European Union
EDPS launches two investigations following Schrems II judgment
The EDPS announced, on 27 May 2021, that it had launched two investigations, one regarding the use of cloud services provided by Amazon Web Services and Microsoft under the Cloud II contracts by EU institutions and one regarding the use of Microsoft Office 365 by the European Commission, following the Schrems II decision.
These investigations are part of the EDPS’ strategy for EU institutions to comply with the Schrems II judgment so that ongoing and future international transfers are carried out according to EU data protection law.
The objective of the first investigation is to assess EUIs’ compliance with the Schrems II judgment when using cloud services provided by Amazon Web Services and Microsoft, where data is transferred to non-EU countries, in particular to the US.
The objective of the second investigation into the use of Microsoft Office 365 is to verify the European Commission’s compliance with the recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EUIs.
You can read the press release here.
National Authorities
Spain: AEPD publishes guide on notifying personal data breaches
The AEPD published, on 24 May 2021, a guide on notifying personal data breaches.
According to the AEPD, almost 700 data breaches have been reported in the first five months of 2021, the majority of which were the result of ransomware attacks.
The guidance aims to assist organisations responsible for processing personal data with the obligation to notify data breaches to the AEPD and to the individuals whose data has been affected.
Moreover, the guidance seeks to facilitate the effective protection of the rights and freedoms of individuals, a more resilient work environment, and legal certainty.
You can read the press release here and read the guidance here, both only available in Spanish.
Italy: Garante issues guidelines and FAQs on DPOs
The Garante issued, on 24 May 2021, guidelines on the designation, role, and duties of DPOs in the public sector, while also updating its FAQs on DPOs in the private sector.
The guidelines explore a number of key issues related to DPOs, including their role and responsibilities in the public sphere, the qualifications and professional experience they should possess, the circumstances in which the position of DPO is incompatible with other positions or raises conflict of interest considerations, and how DPOs should be supported.
Furthermore, the guidelines emphasise the importance of DPOs in ensuring the correct approach to data processing, particularly considering that public administrations are increasingly stressed by the challenge of digital transformation.
You can read the guidelines here, and the updated FAQs here, both only available in Italian.
Germany: LfD Niedersachsen publishes annual activity report for 2020
The LfD Niedersachsen published, on 27 May 2021, its annual report to summarise its activities for 2020.
The LfD Niedersachsen recorded a significant rise in complaints and reported data protection violations in 2020, with a total of 2,479 complaints and 989 notifications of violations received.
According to the LfD Niedersachsen, this rise can be partly attributed to the COVID-19 pandemic, as well as the increasing complexity of processing operations as a result of digitalisation in business and administration.
Additionally, regarding fines issued under the GDPR, the LfD Niedersachsen noted that the cost of fine proceedings had increased significantly since the GDPR came into force. The LfD Niedersachsen imposed its highest fine in 2020, a sum of €10.4 million on a company that had been monitoring its employees via video for two years without a legal basis.
You can read the press release here and download the report here, both only available in German.
France: CNIL and UNAF publish a guide to the GDPR in the social and medical care sector
The CNIL announced, on 25 May 2021, that the National Union of Family Associations (UNAF) had published a guide on how to implement the GDPR in the social and medical care services sector.
The guide is divided into four chapters, with practical examples specific to the social and medical care sector featured throughout:
- key concepts under the GDPR in the context of the sector, including the roles of data controllers and processors;
- data protection principles, including the principles of lawfulness, purpose and storage limitation, necessity and proportionality, confidentiality, and security;
- data subject rights and how to facilitate them; and
- the various stages of compliance with the GDPR, from the designation of a DPO to carrying out DPIAs and properly documenting compliance.
You can read CNIL’s press release here and the guide here, both only available in French.
France: CNIL orders 20 companies to comply with cookie rules within one month
The CNIL announced, on 25 May 2021, that it had issued formal notices to around 20 organisations which do not comply with CNIL’s cookie guidelines and recommendations, ordering them to amend their practices and come into compliance with them.
The infringements relate to not enabling users to refuse cookies as easily as they can accept them. The CNIL also revealed that most of the organisations concerned are major players in the digital sector, along with some public bodies.
The CNIL indicates that the addressed organisations have one month to comply and will incur financial penalties of up to 2% of their turnover if this deadline is not respected.
This is the first campaign of verifications and corrective measures since the cookie guidelines and recommendations entered into effect, and similar actions will be carried out over the coming months, as cookie compliance is a priority for the CNIL in 2021.
You can read the press release, only available in French, here.
Fines
Spain: AEPD fines Vodafone Spain €100,000 for unlawful data processing and failure to monitor the Robinson List
The AEPD issued, on 25 May 2021, a decision in proceeding PS/00030/2021, fining Vodafone España, S.A.U €100,000 for advertising calls to phone numbers registered within the Robinson List.
In the AEPD’s view, Vodafone was responsible for acting as a data processor and had therefore breached its duties under Article 28(1) of the GDPR.
Vodafone had also failed to record and monitor the processing of personal data for marketing calls, and to monitor and exclude numbers that are registered and updated on the Robinson List.
You can read the decision, only available in Spanish, here.