Privacy News 27/11/2020

Nov 30, 2020

 European Union

Commission presents new regulation on data governance

The European Commission announced on November 25, 2020 that it had presented a new regulation on data governance.

In particular, the Commission underlined that the regulation will facilitate the sharing of data in the EU and between sectors in order to create wealth for society, increase control and confidence of citizens and businesses in their data, and to offer an alternative European model to the data processing practices of major technological platforms.

This regulation will be the basis for a new European model of data governance in line with EU values ​​and principles, such as GDPR, consumer protection and competition rules.

You can access the press release here.


European Parliament approves directive on consumer group actions

The European Parliament announced on November 24, 2020 that it had approved the directive on group actions for the protection of the collective interests of consumers.

This directive aims to set up a system of group actions for the protection of the collective interests of consumers against infringements of Community law in all the Member States.

It will apply to class actions brought against professionals for violation of provisions of Community law, such as the GDPR and the Directive on privacy and electronic communications (2002/58 / EC).

The directive will enter into force 20 days after its publication in the Official Journal of the EU, Member States will then have 24 months to transpose it into their national law, and an additional six months to apply it.

You can access the press release here.


National Authorities

 Exercise of rights via a mandate: CNIL launches a public consultation on its draft recommendation

Press release: 

“By means of a mandate, a person can designate a company so that it can exercise its rights in its place. In order to clarify the applicable framework, the CNIL is proposing a public consultation on a draft recommendation. “

You can access the press release, in French, here.



 APD imposes a fine of € 1,500 on a couple for illegitimate processing of video surveillance images

A couple of individuals had installed a video surveillance system made up of 5 cameras on their property. Their neighbors have complained to the DPA because some of these cameras were filming part of the public road and their property.

For the DPA, 2 of the 5 surveillance cameras installed by the defendants filmed the public highway and the property of the plaintiffs without any valid legal basis. The defendants’ legitimate interest in protecting their property did not justify filming the public highway and the property of others.

The APD recalls on the occasion of this decision that:

  • it is the person who decides to install and use surveillance cameras who is responsible for their correct placement and not the company involved.

The authority also considered as illegitimate, the transfer of images obtained via this video surveillance to an expert in the context of a dispute. Indeed, the law provides for the possibility of transferring images to police services or judicial authorities, but the expert in question is not part of either.

You can access the decision, in Dutch, here.


 CNIL imposes a fine of 2 250 000 € on the company Carrefour France and 800 000 € on the company Carrefour Banque

 The CNIL has just announced its decision to sanction the company CARREFOUR FRANCE (distribution) with a fine of 2,250,000 euros and CARREFOUR BANQUE (banking sector) with a fine of 800,000 euros for several breaches of the GDPR related to:

– its obligation to inform data subjects (article 13 GDPR);

– cookies (article 82 of the  French Data Protection Act);

– its obligation to limit the retention period of data (article 5 (1) e) GDPR);

– its obligation to facilitate the exercise of rights (article 12 GDPR);

– failure to respect the rights of the persons concerned (articles 15, 17 and 21 of the GDPR and L34-5 of the Postal and Electronic Communications Code);

– its obligation to process personal data in compliance with the principles of legality, fairness and transparency (article 5 GDPR).

You can access the decision against Carrefour France, here and the decision against Carrefour Banque, here, both only available in French.


 AEPD imposes a fine of 40,000 euros on Miraclia for unlawful processing of personal data

 AEPD published, on November 25, 2020, a resolution in the PS / 00416/2019 procedure, condemning Miraclia Telecomunicaciones SL to a fine of 40,000 euros for violation of articles 6, 13 and 14 of the GDPR.

The complainant claimed that his personal data had been used without his consent as part of a phone prank via the Miraclia app , which allows users to prank third parties.

Miraclia did not, at any time, obtain the consent of the interested party to the processing of his personal data and to the recording of the telephone joke.

The processing of personal data was therefore illegal.

You can access the decision, in Spanish, here.


 Covid-19 – AP notes violations of the GDPR related to body temperature checks of employees

 AP announced on November 26, 2020 that it had investigated two large companies that had implemented body temperature checks on their employees during the coronavirus pandemic. On this occasion, it found that these companies had violated the GDPR.

The AP noted in particular that the two companies questioned had processed data relating to the health of their employees in direct violation of the GDPR.

For the AP, although the explicit consent of the person concerned is likely in some cases to allow the processing of sensitive data, this legal basis is inadequate in the context of employment.

You can access the press release, in Dutch, here


 ANSPDCP fines Vodafone Romania 4,000 euros for failure to respond to access and erasure requests

 The Romanian Data Protection Authority announced, on 23 November 2020, its decision to impose a fine of 4,000 euros on Vodafone Romania SA for failure to respond to requests for the exercise of justified access and erasure rights. on Articles 12, 15 and 17 of the GDPR.

Nor did Vodafone prove during the investigation that these requests had been dealt with.

You can access the decision, in Romanian, here