Privacy News 19/03/2021

Mar 22, 2021

 European Union

EDPB publishes 2021-2022 working program

The EDPB published, on 16 March 2021, its working program for 2021 and 2022. It outlined its main priorities for 2021 and 2022, which include the adoption of guidelines and recommendations in relation to facilitated compliance with the GDPR, effective enforcement and cooperation of national supervisory authorities, the adoption of a fundamental rights-based approach to new technologies, as well as the promotion of high standards at an EU and global level for data transfers.



National Authorities


 CNIL updates FAQs on cookies guidelines and recommendations ahead of entry into force

The CNIL released, on 18 March 2021, an updated version of its FAQs on its guidelines and recommendations on cookies and other trackers, which will come in force on 1 April 2021.

The FAQs cover general questions regarding the beginning of CNIL compliance audits from April 2021, scope of application, audience measurement cookies, conditions for obtaining valid consent from users for the use of cookies, and the manner in which users should be able to opt-out from the use of cookies and other trackers.

You can read the CNIL FAQs here, only available in French.



 AEPD fines Vodafone €8.15M for commercial communications failures

The AEPD announced, on 11 March 2021, its decision, in proceeding PS/00059/2020, to fine Vodafone €8.15 million for carrying out marketing and commercial prospecting actions through telephone calls and by sending electronic commercial communications through emails and SMS messages.

The AEPD imposed the following fines on Vodafone:

  • €4 million for violating Article 28 of the GDPR because the data processors used by Vodafone did not provide sufficient guarantees to implement appropriate technical and organisational measures, and there was no prior written authorisation from Vodafone Spain on the technical and organisational measures employed;
  • €2 million for violating Article 44 of the GDPR because Vodafone had approved an international data transfer without taking sufficient measures as required under the GDPR;
  • €150,000 for violating Article 21(1) of Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce because Vodafone had performed marketing actions using random numbers and email addresses of prospects, without cross-referencing with internal lists of individuals who had opted out of receiving direct marketing, as well as the Robinson List;
  • €2 million for violating Article 48(1)(b) of the LOPDGDD because Vodafone continued processing individuals’ personal data through the sending of commercial communications, despite the individuals having objected to such processing.

The decision   also explains that, among the aggravators considered by the AEPD to impose the aforementioned fines, were, the continuous fines Vodafone Spain had received from January 2018 to February 2020, on more than 50 occasions.

You can read the decision, only available in Spanish, here.


 AEPD fines Air Europa €600,000 for GDPR security and notification failures

The AEPD announced, on 17 March 2021, its decision, in proceeding PS/00179/2020, to fine Air Europa Lineas Aereas, SA. €600,000, following a notification of a security breach to the AEPD regarding unauthorised access to contact details and bank accounts, affecting approximately 489,000 individuals and 1,500,000 data records.

The AEPD outlined that it had imposed a fine of €500,000 on Air Europa for violating Article 32(1) of the GDPR because of its failure to have in place appropriate technical and organisational measures to ensure an adequate level of security, and €100,000 for violating Article 33 of the GDPR because it had notified the AEPD of the breach with a delay of 41 days.

You can read the decision, only available in Spanish, here.

 AEPD fines Heredad De Urena €4,000 for privacy and cookie policy failures

The AEPD issued, on 15 March 2021, a resolution in proceedings PS/00375/2020, fining Heredad De Urena, SL €4,000 for violations of Article 13 of the GDPR and Article 22(2) of the LSSI.
The resolution highlights that Heredad violated Article 13 of the GDPR in its failure to have an adequate privacy policy and violated Article 22(2) for failure to have a ‘cookies policy’ on its website.

You can read the resolution, only available in Spanish, here.


 Garante fines Ministry €75,000 for failure to appoint DPO and for unlawful publication of data

The Garante announced, on 11 March 2021, that it had fined the Ministry of Economic Development €75,000 for failing to appoint a DPO as required under the GDPR and for the unlawful publication of the CVs of 5,000 managers.

The Garante noted that MISE had failed to appoint a DPO by the established deadline, as well as that its investigation had shown that a list of managers and their CVs, including personal data, such as names, mobile numbers, and tax codes, had been published on MISE’s website.

For the Garante, there was no adequate legal basis for the online publication of these datas. This dissemination of CVs also constitutes disproportionate processing of personal data.

You can read the decision here, only available in Italian.


 Garante fines INPS €300,000 for unlawful data processing when handing COVID-19 bonuses

The Garante announced, on 9 March 2021, that they had fined the National Institute of Social Security €300,000 for not complying with data protection principles in the context of handing out COVID-19 bonuses.

The Garante noted that it had launched an investigation on the INPS’s processing of data of persons holding political positions and had found that the processing did not comply with Privacy by Design and by Default, and accountability under the GDPR.

The Garante  also highlighted that the INPS had processed and cross-referenced data of those who held political positions and those who had requested the COVID-19 bonus without ensuring the lawfulness and transparency of the processing, and the correctness of the data.

In light of the sensitive nature of the data processed, the INPS had failed to conduct a DPIA with respect to the rights and freedoms of the data subjects.

You can read the decision here, only available in Italian.