European Union
EDPB adopts final version of recommendations on supplementary measures
The EDPB announced, on 21 June 2021, that it had adopted, on 18 June 2021, the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The recommendations, which were first adopted in November 2020, following the CJEU judgment in the Schrems II Case, aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where needed, to ensure an essentially equivalent level of protection to data transferred to third countries.
You can read the press release here and the recommendations here.
National Authorities
Ireland: DPC publishes guidance on the collection of personal data prior to viewing a property
The DPC announced, on 22 June 2021, that it had released guidance on the Collection of Personal Data Prior to Viewing a Property.
The guidance notes that property companies requesting any form of personal data from prospective clients for purposes such as arranging a viewing, entering into a letting agreement or closing a sale become data controllers under the GDPR.
Furthermore, the guidance highlights that the GDPR and the Data Protection Act 2018 place obligations on data controllers to ensure they comply with all of the principles of data protection law.
The guidance also outlines some of the key issues that arise in the context of estate agents collecting personal data for the purpose of arranging viewings of a property.
You can read the guidance here.
France: CNIL publishes proposed methodology for assessing third-country data transfers
The CNIL published, on 23 June 2021, a proposed methodology for identifying and processing data transfers outside the EU, and in particular to the US, to aid organisations in carrying out third country assessments, as required by the judgment of the CJEU in the Schrems II Case.
The proposed methodology aims to complement and clarify, from an operational point of view, the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. It may be used to precisely identify third-country transfers, by means of a technical and legal inventory, and to implement an action plan adapted to the specific organisation.
Identifying transfers
As a first step, CNIL recommends making an inventory of the transfers of personal data linked to digital tools, noting that an inventory should make it possible to highlight any transfers of data outside the EU carried out as part of business activities and support functions.
The key business functions involved in this exercise are the organisation’s DPO, information systems department, the purchasing department, the operational managers of the various services, and any digital service providers, to specify the scope of any transfers.
CNIL also recommends identifying all digital tools used by the organisation, as well as all vendor contracts, and using the inventory of both these technical and legal elements to complete a summary document listing the flows outside the EU of personal data implemented within the framework of the activities.
Defining an action plan
As a second step, CNIL recommends creating an action plan.
CNIL recommends carrying out risk assessments with respect to personal data flows, in addition to assessing whether the transfers have a legal basis, and possible solutions following such analysis.
According to the CNIL, it will be necessary to identify the supervision of transfers and the transfer tools put in place and to assess the effectiveness of the tool used in relation to the legislation of the country to which the data is being transferred, emphasising that in the event that the effectiveness of the tool is likely to be reduced due to the application of the legislation of the third country, the implementation of additional measures will be required.
Further to the above, CNIL highlighted the following possible outcomes to the third-country assessment:
- Continue data transfers outside the EU.
- Continue transfers outside the EU by defining new guarantees, such as:
  - additional technical measures;
  - additional contractual measures such as the addition of clauses approved by the EDPB in contracts; and
  - additional organisational measures such as organisational awareness and internal documentation.
- End transfers without a legal basis and redefine the data management policy.
You can read the proposed methodology here, only available in French.
Fines
Italy: Garante fines Iren €3M for telemarketing based on invalid third-party consent
The Garante announced, on 22 June 2021, that it had issued a decision to fine Iren Mercato SpA, a company operating in the energy sector, €3 million for carrying out telemarketing activities without valid consent in violation of Articles 5(1) and (2), 6(1) and 7(1) of the GDPR.
Following various complaints and reports, the Garante had found that the personal data that Iren processed for its telemarketing activities had been obtained indirectly from a third-party source, Nethex Digital Marketing Srl, which in turn had acquired the data, as an independent data controller, from two additional companies.
These two latter companies had obtained the necessary consent from their customers for the telemarketing activities carried out by both themselves and by third parties, including Nethex, but this consent did not extend to the transfer of customer data from Nethex to Iren.
Therefore, the Garante found that Iren, having failed to verify that all its telemarketing activities were based on free, specific, and informed consent, was in breach of the principles of lawfulness, transparency and accountability.
You can read the Garante’s newsletter here and the decision here, both only available in Italian.
Luxembourg: CNPD imposes €18,000 fine on company for DPO violations
The CNPD announced, on 7 June 2021, that it had imposed, on 31 May 2021, an €18,000 fine against a company for violations of Articles 38(1), 38(2), and 39(1)(a) of the GDPR.
Following an investigative audit into the company, the CNPD found that the company had breached the obligation to involve the DPO in all matters relating to the protection of personal data. For the CNPD, the DPO’s level of involvement at an operational level was insufficient.
Furthermore, the CNPD observed that the company failed to provide the necessary resources to the DPO, particularly at local level.
The DPO was also not sufficiently involved in informing and advising on obligations under the GDPR and other EU law (lack of direct reporting from the DPO to the company).
You can read the press release here, and the deliberation here, both only available in French.