Privacy News 13/11/2020

Nov 16, 2020

 European Union

The European Commission publishes its updated Standard Contractual Clauses

On November 12, 2020, the European Commission launched a public consultation on its project on standard contractual clauses for the transfer of personal data to third countries and its annex.

The CSCs listed in the annex are considered to offer appropriate guarantees within the meaning of Article 46 (1) and (2) (c) of the GDPR.

The standard contractual clauses now cover all scenarios ((DC / DC; DC / DP; DP/ DP; DP / DC)

You can read the published documents here


EDPB adopts surveillance and supplementary transfer recommendations following Schrems II

 You can read the Supplementary Transfer Measures Recommendations here and the Surveillance Recommendations here.


The European Data Protection Board makes its first decision under the one-stop-shop mechanism (article 65 of the GDPR)

As part of the “one-stop-shop” mechanism, the Irish DPC, as the ” lead ” authority, proposed a financial sanction against Twitter International Group. This sanction proposal had been submitted to the other DPAs concerned. They formulated “relevant and reasoned” objections, in particular on the quality of Twitter International Group as a data controller and on the amount of the sanction.     

The Irish DPC rejected these objections and seized the European Data Protection Board in accordance with Article 60 (4) of the GDPR, thus initiating the dispute resolution procedure.

On November 9, 2020, the European Data Protection Committee adopted its binding decision and will soon notify it to the Irish authority, which will be required to respect it in its final decision.

You can read the press release here


CJEU issues judgment in Orange România case, addresses consent under GDPR

 The Court of Justice of the European Union (‘CJEU’) issued, on 11 November 2020, its judgment in Orange România SA v. ANSPDCP

The judgment addresses a dispute between a telecommunication services provider and the Romanian National Supervisory Authority for Personal Data Processing as to the obligations of the provider in the context of contractual negotiations with a customer when it comes to copying and storing a copy of the customer’s identity document.

The CJEU declared that a contract for the provision of telecommunications services containing a clause stating that the customer has consented to the collection and storage of his/her identity document cannot demonstrate that customer has validly given his/her consent where the box referring to that clause has been ticked by the data controller before the contract was signed.

Consent is in the same way not validly collected when the customer is misled as to the possibility of terminating the contract if he refuses to consent to the processing of his data, or when the freedom to choose to object to that collection and storage is affected by the requirement to complete an additional form setting out that refusal.

Consent under the GDPR is not validly given in the case of silence, pre-ticked boxes, or inactivity, as well as if the data subject’s consent is given in the context of a written declaration which also concerns other matters, that declaration must be presented in an intelligible and easily accessible form, using clear and plain language.

You can read the press release here and the judgment here.


National Authorities

 Germany: LfDI publishes a checklist on data transfers to third countries post Schrems II

In addition to the publications of the EDPB, the data protection authority of Rhineland-Palatinate published, on November 10, 2020, its checklist for carrying out data transfers to third countries, in accordance with the GDPR.

This checklist emphasizes in particular that organizations must: 

  • Analyze the various processes in order to determine whether data is transmitted to third countries;
  • Check whether the third country has an adequacy decision or whether there are appropriate guarantees in accordance with Article 46 of the GDPR;
  • Check whether the third country has a level of data protection equivalent to that of the EU or whether additional technical, organizational or legal measures can be implemented to guarantee an equivalent level of data protection.

 You can read the checklist, in German, here



  AEPD fines Miguel Ibanez Bezanilla 3,000 euros for illegal cookie practices and lack of security measures

The AEPD published, on November 10, 2020, a resolution in the PS / 00185/2020 procedure, condemning Miguel Ibanez Bezanilla SL to a fine of 3,000 euros for illegal practices in terms of cookies and lack of security measures.

Following an individual complaint, the AEPD noted a number of shortcomings:

  • Regarding the website’s security policy, it collected users’ personal data using an “http” protocol without having the minimum level of security required.
  • Regarding the privacy policy, this referred to the old data protection law, and had not been adapted to the regulations in force.
  • Regarding cookies, the website did not have a first layer or banner providing information about cookies. The legal notices of the website, presented generic information on cookies but no indication was provided on the retention period of cookies and third-party cookies.
  • The website legal notices did not provide for the possibility of rejecting all cookies.

As a result, the AEPD found a violation of Articles 13 and 32 of the GDPR, as well as Article 22, paragraph 2, of Law No. 34/2002, of July 11, 2002, on the services of the company of information and electronic commerce.

You can read the decision, in Spanish, here

  AEPD fines Vodafone €30,000 for inadequate precautions in processing third party and client data

The AEPD announced, on November 3, 2020, its decision, in procedure PS / 00341/2020, to impose a fine of 30,000 euros on Vodafone España, SAU following a complaint that Vodafone had dealt with personal data of the applicant for a service contract with a third party, without his consent.

Vodafone España, SAU also failed to take the necessary precautions to verify the authenticity of the third party in question.

You can read the decision, in Spanish, here. 


  AEPD fines Xfera Móviles 20,000 euros for lack of cooperation

The AEPD announced, on November 6, 2020, its resolution, in procedure PS / 00365/2019, to impose a fine of 20,000 euros on Xfera Móviles , SA for violation of article 31 of the GDPR.

Xfera Móviles did not cooperate with the AEPD in an investigation into the alleged violations of Article 6 (b) and (f) of the GDPR.

These violations were not observed by the AEPD. However, Xfera Móviles had not responded to its request for information, nor provided any documents to certify that it had processed the applicant’s data as part of their contractual relationship.

You can read the decision, in Spanish, here.