Privacy News 20/11/2020

Nov 24, 2020

The annual AFCDP university will be held in all-digital form on Tuesday, January 26, 2021.

More infos to come.

National Authorities

 APD makes new tools available for DPOs

The APD recently published new tools for DPOs on its website.

It provides them with

  • a 13-step plan to help organizations assess their current data protection policy and adapt it to GDPR requirements;
  • a model of the processing register;
  • a 7-step plan for schools on how to process personal data;
  • some templates of demand for advice / information request to the DPO.
  • a PowerPoint presentation of the principles and challenges of the GDPR.

You can access the toolbox, in French, here.


 Spain: AEPD issues guidance on technologies and data protection for public administration

The AEPD published guidance on technologies and data protection for public administrations.

The document analyzes the technologies used by the administrations and highlights the important aspects in terms of data protection as well as the associated potential risks.

You can read the press release here and the guidance here, both only available in Spanish.



 ICO fines Ticketmaster £ 1.25million for failing to protect 9.4million customers’ payment details

On November 13, 2020, the ICO announced that it had fined Ticketmaster UK Limited £ 1.25 million for failing to secure its customers’ personal data and for failing to implement security measures appropriate to prevent a cyberattack on the chatbot provided by Inbenta Technologies for its online payment page.

This cyberattack potentially affected 9.4 million EEA customers between February 2018 and June 23, 2018.

These data breaches included personal data such as names, payment card numbers, usernames and passwords of data subjects to access Ticketmaster, expiration dates and verification value numbers (CVV).

For ICO, these breaches constitute a serious breach of the GDPR and the payment card industry data security standard (PCI-DSS).

You can read the press release here.


 Garante fines Vodafone 12.2 million euros for unlawful telemarketing activities

The Garante announced, on November 16, 2020, that it had imposed a fine of 12.2 million euros on Vodafone Italia SpA . for unlawful telemarketing activities.

The investigation into the telemarketing practices of Vodafone and its sales network was initiated due to hundreds of complaints about unsolicited marketing calls.

This investigation revealed serious violations in terms of consent collection, accountability and Privacy by Design.

Vodafone used fictitious telephone numbers which were not entered in the register of communications operators in order to carry out telemarketing activities.

Vodafone had received marketing lists from business partners without the free, informed and specific consent of those affected.

Vodafone had adopted inadequate security measures with regard to the systems for managing the personal data of prospects and customers: Vodafone employees asked people to send identity documents via Whatsapp , with the potential aim of carrying out business spamming, phishing or other illegal activities.

For the Guarantor, Vodafone’s behavior constitutes a violation of Articles 5 (1) and (2), 6 (1), 7, 15 (1), 16, 21, 24, 25 (1), 32, and 33 of GDPR.

You can read the decision, in Italian, here


 AEPD imposes a fine of € 50,000 on Conseguridad for failure to appoint a DPO

 Conseguridad SL (a private security company) had set up a video surveillance system recording anyone entering and working on its premises.

However, the company had not appointed a DPO: none of the rights enshrined in the GDPR could therefore be exercised.

For the AEPD, this is a violation of articles 37 , paragraph 1, point b), of the GDPR and of articles 34, paragraph 1, paragraph ñ, and 34, paragraph 3 of the LOPDGDD

You can read the decision (in Spanish)  here