incompatibility of the function of the DPO with  that of a Chief Information Security Officer (CISO). The Belgian DPA seems to have taken a more functional approach to this incompability by deciding that :

  • The CISO performed risk analyses, i.e. an advisory function – as head of the department – and presented suggested mitigations measures to the management ;
  • It was up to the management to decide whether or not to adopt the suggested measures;

You can read the decision, available in Dutch, here.


Belgium : Alexandra Jaspar resigns from her position as a director at the Belgian DPA

Alexandra Jaspar chose to resign, after sounding the alarm, denouncing a DPA unable to meet its legal objectives due to various conflict of interests.

You can read a dedicated article, only available in French here.


United Kingdom:  ICO former chief denies conflict of interest in new role

Former information commissioner, Elizabeth Denham will join a private law firm that represents technology companies she used to regulate, raising questions about conflicts of interest.

You can read the Baker McKenzie press release, here.