Privacy News 30/10/2020

Nov 3, 2020

 EU institutions

EDPS adopts strategy for EU institutions’ compliance with Schrems II case 

 The European Data Protection Supervisor (EDPS)  published a document aimed at ensuring the compliance of the European institutions with the ” Schrems II” judgment with regard to transfers of personal data to third countries, and especially the United States.

The aim is to ensure that current and future international transfers are carried out in accordance with European data protection regulations.

The Schrems II decision has impacted all legal instruments used to transfer personal data from the EEA to a third country, including transfers between public authorities.

The EDPS has identified two priorities to be addressed in the short term: ongoing contracts from controller to processor and contracts from processor to secondary processor involving transfers of data to third countries, with particular attention for those to the United States.

The EDPS has drawn up an action plan to streamline compliance and enforcement measures, distinguishing short-term from medium-term compliance measures.


 France: CNIL issues guidance on erasure of data of deceased persons

In this guidance, the following points are discussed:

  1. Why is the subject of “digital death” essential?
  2. What happens to the profiles of the deceased posted on social networks?
  3. Can parents and loved ones access the online accounts of a deceased relative?
  4. Can heirs or relatives update the profile of a missing person to notify third parties of their death?
  5. Is it possible to have the account of a missing loved one deleted?
  6. What are the remedies to enforce the data of deceased persons?
  7. How do I report the account of a deceased user?


 Italy:  Garante publishes its investigation plan for the second half of 2020

The Italian data protection authority announced on October 26, 2020, that it had published, in its monthly bulletin, its investigation plan for the second half of 2020.

The control plan continues the activities started during the first half of the year.

The controls will focus on the following players: electronic invoicing intermediaries, call center services, and home food delivery companies.

During the first half of 2020, the Garante imposed sanctions amounting to approximately € 7 million.


 Germany: DSK publishes the requirements for accreditation of certification bodies

The German Data Protection Conference (DSK) published on 8 October 2020 its requirements for accreditation in accordance with Art.43 (3) GDPR and DIN EN ISO / IEC 17065: 2012.

The requirements include the scope and duration of accreditation, as well as general, structural, resource, process and management systems requirements.



 Italy: Garante imposed a fine of EUR 20 000 at the polyclinic ” Università Campus Bio- Medico di Roma” for disclosing online medical reports

 The Italian data protection authority announced on 26 October 2020 its decision to impose a fine of EUR 20 000 at the polyclinic ” Università Campus Bio- Medico di Roma” for violation of Article 5, paragraph 2 a ) and f), and 9 of the GDPR.

The polyclinic had notified the Garante of a data breach in accordance with Article 33 of the GDPR. This concerned the online medical records consultation system.

39 patients were able, while accessing their medical reports, to consult the medical reports and examinations of 74 other patients.

You can find the decision (in Italian) here

 Spain: AEPD fines Play Orenes S.L. €5,000 for data minimisation violation

 On October 28, 2020, the AEPD issued a decision in the procedure PS / 00003/2020 condemning Play Orenes SL to a fine of 5,000 euros for violation of the principle of data minimization contained in Article 5, paragraph 1, point c) of the GDPR.

Play Orenes had installed video surveillance systems on the facade of its premises. This covered the adjacent streets, which goes beyond what is strictly necessary.

You can find the decision (in Spanish) here

 Spain: AEPD fines Vodafone España €36,000 for illegitimate data processing

 The Spanish data protection authority announced, on October 21, 2020, its decision, in procedure PS / 00303/2020, to impose a fine of 36,000 euros on Vodafone España, SAU for violation of article 6, paragraph 1 of the GDPR.

Vodafone processed the applicant’s personal data illegitimately: they were integrated into the company’s information system without having obtained their prior consent to their collection and subsequent processing.

You can find the decision (in Spanish) here

 Norway: Datatilsynet fines Østfold Hospital NOK 750,000 for failure to adequately secure patient data

The Norwegian Data Protection Authority announced on October 27, 2020 that it had fined Østfold HF Hospital 750,000 NOK (approx. 69,000 euros) for storing health data for an extended period without having implemented sufficient measures to secure them.

The hospital did not have access control mechanisms in place in the area where reports and patient records were kept. It had also failed to ensure that internal control procedures were followed (employee access to files, their storage and their deletion from the server).

You can find the decision (only available in Norwegian) here

 UK: ICO fines Marriott £18.4 million for data security failures

The ICO fined Marriott International, Inc. £ 18.4million for failing to keep the personal data of millions of customers safe. This fine is much lower than the £ 99million notice of intent raised in July 2019.

339 million customer records were affected as a result of a 2014 cyber-attack against Starwood Hotels and Resorts Worldwide Inc. The attack, of unknown source, remained undetected until September 2018, when the company was acquired by Marriott.

The personal data involved differed from person to person, but it included names, email addresses, phone numbers, passport numbers, arrival / departure information, VIP status of guests and the loyalty program membership number.

You can find the press release here.