Privacy News 29/01/2021

Feb 1, 2021

National Authorities

Belgian DPA publishes recommendations on data cleansing and record destruction

The Belgian DPA released, on 27 January 2021, recommendations for data controllers on data cleansing and the destruction of records.

The recommendations are intended to help data controllers prevent unauthorised access to the personal data contained in such records and to protect the privacy of the Belgian citizens to whom the data relates.

They cover legal considerations, technical application, and organisational measures in relation to data cleansing. The recommendations also outline key principles and concepts such as the classification and documentation of information, procedural steps from policy formulation to evaluation, categories of records and practical examples.

You can read the recommendations in Dutch here and in French here.


Fines

 Garante fines Rome Municipality €500,000 for unlawful processing through appointment booking system

The Garante published, on 15 January 2021, its newsletter announcing that it had fined the municipality of Rome €500,000 for the unlawful processing of users’ and employees’ personal data through the use of an appointment booking system named ‘TuPassi’.

Following an investigation into the TuPassi system, the Garante found several data protection deficiencies: the processing of large amounts of personal data, including sensitive data; retention of the data on the municipality's servers for an excessive period; inadequate technical and organisational measures; and a failure to adequately inform employees about the processing of their personal data.

You can access the newsletter here and the decision against the municipality here, both only available in Italian.


 CNIL fines data controller €150,000 and its data processor €75,000 for inadequate measures to deal with credential stuffing attacks

The CNIL announced, on 27 January 2021, its decision to fine a data controller €150,000 and its data processor €75,000 for failing to implement adequate measures against credential stuffing attacks on the controller's website.

The CNIL noted that its investigation of the data controller's website had shown that the site had suffered numerous credential stuffing attacks, in which attackers replayed account credentials stolen elsewhere (email addresses and their associated passwords) against the login page, and then used the accounts they got into to access account information such as customer orders and loyalty card balances.

The CNIL found that the data controller and the processor had failed to take adequate measures to ensure the security of customers' personal data, in violation of Article 32 of the GDPR.

For the CNIL, the data controller and processor had been slow to develop a tool for detecting and blocking these attacks, and had also failed to take simpler measures, such as requiring a CAPTCHA at user login or limiting the number of requests accepted per IP address.

You can read the announcement, only available in French, here.


 Datatilsynet notifies intention to fine Grindr NOK 100M for GDPR consent failures

Datatilsynet announced, on 16 January 2021, that it had notified its intention to fine Grindr LLC NOK 100 million (approx. €10 million) for its failure to comply with the rules on consent under the GDPR.

Datatilsynet found that Grindr had failed to obtain freely given, specific, unambiguous, and informed consent for the sharing of data, thereby violating Article 6(1)(a) of the GDPR.

For Datatilsynet, Grindr did not obtain adequate consent for profiling and sharing of data, including GPS and user profiles, with third parties for marketing purposes.

Datatilsynet also considered that Grindr had not adequately informed users about the sharing of their personal data, and found that by bundling consent to data sharing with acceptance of the general privacy policy, Grindr had not allowed users to give separate consent for distinct processing purposes, such as processing for marketing.

Datatilsynet noted that Grindr has until 15 February 2021 to respond to the notification and that, if imposed, the fine would be the highest Datatilsynet has ever issued.

You can read the press release here and the decision here.

The EDPB has published a summary of Datatilsynet's decision in English, here.


 ICO fines Chameleon Marketing £100,000 for making unsolicited marketing calls

The ICO issued, on 27 January 2021, a monetary penalty notice of £100,000 to Chameleon Marketing (H.I) Ltd for making 617,323 direct marketing calls to people registered with the Telephone Preference Service Ltd without obtaining consent.

The monetary penalty notice highlights that Chameleon's failure to obtain consent violated Regulation 21 of the Privacy and Electronic Communications Regulations 2003, which governs unsolicited calls for direct marketing purposes. Under Regulation 21, a company that wants to call an individual to promote a product or service must first have that individual's consent if their telephone number is registered with the TPS.

You can read the press release here and the monetary penalty notice here.


ICO fines Solar Style Solutions £90,000 for making unsolicited marketing calls

The ICO issued, on 27 January 2021, a monetary penalty notice of £90,000 to Solar Style Solutions for making 188,665 marketing calls over a four-month period, 126,019 of which were to TPS-registered numbers.

The monetary penalty notice highlights that this violated Regulation 21 of the Privacy and Electronic Communications Regulations 2003, which governs unsolicited calls for direct marketing purposes: a company that wants to call an individual to promote a product or service must first have that individual's consent if their telephone number is registered with the TPS.

You can read the press release here and the monetary penalty notice here.