Privacy News 16/04/2021

Apr 19, 2021

 European Union

EDPB launches consultation on guidance on certification criteria assessment

The EDPB launched, on 14 April 2021, a public consultation on the guidance on certification criteria assessment.

For the EDPB, this guidance should be read in line with the Guidelines 1/2018 on certification and identifying certification criteria according to Articles 42 and 43 of the Regulation and Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR.

The new guidance aims to refine parts of the Guidelines 1/2018 in order to assist stakeholders involved in the drafting of certification criteria in the context of certification; and supervisory authorities to provide consistent evaluations in the context of certification criteria approval (for both national schemes and EU data protection seals).

It also outlines a non-exhaustive list of recommendations and states that the assessment of certification criteria will be carried out on a case-by-case basis.

Comments can be submitted via the online form by 26 May 2021.

You can read the press release here and the guidance here.


EDPB welcomes with vigilance UK adequacy finding

The EDPB released, on 15 April 2021, its opinions on the European Commission’s draft decision that the UK ensures an adequate level of protection for personal data.

For the EDPB, the UK’s adequacy assessment is unique given it was an EU Member State until recently and therefore acknowledges there are many areas of convergence between the UK and EU regimes. However, a number of “challenges” still remain.

You can read the Opinion 14/2021 here, and Opinion 15/2021 here.


National Authorities

 DPC launches inquiry into Facebook following publication of dataset online

The DPC announced, on 14 April 2021, that it had launched an inquiry pursuant to Section 110 of the Data Protection Act 2018 into Facebook Ireland, following the availability of a dataset online.  For the DPC, having considered the information provided by Facebook Ireland, provisions of the GDPR may have been or are being infringed.

You can read the press release here.


 HmbBfDI initiates urgent proceedings against Facebook following WhatsApp’s privacy policy updates

The Hamburg Commissioner for Data Protection and Freedom of Information announced, on 13 April 2021, that it had brought urgent proceedings against Facebook Ireland Ltd., on the basis of Article 66 of the GDPR, following the recent updates to WhatsApp’s privacy policy.

A decision should be taken before 15 May 2021.

You can read the press release, only available in German, here.



 AEPD fines Vodafone Spain €150,000 for unlawful data processing

The AEPD issued, on 13 April 2021, a decision in proceeding PS/00085/2021, fining Vodafone España, S.A.U €150,000 for sending SMS with invoices to the claimant, despite the termination of their contractual relationship.

As the claimant had, in the past, requested the deletion of their personal data upon termination of their telephone contract, by continuing to process the individual’s personal data without a legitimate purpose, Vodafone violated Article 6(1) of the GDPR.

You can read the decision, only available in Spanish, here.