Privacy News 22/10/2021

Oct 25, 2021

European Union

EDPB adopts Guidelines on Restrictions of data subject rights under Article 23 of the GDPR

The EDPB published, on 19 October 2021, the final version of the Guidelines 10/2020 on Restrictions under Article 23 GDPR, adopted on 13 October 2021.

The Guidelines aim to recall the conditions surrounding the use of such restrictions by EU Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR. They provide an analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Article 23 of the GDPR.

You can read the press release here and the Guidelines here.


National Authorities

Garante publishes guide on setting secure passwords

The Garante announced, on 20 October 2021, the publication of a guide on creating and managing secure passwords for digital devices and services.

The guide outlines, among other things, how to choose a good password, how to manage all those that are part of daily life and how to keep them safe from malicious attacks.

You can read the announcement here and the guide here, both only available in Italian.


CNPD releases annual activity report for 2020

The CNPD released, on 19 October 2021, its annual activity report for 2020.

The CNPD highlighted the following key statistics for 2020, noting that it had:

  • received 655 requests for information in writing;
  • submitted 24 opinions on draft laws or Grand-Ducal regulations, principally pertaining to anti-money laundering and countering the financing of terrorism, video surveillance for the purposes of police activities, and the creation of a National Security Authority;
  • received 485 complaints from individuals regarding a violation of data protection legislation or of their data subject rights, with 26% of requests constituting requests for erasure or rectification;
  • received 379 data breach notifications; and
  • conducted eight on-site investigations.

You can read the press release here and the report here, both only available in French.


DPC fines Twitter €450,000 for issues surrounding data breach notification

The DPC announced, on 18 October 2021, that it had issued a decision to fine Twitter International Company €450,000 for failure to notify a personal data breach on time to the DPC and failure to adequately document the breach in violation of Articles 33(1) and 33(5) of the GDPR.

The decision relates to a personal data breach notification made to the DPC, on 8 January 2019, following a breach which occurred at Twitter International’s processor, Twitter Inc., whereby a bug had caused the accounts of Twitter users to become unprotected.

You can read the press release here.