Privacy News 11/12/2020

Dec 14, 2020

European Union

Brexit: A transitional period after December 31?

According to Politico, EU and UK officials are exploring options for continuing data flows beyond the December 31 deadline, as negotiations on an adequacy deal remain on hold.

Both sides are considering a six-month extension for the data flows, which would leave more time to negotiate an adequacy deal.

Given the uncertainty of the adequacy negotiations, UK Minister of State for Media and Data John Whittingdale continues to advise UK businesses to put in place “other legal mechanisms to continue transferring personal data”.

You can read the press release here.

National Authorities

Garante publishes FAQs on video surveillance

The Garante announced on 5 December 2020 that it had published its FAQs on video surveillance.

The FAQs apply to the installation of video surveillance systems by both private and public entities. They address the questions raised by the entry into application of the GDPR and take into consideration the EDPB Guidelines 3/2019 on Processing of Personal Data Through Video Devices.

The FAQs address, among other things, transparency obligations when installing video surveillance systems, retention periods for the system’s recordings, and whether a Data Protection Impact Assessment must be carried out.

You can read the FAQs (only available in Italian) here.

Fines

CNIL fines Amazon €35M for cookie violations

CNIL announced, on 10 December 2020, its deliberation imposing on Amazon Europe Core Sarl a fine of €35 million for cookie violations under Article 82 of Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (as amended to implement the GDPR).

The CNIL highlighted that, after conducting investigations on the website amazon.fr between 12 December 2019 and 19 May 2020, it found that when a user visited the website, cookies were automatically placed on their computer without any action on the user’s part.

CNIL found that placing cookies at the moment the user entered the website was incompatible with the requirement to obtain the user’s prior consent.

CNIL also found that the information provided to users upon entering the Amazon website was insufficient: the information banner merely stated that by using the website, users accepted the use of cookies, so users could not understand that the cookies placed on their device would be used to display personalised ads.

CNIL therefore considered that Amazon had not complied with its obligation to adequately inform users about the use of cookies for advertising purposes.

You can read the decision in French here and in English here.

 

CNIL fines Google and Google Ireland €100M for cookie violations on google.fr

CNIL announced, on 10 December 2020, that it had issued two fines totalling €100 million against Google LLC and Google Ireland Limited for cookie violations.

In March 2020, CNIL completed an audit of google.fr which revealed that cookies used for advertising purposes were automatically placed on users’ equipment without any action on their part.

The French data protection authority highlighted three violations of Article 82 of Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (as amended to implement the GDPR):

  • Cookies for advertising purposes, which are not essential to the provision of Google’s services, were automatically placed on users’ equipment without their prior consent.
  • The information banner was accompanied by two buttons, ‘Remind me later’ and ‘Access now’, and did not provide the user with any information about the cookies already placed on their equipment.
  • The opt-out mechanism was partially defective: when a user deactivated personalised ads through the ‘Consult now’ button, one of the advertising cookies remained on their computer.

As a result, CNIL imposed a fine of €60 million on Google LLC, as the developer of the Google Search engine, and €40 million on Google Ireland Limited, Google’s European headquarters, the two companies being, in CNIL’s view, jointly responsible for determining the purposes and means for which the cookies are used.

You can read the decision in French here and in English here.

 

Datainspektionen fines Regional Board SEK 2.5M for security failures

The Swedish data protection authority announced, on 3 December 2020, that it had fined Östergötland’s Regional Board SEK 2.5 million (approx. €244,000) for violating Articles 5(1)(f) and (2), 24(1), and 32(1) and (2) of the GDPR.

Datainspektionen highlighted that the Regional Board had failed to carry out a risk analysis before authorising healthcare professionals and medical secretaries to access patients’ information, and had not limited staff access to such information.

Datainspektionen also stated that, because no risk analysis had been conducted before staff access was authorised, no legal basis had been established for the processing of the patients’ personal data.

The Swedish data protection authority also found that no technical and organisational measures had been taken to ensure that staff access to patients’ information was limited to what was needed.

You can read the decision (only available in Swedish) here.

 

Datainspektionen completes audit of Capio St. Göran’s Hospital, imposes fine of SEK 30M

The Swedish data protection authority announced, on 3 December 2020, that it had completed an audit of Capio St. Göran’s Hospital AB assessing its systems for controlling staff access to medical records, and had issued a fine of SEK 30 million (approx. €3 million) for failing to implement sufficient technical and organisational measures.

Datainspektionen found that the healthcare provider had violated Articles 5(1)(f) and 32(1) and (2) of the GDPR by failing to carry out a risk analysis before determining staff permissions to access patients’ records, and by not limiting staff access to the medical records to what was needed.

You can read the decision (only available in Swedish) here.

 

Datainspektionen fines Aleris Närsjukvård SEK 12M for inadequate technical security measures

The Swedish data protection authority announced, on 3 December 2020, that it had completed an audit of Aleris Närsjukvård AB assessing its systems for controlling staff access to medical records, and had issued a fine of SEK 12 million (approx. €1.2 million).

Datainspektionen found that the healthcare provider had violated Articles 5(1)(f) and 32(1) and (2) of the GDPR by failing to carry out a risk analysis before determining staff permissions to access patients’ records, and by not limiting staff access to the medical records to what was needed.

You can read the decision (only available in Swedish) here.