Privacy News 22/01/2021

Jan 25, 2021

European Union

EDPB announces public consultation on guidelines on data breach notification examples

The EDPB announced, on 18 January 2021, that it will launch a public consultation on its Guidelines 01/2021 on Examples regarding Data Breach Notification.

The new guidelines note that the EDPB’s earlier Guidelines on Personal Data Breach Notification under Regulation 2016/679 did not address all practical issues in sufficient detail, so practice-oriented, case-based guidance is needed that draws on the experience gained by supervisory authorities since the GDPR entered into force.

These guidelines aim to help data controllers decide how to handle data breaches and which factors they should consider during risk assessment. They address, among other things, examples relating to ransomware, internal human risk, lost or stolen devices and paper documents, social engineering…

Comments may be submitted from 18 January 2021 until 2 March 2021 at the latest.


EDPB and EDPS publish joint opinion on SCCs, call for clarification

The EDPB published, on 18 January 2021, the EDPB and EDPS joint opinions on the two sets of the European Commission’s draft SCCs: one opinion on the draft SCCs for contracts between controllers and processors, and one opinion on the draft SCCs for the transfer of personal data to third countries.

These annotated versions of each set of the Commission’s draft SCCs contain comments and suggested changes.

You can read the Third Country Transfer SCCs Opinion here with its annex here and the Controller-Processor SCCs Opinion here with its annexes here and here.


Presidency releases revised draft ePrivacy Regulation

The Presidency of the Council of the European Union released, on 5 January 2021, its revised text of the proposed Draft ePrivacy Regulation.

The revised text recalls that the Presidency proposes to simplify the Draft ePrivacy Regulation and to align it further with the GDPR, introducing modifications intended to ensure consistency with the GDPR and legal certainty for users and businesses.

You can read the Draft ePrivacy Regulation here.


National Authorities

BfDI issues statement on EDPB and EDPS joint opinions on Commission’s draft SCCs

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued, on 15 January 2021, a statement on the joint opinions adopted by the EDPB and the EDPS on two sets of the European Commission’s draft SCCs.

The BfDI welcomed the joint opinions, noting that the German position, developed together with its colleagues from the federal states, is reflected in several parts of the joint opinions.

You can read the statement, only available in German, here.


CNIL publishes report on its role and privacy challenges during pandemic

The CNIL published, on 21 January 2021, a report on its activities during the Coronavirus pandemic, specifically the role of the regulator and the challenges for the protection of personal data in such a crisis, in order to better inform professionals and individuals.

The CNIL detailed that its role included working alongside public authorities, participating in public discussion, and carrying out enforcement activities.

The CNIL also stated that the everyday activities which raised personal data challenges in the context of the pandemic included the rapid roll-out of remote working, remote learning, and telemedicine.

You can read the press release here and the report here, both only available in French.


CNIL finds deficiencies with Coronavirus data processing measures and intends to carry out further checks

The CNIL announced, on 21 January 2021, that on 14 January 2021 it had issued a second opinion on the implementation of information systems and data processing operations related to tackling the Coronavirus pandemic.

In particular, the CNIL noted that the opinion was submitted to Parliament and that it covers four data processing operations: the SI-DEP and ContactCovid record systems, the mobile contact-tracing app, and the Covid Vaccine information system.

More specifically, while the CNIL considered that the SI-DEP record system complied with data retention requirements, for the ContactCovid record system it highlighted remaining deficiencies related to user authentication, the transmission of data to unauthorised third parties, and data security and management.

On this basis, the CNIL stated that the ContactCovid record system must be brought into line with the proportionality principle and the retention requirements stipulated in the GDPR.

You can read the press release here and the opinion here, both only available in French.


Fines

UODO fines Medical University of Silesia PLN 25,000 for data breach notification failures

The UODO announced, on 18 January 2021, its decision to fine the Medical University of Silesia PLN 25,000 (approx. €5,520) for failing to notify the UODO and the affected data subjects of a data breach relating to examinations conducted via videoconferences at the end of May 2020.

Because an employee failed to close access to the virtual room in which the exam took place, the recordings of students were available not only to the examiners but also to other people with access to the system, and any third party holding a direct link could access the exam recordings and the data of the examined students presented during identification.

The personal data disclosed included images, identity document numbers, names and surnames, addresses, year of study, group, field of study, information about the subject being examined, and the answers given during the exam.

You can read the press release here and the decision here, both only available in Polish.


AEPD fines Alterna €50,000 for processing personal data without consent

The AEPD issued, on 21 January 2021, a decision in proceeding PS/00232/2020, fining Alterna Operador Integral SL €50,000 for processing personal data without obtaining consent, thus violating Article 6(1) of the GDPR.

The decision highlights that Alterna processed the claimant’s personal data in its own name, as a data controller, and carried out telemarketing activities through its own business networks.

You can read the decision, only available in Spanish, here.