Privacy News 26/03/2021

Mar 29, 2021

 European Union

Parliament calls for improved implementation and enforcement of the GDPR

The European Parliament issued, on 25 March 2021, a statement calling for improved implementation and enforcement of the GDPR.

The Parliament noted that implementing and effectively enforcing the GDPR is key but this can only be done if supervisory authorities are provided with sufficient funding.

MEPs are concerned that many supervisory authorities across the EU lack sufficient human, technical and financial resources to perform their tasks and that they have to deal with an increasing number of complex cases.

You can read the press release here.


EU Justice Commissioner and US Secretary of Commerce intensify negotiations for enhanced Privacy Shield

The EU Commissioner of Justice, Didier Reynders, alongside the U.S. Secretary of Commerce, Gina Raimondo, issued, on 25 March 2021, a joint statement noting that the US Government and the European Commission have decided to intensify negotiations on an enhanced EU-US Privacy Shield framework to comply with  the Schrems II Case.

Discussions on a potential enhanced EU-U.S. Privacy Shield framework for complying with the Schrems II Case commenced in August 2020.

You can read the Commission’s press release here and the Secretary of Commerce’s press release here.


National Authorities

 CNIL launches standard on medico-social care of vulnerable individuals

The CNIL announced, on 24 March 2021, that it had adopted, its standard on the processing of personal data related to providing social welfare/ medico-welfare support to vulnerable individuals, following its public consultation.

The standard addressed public and private organisations involved in the reception, housing or support of vulnerable individuals.

The standard concerns the application of data protection requirements to the social welfare/ medico-welfare sector, such as support and management.
However, it does not apply to specific processing activities, such as the processing of personal data regarding the protection of children, as a dedicated standard is presently being drafted, and processing of personal data carried out by legal representatives for protected persons, which will also be the subject of its own standard.

In response to feedback from the public consultation, the CNIL had added further provisions regarding, the legal bases which can be used, types of personal data which might be collected, retention periods, recipients of relevant personal data, and information to be provided to data subjects regarding their rights.

In addition, CNIL also published FAQs on its website.

You can read the standard here and the FAQs here, both only available in French.


 DPA publishes a data protection toolkit

The DPA recently published on its website, new compliance tools for data controllers, data processors, DPOs and SMEs. These tools include among other things, a simplified data treatment register for controllers and subcontractors, a roadmap for federal agencies’data exchanges and a personal data communication protocol template

You can access these resources, here, only available in French.



 AGCM fines Telepass Group €2M for misleading consumers and unlawful data processing

The Italian Competition Authority announced, on 18 March 2021, that it had fined Telepass SpA and Telepass Broker SpA €2 million for misleading consumer practices through its app, as well as for unlawful data processing.

The AGCM noted that the Telepass Group had, in the context of offering auto insurance policies through its app, shared users’ information with insurance companies and intermediaries without adequately informing them about the collection of their data and the types of data processing involved.

The AGCM highlighted that the Telepass Group’s consumers had not received adequate information on the intermediaries and the insurance policy providers and were, thus, unable to make an informed choice.

You can read the decision here, only available in Italian.


 Datatilsynet fines Dragefossen NOK 150,000 for unlawful CCTV and online broadcasting

Datatilsynet announced, on 25 March 2021, that it had fined Dragefossen  NOK 150,000 (approx. €15,000) for CCTV and broadcasting CCTV footage live without an appropriate legal basis for such processing.

Datatilsynet noted that the area captured by the footage covered, among others, a public road, a parking lot and a local bank, as well as that the cars and their drivers were identifiable by those who watched the live broadcast.

For Datatilsynet, the CCTV was unlawful, as it occurred without an adequate legal basis, and that it had led to the systematic monitoring of staff, including activities where there was no expectation of monitoring or live broadcasting.

Dragefossen has three weeks to appeal the decision.

You can read the decision here, only available in Norwegian.



IAB Europe publish a guide on LIA (Legitimate Interests Assessments)

You can read the guide here.