Privacy News 23/04/2021

Apr 26, 2021

European Union

EDPS publishes Annual Report 2020

The EDPS published, on 19 April 2021, its Annual Report 2020 providing an insight into all EDPS activities in 2020. The report presents how the EDPS continued to fulfil its role as the data protection authority for EU institutions, agencies, and bodies in the context of the COVID-19 pandemic. It also acknowledges the particular challenge and responsibility posed by the pandemic to data protection authorities, and notes that the EDPS established an internal COVID-19 taskforce composed of members of all the EDPS’ units and sectors to coordinate and undertake actions related to the interplay between privacy and the pandemic.

In 2020, the EDPS also demonstrated its commitment to ensuring that EUIs comply with the Court of Justice of the European Union’s judgment C-311/18 (Schrems II) by publishing its own strategic document. Protecting the data of EU citizens when processed in non-EU countries will remain a top priority for the EDPS in 2021.

Despite the pandemic, the EDPS issued a record number of legislative opinions and comments as a trusted advisor to the European Commission, the Council, and the European Parliament, with examples including the opinions on the European strategy for data and on artificial intelligence.

You can read the press release here.


EDPB publishes final version of guidelines on targeting of social media users

The European Data Protection Board published, on 22 April 2021, the final version of its guidelines on the targeting of social media users. The guidelines aim to clarify the roles and responsibilities of social media providers and targeters. As such, they outline the potential risks to the rights and freedoms of individuals posed by the processing of personal data and identify the main actors and their roles.

Furthermore, the guidelines seek to address the application of key data protection requirements, including lawfulness, transparency, and DPIAs.

You can read the guidelines here.


MEPs call for clear guidelines on data transfers

The European Parliament issued, on 20 April 2021, a press release highlighting that the Civil Liberties Committee has adopted a draft report urging the European Commission to issue detailed guidelines on making data transfers compliant with recent EU Court of Justice rulings.

For the MEPs, the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings. They also urge the Commission to assess the impact of the Court’s rulings on current data transfers to the US.

The press release also noted that MEPs have called on the Commission to launch infringement procedures against Ireland for failing to enforce the GDPR effectively.

Lastly, the press release highlights that the draft report criticises the enforcement of the GDPR by national authorities, who MEPs consider to have overlooked international data transfers and failed to take meaningful corrective decisions.

You can read the press release here.


National Authorities

CNPD releases guidelines on geolocation tracking of employee vehicles

The CNPD released, on 15 April 2021, guidelines regarding systems allowing employers to track the location of vehicles used by employees. The guidelines underline that such systems are increasingly utilised on a wider scale and that they inherently require processing of personal data, and as such pose risks to the protection of the personal data and privacy of employees.

For the CNPD, tracking the geolocation of employees in such a manner raises concerns as to whether they might be continuously monitored outside of working hours, or whether the system might be used for purposes beyond those for which it was implemented.

In its guidelines, the CNPD recalls the applicability of the principles of lawful processing, transparency, necessity and proportionality as part of data minimisation, and purpose limitation.

The implementation of a system of geolocation tracking also requires a DPIA to be carried out.

You can read the guidelines, only available in French, here.



AEPD fines Xfera Móviles €150,000 for direct marketing violations

The AEPD released, on 9 March 2021, its decision in proceeding PS/00448/2020, in which it fined Xfera Móviles S.A. €150,000 for sending unwanted marketing messages, some of which included information related to third parties.

In particular, the AEPD highlighted that although the complainant had exercised their right to object to the use of their personal data for direct marketing purposes, Xfera Móviles had continued to send SMS marketing messages.

Furthermore, the AEPD found that Xfera Móviles had continued to send SMS messages despite being notified by the complainant that they had been receiving a large number of SMS messages which contained confidential information about third parties, including bank account details.

For the AEPD, Xfera Móviles had violated Articles 17, 32, and 5(1)(f) of the GDPR and Article 21 of the Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce.

You can read the decision, only available in Spanish, here.