European Union

Parliament adopts resolutions on data transfers following Schrems II ruling

The LIBE Committee of the European Parliament announced, on 20 May 2021, that the European Parliament had adopted, with 541 in favour, 1 against and 151 abstaining, a resolution urging the European Commission to issue guidelines on making data transfers compliant with the CJEU Schrems II decision.

The resolution welcomes the EDPB 01/2020 recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and the EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries and calls on the Commission to fully integrate these in its proposals, alongside relevant EU court judgments.

In this regard, the LIBE Committee outlined that once this is achieved businesses and individuals should have at their disposal a toolbox of measures to bring protection up to the level required by the GDPR.

Furthermore, the resolution emphasises that the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings and ensuring full GDPR compliance.

Moreover, the resolution expresses disappointment with the Irish DPC and its decision to initiate the Schrems court case instead of independently triggering enforcement procedures based on GDPR rules, while also criticising the DPC’s long processing times.

Further to this, the resolution calls on the Commission to launch infringement procedures against Ireland for failing to effectively enforce the GDPR, and asks that national authorities across Europe halt transfers of data that could be accessed in bulk in the US if the Commission reaches an adequacy decision regarding that country.

More broadly, the resolution criticises national authorities in the EU for failing to enforce the GDPR properly, outlining that MEPs consider them to have overlooked international data transfers and failed to take meaningful corrective decisions.

You can read the press release here.

  National Authorities

Italy: Garante adopts code of conduct on commercial information

The Garante announced, on 17 May 2021, that it had approved the final version of the Code of Conduct on Commercial Information, drawn up by the National Association of Commercial Information and Credit Management Companies.

The Garante outlined that the code provides for a framework of rules on the processing of commercial information, compliance with which will be monitored by a monitoring body external to ANCIC.

Under the ANCIC code, companies which offer information on the commercial reliability of entrepreneurs and managers will be able to process the personal data of surveyed subjects without requesting their consent, based on their legitimate interests. However, the Garante noted that they will have to guarantee greater protection to the interested parties, informing them correctly on the processing operations carried out and comprehensively facilitating the exercise of data subject rights, such as the rights to object, to rectify and to update their personal data.

In addition, the Garante noted that the code will enter into effect following its publication in the Official Gazette.

You can read the press release here and the code here, both only available in Italian.

France: CNIL publishes 2020 annual report

The CNIL published, on 18 May 2021, its 2020 annual activity report, reviewing the highlights and key figures from CNIL’s supervisory activities from the past year. In particular, the report highlights that data protection regulation in the context of COVID-19 was a key priority for CNIL in 2020, having consulted and advised on a number of issues, including the use of remote communication technologies and surveillance devices to try to slow the epidemic, and public initiatives, to help ensure that the implementation of health information systems are respectful of data subject rights.

Furthermore, the report reviews CNIL’s activities with respect to cookie regulation, noting the entry into effect of its updated guidelines and final recommendations on cookies and other trackers, and outlining that it is now actively monitoring compliance with the same.

In addition, the reports reveals that CNIL received 13,585 complaints in 2020, marking a 62.5% increase since the implementation of the GDPR, and 2,825 personal data breach notifications, 24% more than in 2019, with a particularly notable increase in breaches caused by ransomware attacks, which made up more than 500 of such breaches.

In terms of sanctions, CNIL revealed that it had imposed a total of 11 fines in 2020 totalling approximately €138.5 million, noting that its sanctions related to a wide variety of players and sectors and that the most prevalent violations were of rules relating to data security, and providing information and obtaining consent from individuals, in particular concerning the use of cookies.

You can read the annual report here, only available in French.

Spain: AEPD publishes guide on data protection and employment relationships

The AEPD published, on 18 May 2021, a guide to facilitate compliance with data protection regulations in the context of employment relationships.

The guide outlines the appropriate legal basis that could apply to the processing of personal data in the employment context, namely processing necessary for the performance of a contract and legal obligation, found under Articles 6(1)(b) and 6(1)(c) of the GDPR, respectively.

In addition, the guide sets out the data protection-related obligations of employers, including complying with the data minimisation principle, as well as the rights of employees, including access, rectification, and erasure of their personal data.

The guide also outlines, among other things, that automated decisions regarding the promotion, renewal, or termination of an employee’s contract are allowed, highlighting, however, that a DPIA should be carry out prior to the design and implementation of algorithms, and that employees may be required to carry identification cards, highlighting that information on the same should be kept at a minimum.

Other areas discussed within the guide include the protection of victims of gender violence, geolocation, conducting periodic surveillance of the health status of employees, and video surveillance.

You can read the press release here and the guide here, both only available in Spanish.

Germany: Bundestag passes draft law to strengthen powers of BfDI

The Bundestag passed, on 18 May 2021, a draft law to strengthen the powers of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) outside the scope of the GDPR.

You can read the draft law, only available in German, here.

Belgium: DPA approves EU Cloud Code of Conduct, the first transnational EU code of conduct

The Belgian DPA announced, on 20 May 2021, that it had approved the EU Cloud Code of Conduct, which constitutes the first transnational code of conduct to be adopted with the EU since the entry into force of the GDPR, following approval from the EDPB of the same.

The EU Cloud Code of Conduct aims to establish good data protection practices for cloud services providers and will contribute to a better protection of personal data processed in the cloud in Europe.

SCOPE Europe has been accreditated as the monitoring body for the code.

You can read the press release here and the SCOPE Europe accreditation decision here.