European Data Protection Board

National news

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
22 October 2019

The main novelties for consumer credit, loans and new types of financing

Greater safeguards for consumers registered in credit databases, transparency on the functioning of algorithms that analyse financial risk, openness to new technologies and fintech services.

These are some of the innovations laid down in the new ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’, proposed by the trade associations and approved by the Italian Garante after a complex review of the old Code of Ethics, which has been rendered obsolete by the changes introduced by the European and national legislation on privacy.

The new rules for credit risk analysis — in order to adapt to the challenges posed by the digital economy — do not only concern data on loans and mortgages, but also those relating to different forms of leasing, long-term rental and the most innovative forms of loan between private entities (‘peer-to-peer lending’) managed through fintech platforms.

In order to facilitate the proper functioning of the financial and credit market, the records may be processed without the data subjects’ consent, on the basis of the so-called legitimate interest of the companies participating in the credit reporting systems, while guaranteeing the wider rights set out in the European Data Protection Regulation. Only necessary, relevant data not exceeding the credit risk assessment purposes may be processed, by providing complete and timely information to the data subjects. For example, if you apply for a mortgage and your application is rejected, you will be able to know if the decision was taken also on the basis of the risk scoring given to you by an algorithm and, if so, to request to know the underlying logic.

In addition, the statistical analysis models as well as the algorithms used should be reviewed and updated at least every two years. Particular attention has been given to the security measures taken to protect the data from unlawful access and to ensure reliability of the systems. New forms of contact, such as those enabled by instant messaging systems used on smartphones, have also been identified in order to simplify the arrangements for informing data subjects prior to their registration in a credit reporting system (prior notice).

Some of the main novelties are listed below:
-    Rights: enhanced rights to protect the privacy of data subjects
-    Disclosure: more complete information about the data processed by the participating companies
-    Monitoring body: an independent body must be established to oversee the work of credit reporting systems
-    New forms of contact: subject to agreement with the data subjects, ‘alert notices’ may also be sent by means of instant messaging systems that ensure traceability of the delivery.
-    New credit categories: the scope of registered data was extended to include various forms of leasing, hire, lending between private parties (peer to peer lending)
-    Longer positive data series: positive historical data on clients may be stored for 60 months to protect credit and to meet the demand coming from supervisory bodies
-    Transparency in decisions: in the event of a denial of credit based on automated analysis, the data subject may request to know the logic underlying the operation of the algorithms
-    Pseudonymised data for the training of algorithms: algorithms may be ‘trained’ with pseudonymised data, i.e. data that can no longer be related to a specific entity
-    Security: additional measures are envisaged to protect data security and against unlawful access

In the approval decision, the Italian Garante nevertheless required credit reporting systems to make some changes to the functioning of the monitoring body established by the Code in order to strengthen its independence and autonomy from sector-related companies.

The members of the new Code of Conduct have committed themselves to comply forthwith with its rules and principles, even though the text will become fully effective only upon completion of the accreditation procedure for the monitoring body, which requires the favourable opinion of the European Data Protection Board (EDPB).

17 October 2019

Users who access the Vueling company’s website do not have the ability to configure the cookies that are installed on their computers.

When accessing the cookie policy on the page https://www.vueling.com/es, users are informed about what cookies are and which cookies the site uses. The policy also states that Vueling may use the information itself or through third parties, by means of beacons, pixel tags and local storage, for evaluations and statistical calculations on anonymous data, indicating that "such information will not be used for any other purpose". It also states that third-party analytics cookies may be used.

However, on the management of cookies, the company merely indicates that "you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive. You can also use 'do not track' tracking cookie blocking tools." It is also noted that "you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose and that you can adjust the browser settings to prevent the installation of cookies websites or third parties in general."

What the company does not provide is a management system or cookie configuration panel that allows the user to delete cookies in a granular way. To enable that selection, the panel would have to offer a mechanism or button to reject all cookies, another to accept all cookies, and the possibility of choosing in a granular way, so that each user's preferences can be managed. The information offered about the tools provided in the browser for configuring cookies is considered complementary to such a panel, but insufficient for the intended purpose of allowing preferences to be configured in a granular or selective way.

These facts constitute an infringement of Section 22.2 of the LSSI (Spanish Law on Information Society Services and Electronic Commerce), according to which "Service providers may use data storage and retrieval devices on recipients' terminal equipment, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular on the purposes of data processing".
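The decision describes what a compliant configuration panel has to offer: a reject-all control, an accept-all control, and granular choices, with non-essential cookies set only after the user has consented to their category. As an added example, not Vueling's code and not part of the AEPD decision, the JavaScript below models exactly that consent state and gates cookie installation on it. The category names (necessary, analytics, marketing), the plain object standing in for the browser cookie jar, and the text encoding used to persist the decision are assumptions of this example.

```javascript
// Added example: consent model for a granular cookie configuration panel.
// Category names are assumed; "necessary" is always allowed and cannot be
// switched off, every other category is off until the user opts in.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function defaultConsent() {
  // Nothing decided yet: only strictly necessary cookies may be set.
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

// "Accept all" button.
function acceptAll() {
  return { necessary: true, analytics: true, marketing: true, decided: true };
}

// "Reject all" button: same as the default, but the choice is recorded.
function rejectAll() {
  return { necessary: true, analytics: false, marketing: false, decided: true };
}

// Granular choice: `choices` maps category -> boolean. Unknown keys are
// ignored and "necessary" stays on whatever the caller passes.
function granular(choices) {
  const consent = rejectAll();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (Object.prototype.hasOwnProperty.call(choices, cat)) {
      consent[cat] = Boolean(choices[cat]);
    }
  }
  return consent;
}

// Revocation returns to the undecided state, so the panel is shown again.
function revoke() {
  return defaultConsent();
}

// True only for a known category the user has consented to.
function mayInstall(category, consent) {
  if (!CATEGORIES.includes(category)) return false;
  return consent[category] === true;
}

// Gate that site scripts call instead of writing document.cookie directly.
// `jar` is a plain object standing in for the browser's cookie store.
function installCookie(jar, name, value, category, consent) {
  if (!mayInstall(category, consent)) return false;
  jar[name] = value;
  return true;
}

// Persist the decision itself in a first-party cookie value (this cookie is
// strictly necessary). Format is an assumption: "cat1,cat2[;decided]".
function encodeConsent(consent) {
  const allowed = CATEGORIES.filter((c) => consent[c]).join(",");
  return allowed + (consent.decided ? ";decided" : "");
}

function decodeConsent(str) {
  const [list, flag] = str.split(";");
  const allowed = new Set(list.split(",").filter(Boolean));
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    consent[cat] = cat === "necessary" || allowed.has(cat);
  }
  consent.decided = flag === "decided";
  return consent;
}

// Stand-alone demonstration: a user who only allows analytics.
const demoJar = {};
const demoConsent = granular({ analytics: true });
installCookie(demoJar, "session", "abc", "necessary", demoConsent); // set
installCookie(demoJar, "_ga", "GA1.2", "analytics", demoConsent);   // set
installCookie(demoJar, "_fbp", "fb.1", "marketing", demoConsent);   // refused
console.log(Object.keys(demoJar), encodeConsent(demoConsent));
```

The point of routing every cookie write through `installCookie` is that the browser-level advice quoted in the decision ("configure the browser to accept or reject all cookies") becomes irrelevant: the site itself refuses to set a category the user has not enabled, and a stored decision survives reloads without re-prompting.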

Read the decision in Spanish here
For further information, please contact the Spanish DPA: prensa@aepd.es

07 October 2019

Administrative fines imposed on a telephone service provider

(1) Imposition of a fine for breach of the principle of accuracy and data protection by design when keeping personal data of subscribers

The Hellenic DPA received complaints from telephone subscribers of the Hellenic Telecommunications Organization (“OTE”) who, although registered in OTE’s do-not-call register (under Article 11 of Law 3471/2006), received unsolicited calls from third-party companies promoting products and services.

The investigation of the case showed that those subscribers had submitted a portability request for the transfer of their subscription to another provider. As a consequence, OTE deleted their entries from the do-not-call register. However, when those subscribers cancelled their portability request, there was no proper procedure to cancel their removal from the register. Subscribers were listed as registrants in the internal system of the provider’s customer service, but their telephone numbers were not included in the register sent by OTE to the advertisers, as the two systems, due to the error in their interconnection, did not have the same content.

The Authority found that this incident affected a large number of individual subscribers, as there was an infringement of Article 25 (data protection by design) and Article 5 (1) (c) (principle of accuracy) of the General Data Protection Regulation (GDPR). It therefore imposed an administrative fine of EUR 200.000 on the basis of the criteria laid down in Article 83 (2) of the Regulation.

Decision 31/2019 is available in Greek on www.dpa.gr (“Decisions”)

(2) Imposition of a fine for failure to satisfy the right to object and the principle of data protection by design when keeping personal data of subscribers

The Hellenic DPA has received complaints from the recipients of advertising messages from OTE concerning their lack of ability to unsubscribe from the list of recipients of advertising messages. In the course of the examination of the complaints it emerged that from 2013 onwards, due to a technical error, the removal from the lists of recipients of advertising messages did not operate for those recipients who used the “unsubscribe” link. OTE did not have the appropriate organisational measure, i.e. a defined procedure by which it could detect that the data subject’s right to object could not be satisfied.

Subsequently, OTE removed around 8.000 persons from the addressees of the messages, who had unsuccessfully attempted to withdraw from 2013 onwards. The Authority has found an infringement of the right to object to the processing for direct marketing purposes (Article 21 (3) of the GDPR) as well as Article 25 (data protection by design) of the GDPR and imposed an administrative fine of EUR 200.000 on the basis of the criteria of Article 83 (2) of the Regulation.

Decision 34/2019 is available in Greek on www.dpa.gr (“Decisions”)
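Both OTE cases share one failure mode: an opt-out recorded in one system (the do-not-call register in case 1, the unsubscribe handling in case 2) was not reflected where contact actually happened, and no defined procedure existed to detect the divergence. As an added example, not OTE's code and not the Hellenic DPA's, the JavaScript below is the kind of reconciliation check that would have surfaced both problems: it computes which opt-outs must be in force at a given time, compares them with the list actually handed downstream, and flags contacts made despite an opt-out. The record fields, the treatment of portability (only a completed port ends an opt-out; a cancelled request does not) and all sample data are constructed for this example, with timestamps as plain integers.

```javascript
// Added example: reconciliation check for opt-outs that a downstream system
// fails to honour. Record shapes and sample data are constructed here.

// Opt-out records as the customer-service system holds them. `withdrawnAt` is
// null unless the subscriber lifted the opt-out; `portedOut` is true only when
// a port to another provider actually completed (a cancelled request must not
// end the opt-out, which is the error described in case 1).
const DO_NOT_CALL = [
  { id: "+30-210-0000001", optedOutAt: 100, withdrawnAt: null, portedOut: false },
  { id: "+30-210-0000002", optedOutAt: 110, withdrawnAt: null, portedOut: false }, // port requested, then cancelled
  { id: "+30-210-0000003", optedOutAt: 120, withdrawnAt: null, portedOut: true },  // really left the provider
  { id: "+30-210-0000004", optedOutAt: 130, withdrawnAt: 140, portedOut: false },  // withdrew the opt-out
];

// The register actually exported to advertisers (constructed): subscriber 2 is
// missing because the export dropped it when the portability request arrived.
const EXPORTED_REGISTER = ["+30-210-0000001"];

// Opt-outs that must be reflected downstream at time `asOf`.
function optOutsInForce(records, asOf) {
  return records.filter(
    (r) =>
      r.optedOutAt <= asOf &&
      (r.withdrawnAt === null || r.withdrawnAt > asOf) &&
      !r.portedOut
  );
}

// Identifiers whose opt-out is in force but which the downstream list lacks.
function missingFromDownstream(records, downstreamIds, asOf) {
  const present = new Set(downstreamIds);
  return optOutsInForce(records, asOf)
    .map((r) => r.id)
    .filter((id) => !present.has(id));
}

// Contacts made while an opt-out was in force, e.g. a mailing that still went
// to an address that had clicked "unsubscribe" (case 2).
function contactedDespiteOptOut(records, contacts) {
  const byId = new Map(records.map((r) => [r.id, r]));
  return contacts.filter((c) => {
    const rec = byId.get(c.id);
    return rec !== undefined && optOutsInForce([rec], c.at).length === 1;
  });
}

// Constructed unsubscribe sample: two addresses used the link; the mailing
// system kept sending to one of them afterwards.
const UNSUBSCRIBES = [
  { id: "a@example.test", optedOutAt: 200, withdrawnAt: null, portedOut: false },
  { id: "b@example.test", optedOutAt: 210, withdrawnAt: null, portedOut: false },
];
const MAILINGS = [
  { id: "a@example.test", at: 150 }, // before the opt-out: fine
  { id: "a@example.test", at: 250 }, // after the opt-out: not honoured
  { id: "b@example.test", at: 190 }, // before the opt-out: fine
  { id: "c@example.test", at: 260 }, // never opted out: fine
];

// The periodic procedure itself: run both comparisons and return findings.
function runChecks() {
  return {
    missingNumbers: missingFromDownstream(DO_NOT_CALL, EXPORTED_REGISTER, 150),
    unlawfulMailings: contactedDespiteOptOut(UNSUBSCRIBES, MAILINGS),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run as a scheduled job against the real registry and the real export or send logs, a non-empty result is the signal the decisions say was missing: the two systems have diverged, and the right to object is not being satisfied for the listed identifiers.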

Communications Department

For further information, please contact the Greek SA directly: contact@dpa.gr

20 September 2019

The President of the Personal Data Protection Office imposed a fine of an amount higher than PLN 2.8 million (ca. 645,000 euros) on Morele.net.

The company’s organisational and technical measures for the protection of personal data were not appropriate to the risk posed by the processing of personal data, which means that data of about 2.2 million people have fallen into the wrong hands. There was a lack of appropriate response procedures to deal with the emergence of unusual network traffic, concluded the President of the Personal Data Protection Office (UODO).

While imposing the fine, the supervisory authority concluded that the breach which took place in this case was of considerable importance and of serious character, and concerned a large number of persons. In its decision, the supervisory authority also pointed out that, as a result of the infringement, there was a high risk of adverse effects on persons whose personal data fell into the wrong hands, such as identity theft.

The data concerned included: name and surname, phone number, email, delivery address. However, in the case of about 35,000 people, the data leaked from their installment loan application. The scope of the data comprised the personal ID number (PESEL number), the series and the number of the identity document, educational background, registered address, correspondence address, source of income, amount of net income, the cost of living of the household, marital status, as well as the amount of credit commitments or maintenance obligations.

In the decision imposing the fine, the President of UODO concluded that the company, by failing to comply with the required technical means of data protection, had breached, inter alia, the principle of confidentiality set out in Article 5(1)(f) of the GDPR, which resulted in unauthorised access to and obtaining of customers’ data. The authority considered that the measures put in place for authenticating access to the data were ineffective. The company implemented additional technical security measures after the breach.

The investigation revealed that the infringement occurred also because of ineffective monitoring of potential risks. The investigation further revealed other misconduct, but it was the lack of appropriate technical (insufficient safeguards) and organisational measures (on the monitoring of potential risks related to atypical online behaviour) that led to imposing a fine. In determining its amount, however, the President of UODO took account of mitigating circumstances, such as: action taken by the company to put an end to the infringement, good cooperation with the controller and the fact that the company has not breached the personal data protection law before.

To read the full press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish DPA: kancelaria@uodo.gov.pl

19 September 2019

The Belgian data protection authority imposed a fine of €10,000 on a merchant for the disproportionate use of the electronic identity card for the purpose of creating a loyalty card.


The Authority sanctioned a merchant who offers the reading of the electronic identity card as the only means of creating a loyalty card. The administrative fine imposed amounts to €10,000. The electronic identity card contains a great deal of data about its holder, and the use of this data without the customer's consent is considered disproportionate in relation to the service offered.

Statement of facts: reading the eID in exchange for a loyalty card
The APD received a complaint concerning a merchant's use of the electronic identity card (eID) as part of a commercial service, namely the creation of a loyalty card. As the complainant did not want to present his identity card, the loyalty card was refused to him, even though he had offered to provide the merchant in writing with the data concerning him in order to obtain a loyalty card. The Litigation Chamber of the APD found this practice to be contrary to the General Data Protection Regulation (GDPR) on several grounds.

Failure to respect the principle of data minimisation
The principle of minimisation is an important principle of the GDPR which requires controllers to limit the amount of personal data collected, and the period for which it is retained, to what is strictly necessary in view of the purpose pursued.

To create the loyalty card, the merchant requires data on the eID such as the surname, first names, address, etc. to be read, but the merchant also wants to access the photograph and the barcode, which is linked to the National Register number. The Litigation Chamber recalls that the National Register number is a data item subject to strict rules on its consultation and use.

The Litigation Chamber therefore considers that reading and using all of the data on the electronic identity card in a commercial context constitutes processing that is disproportionate in relation to the objective of creating a loyalty card.

Absence of valid consent
To be lawful, processing of personal data must rest on one of the six legal bases provided for by the GDPR. The merchant relies on consent as the legal basis to justify the processing of the data contained on the customer's eID, but the Litigation Chamber disputes the validity of this legal basis.

To be valid, consent must be free, specific and informed. The Litigation Chamber considers that the consent given in this case cannot be regarded as freely given, because no alternative is offered to customers. If customers refuse to have their electronic identity card used to create a loyalty card, they are thereby penalised and cannot enjoy the benefits and discounts, since no alternative is offered to them.

Hielke Hijmans, President of the Litigation Chamber, explains: "Companies and merchants must take a more conscientious approach when they demand all kinds of personal data for a service, especially in the absence of valid consent from the customer. The GDPR lays down principles and obligations that must serve as a guiding thread for processing personal data correctly."

Sanctions
In view of the failure to respect the principle of data minimisation and the absence of a valid legal basis, the Litigation Chamber decided to order the merchant to comply with the requirements of the GDPR and to impose on him an administrative fine of €10,000.

"Using electronic identity cards as loyalty cards is a common practice. However, the GDPR does not permit access to a large amount of personal data if it is not strictly necessary for the provision of a service and without a valid legal basis. The Litigation Chamber considers this a serious infringement and therefore imposes a fine of €10,000," states Hielke Hijmans, President of the Litigation Chamber.
David Stevens, President of the APD: "This decision is another important milestone on the road to better protection of our citizens' privacy."

To read the full press release in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

03 September 2019

On 26 August 2019, the Director of the Data State Inspectorate of Latvia (DSI) imposed a financial penalty of 7000 euros on an online retailer for non-compliance with the General Data Protection Regulation (GDPR): failure to honour the data subject's right to erasure and non-cooperation with the supervisory authority.

The sanctions were applied because the retailer failed to carry out the controller's duty to execute the data subject's request and did not cooperate with the DSI (the retailer neither provided the DSI with the requested information within the specified time period nor complied with an order issued by the DSI in accordance with GDPR Article 58(2)(c) and (g) and Article 23 of the Personal Data Processing Law).

The DSI opened an investigation into the complaint against the online retailer for non-compliance with the data subject's rights under GDPR Article 17, which gives the data subject the right to obtain from the controller the erasure of his personal data without undue delay and obliges the controller to respond to the request and erase the personal data without undue delay.

Investigating the case, the DSI established that in 2018 the claimant had repeatedly requested the retailer to delete all his personal data, including his mobile phone number. The retailer did not comply with the data subject’s request to erase the data and continued to process the personal data in question (including the claimant's phone number).

When determining the amount of the fine the Director of the DSI took into account the nature, gravity and duration of the infringement, the degree of cooperation with the supervisory authority, the number of data subjects affected, the total annual turnover of the preceding financial year of the retailer (GDPR Article 83(5)(b) and (e)).

The DSI notes that, in accordance with Articles 288 and 289 of the Latvian Administrative Violations Code, the retailer has the right to appeal the decision of the Director of the DSI to the District (City) Court within ten working days from the day of receipt of the decision.

Read the full press release in Latvian here

For further information, please contact the Latvian DPA: info@dvi.gov.lv

22 August 2019

The Swedish DPA has fined a municipality 200 000 SEK (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school.

A school in northern Sweden has conducted a pilot using facial recognition to keep track of students’ attendance in school. The test run was conducted in one school class for a limited period of time.

The Swedish DPA concluded that the test violates several articles in GDPR and has imposed a fine on the municipality of approximately 20 000 euros. In Sweden public authorities can receive a maximum fine of 10 million SEK (approximately 1 million euros). This is the first fine issued by the Swedish DPA.
The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.

The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.

Read the full press release in Swedish below or here

For further information, please contact the Swedish DPA: datainspektionen@datainspektionen.se


Administrative fine for facial recognition in a school

The Swedish Data Protection Authority (Datainspektionen) is issuing an administrative fine of SEK 200,000 to a school that, on a trial basis, has used camera-based facial recognition to register students' attendance.

For the first time, Datainspektionen is now issuing an administrative fine against an organisation that has breached the rules of the General Data Protection Regulation, GDPR.

An upper secondary school in Skellefteå has, on a trial basis, used camera-based facial recognition to register students' attendance at lessons. The trial ran for three weeks and involved 22 students. Datainspektionen has reviewed the use and finds that the upper secondary education board in Skellefteå has handled sensitive personal data in breach of the GDPR.

– The upper secondary education board in Skellefteå has breached several of the provisions of the GDPR in a way that leads us to now issue an administrative fine, says Lena Lindgren Schelin, Director General of Datainspektionen.

The administrative fine is SEK 200,000. The size of the fine is influenced by, among other things, the fact that the controller is a public authority and that the case concerns a trial over a limited period. Public authorities can receive a maximum administrative fine of SEK 10 million.

– Facial recognition technology is in its infancy, but it is developing quickly. We therefore see a great need to create clarity about what applies for all actors, says Lena Lindgren Schelin.

Biometric data, which is used in facial recognition, is sensitive personal data that warrants extra protection and that may only be processed under explicit exemptions. The upper secondary education board has stated that it obtained the students' consent to use facial recognition for attendance checks.

– The board cannot rely on consent in this case, because the students are in a position of dependence on the board, explains Ranja Bunni, a lawyer at Datainspektionen who took part in the review.

In its decision, Datainspektionen finds that the facial recognition involved camera surveillance of the students in their everyday environment, that it was an intrusion into their privacy, and that attendance checks can be carried out in other ways that are less privacy-intrusive than facial recognition.

For more information, contact
Lawyer Ranja Bunni, telephone 08-657 61 46
Lawyer Jenny Bård, telephone 08-657 61 54
Press contact Per Lövgren, telephone 08-515 15 415

12 August 2019

On 12 August 2019, the Austrian DPA imposed an administrative fine of € 55,000 (of which € 5,000 are procedural costs) on a controller operating in the medical sector. Over the course of more than six months, the controller had neither appointed a data protection officer nor published the officer's contact details or reported them to the supervisory authority. In addition, the controller had obliged data subjects to give consent to a data processing operation that did not meet the criteria set out in Art. 7 GDPR, and had also violated its duty to provide information pursuant to Art. 13 and 14 GDPR. Moreover, despite handling sensitive data, it had not carried out a data protection impact assessment pursuant to Art. 35 GDPR. The administrative fine is not yet final; a complaint against it is expected.

For further information, please contact the Austrian DPA: dsb@dsb.gv.at

31 July 2019

Exercise of the Hellenic DPA’s corrective powers pursuant to the GDPR for selection and application of inappropriate legal basis and violation of the principle of accountability by a company

Company fined €150,000 by the Hellenic DPA

The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company ‘PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA’ (PWC BS). According to the above complaint the employees were required to provide consent to the processing of their personal data.

The DPA considered that PWC BS as the controller:

i.  has unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis.

ii.  has processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1)(a) indent (b) and (c) of the GDPR giving them the false impression that it was processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in reality it was processing their data under a different legal basis about which the employees had never been informed.

iii.  although it was responsible in its capacity as the controller, it was not able to demonstrate compliance with Article 5(1) of the GDPR, and that it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.

The Hellenic DPA, after ascertaining the infringements of the GDPR, decided that in this case it should exercise the corrective powers conferred on it under Article 58(2) of the GDPR by imposing corrective measures, and that it would order the company in its capacity as the controller within three (3) months:

  • to bring the processing operations of its employees’ personal data as described in Annex I submitted by the company into compliance with the provisions of the GDPR;
  • to restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in accordance with the grounds of the decision;
  • to subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the GDPR insofar as the infringement established affects the internal organisation and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle.

Moreover, as the above corrective measure is not sufficient in itself to restore compliance with the GDPR provisions infringed, the Hellenic DPA considered that, based on the circumstances identified in this case and under Article 58(2)(i), an additional effective, proportionate and dissuasive administrative fine should be imposed in accordance with Article 83 of the GDPR, which amounts to one hundred and fifty thousand Euros (EUR 150,000.00).


The Decision (in Greek) is available on www.dpa.gr (--> “Decisions”)
A summary of the Decision (in English) is available on http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL

The press release is available on: https://www.dpa.gr/portal/page?_pageid=33,43547&_dad=portal&_schema=PORTAL


09 July 2019

Statement in response to Marriott International, Inc’s filing with the US Securities and Exchange Commission that the Information Commissioner's Office (ICO) intends to fine it for breaches of data protection law.

Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

For press questions, please visit the media section on the ICO website

Notes to Editors

1.    The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2.    The ICO has specific responsibilities set out in the Data Protection Act 2018, the European Union’s General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3.    The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a civil monetary penalty on a data controller of up to £17 million (20m Euro) or 4% of global turnover.
4.    The GDPR applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by GDPR, such as law enforcement and security. The government intends to incorporate the GDPR into our data protection law when the UK leaves the EU.
5.    Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
·         Processed lawfully, fairly and in a transparent manner in relation to individuals;
·         Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
·         Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
·         Accurate and, where necessary, kept up to date
·         Kept in a form which permits identification of data subjects for no longer than is necessary; and
·         Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.”
·         Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
6.    Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
7.    Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by ICO.
8.    To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

09 July 2019

This Tuesday, the Belgian Data Protection Authority decided to reprimand the FPS Public Health for not responding to the exercise of a citizen's right of access.

Today, Tuesday 9 July 2019, the Data Protection Authority decided to issue a reprimand to the Federal Public Service (FPS) Public Health. This sanction concerns a case in which the FPS Public Health did not respond to a citizen's request to exercise his right of access, despite an order from the Authority. According to the Authority, respect for citizens' right to the protection of personal data is a cornerstone of the GDPR, and controllers must do everything in their power to guarantee it.

The case: failure to respect the right of access

The case concerns a healthcare professional whose appointment as a substitute member of the PGC Limburg (Provinciale Geneeskundige Commissie van Limburg, the Provincial Medical Commission of Limburg) was withdrawn by a decision correcting his earlier appointment. The complainant then decided to exercise his right of access to his personal data in order to learn the reason why his position had been withdrawn. Having received no reply from the FPS Public Health, he lodged a first complaint with the Authority at the end of 2018.

In October 2018 the Litigation Chamber of the Authority ordered the FPS Public Health to reply to the complainant's request, but the FPS did not respond to it. The complainant then lodged a complaint for the second time in 2019.

At a hearing, the FPS Public Health acknowledged the facts and stressed that there are problems with its internal procedures.

After hearing both parties, the Litigation Chamber of the Authority concluded that the FPS Public Health had been negligent and decided to issue a reprimand to the FPS concerned, and to publish the Litigation Chamber's decision including the names of the parties (with the complainant's formal consent). The Chamber also considers it important that the FPS Public Health introduce internal procedures in the short term so that it can effectively manage its obligations under the GDPR (General Data Protection Regulation).

Hielke Hijmans, President of the Litigation Chamber, explains: “The procedure brought to light the fact that the FPS Public Health has not introduced internal procedures to meet the requirements of the GDPR, even though the Regulation was published in May 2016 and has applied since May 2018. In doing so, the FPS Public Health also failed to comply with the accountability principle of the controller as laid down in the GDPR.”

Citizens' rights and the introduction of internal procedures

Under the GDPR, citizens have a number of rights to protect their data, such as the right of access to their data, the right to have their data rectified, or the right to have them erased or to object to their processing.

Citizens can exercise their rights with the controller of their personal data. That controller must respond to the data subject's request within one month.

To enable citizens to exercise their data protection rights effectively, it is therefore necessary that organisations processing personal data put in place internal measures that allow them to respond to requests within the period laid down by law, for example by designating a clear contact person for citizens and introducing a procedure for responding.

“It is very important for us to remind organisations that they must do everything they can to comply with the GDPR,” concludes Hielke Hijmans, President of the Litigation Chamber of the Authority.

David Stevens, President of the Data Protection Authority: “We are pleased that more and more citizens are coming to us to assert their rights.”

Citizens who wish to submit a request for mediation or a complaint can find the procedure here.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

08 July 2019

Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

05 July 2019

On the 5th of July 2019, the National Supervisory Authority finalised an investigation into controller LEGAL COMPANY & TAX HUB SRL and found that the controller infringed the provisions of Article 32 (1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The data controller, LEGAL COMPANY & TAX HUB SRL, was sanctioned with a fine of 14,173.50 lei, the equivalent of 3,000 Euros.
The sanction was issued to the data controller because it had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing.

This led to unauthorized disclosure of, and unauthorized access to, the personal data of persons who performed transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), which were held in publicly accessible documents between 10 December 2018 and 1 February 2019.

The National Supervisory Authority imposed the sanction following a notification received on 10 December 2018 indicating that a set of files on the details of the transactions received by the avocatoo.ro website, which contained the name, surname, mailing address, email, telephone, job and details of transactions made, was publicly accessible through two links.

We underline that pursuant to Article 5.1 (f) GDPR, the data controller had the obligation to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Also, the General Data Protection Regulation provides under Article 32 that: “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

02 July 2019

On 2 July 2019, the National Supervisory Authority finalised an investigation into the controller WORLD TRADE CENTER BUCHAREST S.A. and found that the controller infringed the provisions of Article 32 (4) in relation to Article 32 (1) and (2) of the General Data Protection Regulation in respect of the security of processing.

The data controller, WORLD TRADE CENTER BUCHAREST S.A., was sanctioned with a fine of 71,028 lei, the equivalent of 15,000 Euros.
The personal data breach consisted in the fact that a printed paper list, used to check the customers attending breakfast and containing the personal data of 46 clients accommodated at the hotel belonging to WORLD TRADE CENTER BUCHAREST S.A., was photographed by unauthorized people outside the company, which led to the disclosure of some clients' personal data through publication.

The data controller, WORLD TRADE CENTER BUCHAREST S.A., has been sanctioned because it has not taken measures in order to ensure that its employees who have access to personal data process data only at its request, according to the law.

Also, the data controller did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing, in particular of unauthorized disclosure of or unauthorized access to personal data. This led to unauthorized access to the personal data of 46 clients of WORLD TRADE CENTER BUCHAREST SA and unauthorized disclosure of these data in the online environment, which violated the right to privacy and the right to the protection of personal data guaranteed by Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.

The National Supervisory Authority performed the investigation following the notification of a personal data breach submitted by WORLD TRADE CENTER BUCHAREST S.A. using the personal data breach notification form provided for by Article 33 of the GDPR.

The General Data Protection Regulation establishes, in Article 24, the principle of the data controller's responsibility, according to which: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

Moreover, Recital (75) of GDPR states that:
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

26 June 2019

The National Supervisory Authority finalised an investigation into the controller UNICREDIT BANK S.A. and found that it breached the provisions of Article 25 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 
The controller was sanctioned with a fine of the amount of 613,912 lei, the equivalent of 130,000 euros.
 
The sanction was applied to UNICREDIT BANK S.A. as a result of its failure to implement appropriate technical and organisational measures, both when determining the means of processing and during the processing operations themselves, designed to effectively implement data protection principles such as data minimisation and to integrate the necessary safeguards into the processing, in order to meet the GDPR requirements and protect the rights of data subjects. This led to the disclosure of the payer’s personal identification number and address (where the payer performed the transaction from an account opened with another credit institution – external transactions and cash deposits) and of the payer’s address (where the payer made the transaction from an account opened with UNICREDIT BANK SA – internal transactions) in the transaction detail documents made available online to payment customers, affecting 337,042 data subjects, during the period from 25 May 2018 to 10 December 2018.
 
The sanction was imposed following a notification addressed to the National Supervisory Authority on 22 November 2018 indicating that the personal identification number and the address of persons making payments to UNICREDIT BANK S.A., via online transactions, were disclosed to the beneficiary of the transaction through the account statement/transaction details.
 
Pursuant to Article 5(1)(c) of the GDPR (“Principles relating to processing of personal data”), the controller had the obligation to process data limited to what is necessary in relation to the purposes for which they are processed.
 
At the same time, Recital (78) of the Regulation states: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

11 June 2019

The Danish Data Protection Agency has reported IDDesign A/S to the police and proposed a fine of DKK 1.5 million for failure to delete data about 385,000 customers.
 
In the autumn of 2018, the Danish Data Protection Agency carried out a supervisory visit to Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ data and whether the deadlines were complied with.
 
Prior to the inspection, IDdesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other shops. In the old system, information was gathered about the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385,000 customers. During the inspection, IDdesign also stated that personal data in the old system had never been deleted.
 
The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
 
IDdesign had not determined when personal data in the old system would no longer be necessary for the purposes of processing, and thus had not specified the deadlines applicable to erasure of the personal data processed in the system.
 
The Data Protection Agency therefore considers that IDdesign has not complied with the requirements of the data protection regulation, having processed the personal data for a longer time than necessary.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

07 June 2019

The information provided should enable users to understand what risks they may run and how they can protect their personal data.

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach. In that notification the company had declared that technical inquiries had spotted, on 20 February, fraudulent accesses via a WiFi hotspot which had affected about one and a half million email credentials belonging to users that had accessed the service via webmail.

In an attempt to limit the consequences of the data breach, the company had ‘obliged’ users to reset their passwords and made available a webpage containing information on the data breach prior to emailing a communication to all the affected users. That communication was emailed afterwards; however, based on the findings of the Garante’s inspection, it proved to fall short of the requirements under data protection legislation. Indeed, two different communications had been emailed by the company depending on whether the given user had changed his or her password or not in the 48 hours following publication of the information on the data breach.
In both cases the communication referred to ‘unusual activities on our IT systems’ and the users that had changed their passwords were not advised to take any additional measures as it was stated that the changed password had made the old credentials useless. Conversely, those users that had failed to change their passwords were only advised to do so in order to ‘do away with the risk of unauthorised access to your email account’. Such information was considered to be insufficient by the Garante in the light of the severe risks users had been exposed to.

Accordingly, the Garante ordered the company to reiterate the communication of the data breach to the affected users, describing the type of breach and its possible consequences and providing users with specific guidance on what measures to take in order to prevent additional risks – such as not using the affected credentials and changing the passwords used to access any other online service if those passwords are identical with or similar to the breached ones.

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it 

28 May 2019

On Tuesday 28 May 2019, the Belgian DPA imposed its first financial penalty since the entry into application of the GDPR. The administrative fine amounts to EUR 2 000 and concerns the misuse of personal data for election purposes. Although the fine is modest, the message is not: Data protection is an important matter to us all, but data controllers must assume their responsibility, especially if they have a government mandate.

The Data Protection Authority issues a sanction in the context of an election campaign

This Tuesday 28 May 2019, the Data Protection Authority (APD) issued its first financial sanction since the GDPR entered into force. The administrative fine imposed amounts to 2,000 euros and concerns the misuse of personal data by a mayor for election campaign purposes. Although the fine is modest, its message is important: data protection is everyone's business, and controllers must assume their responsibilities, especially when they hold a public mandate.

The case: a personalised election e-mail sent by a public office-holder

The APD received a complaint concerning a mayor's use, for election campaign purposes, of data obtained in the exercise of his functions.

The complainants had been in contact with the mayor of the municipality through their architect in connection with a modification to a land parcelling plan. On that occasion, the architect had contacted the mayor by e-mail with the complainants' e-mail addresses in copy. The day before the municipal elections of 14 October 2018, the mayor then used the e-mail's “Reply” function to send an election message to the complainants.

Both parties were heard by the Litigation Chamber of the APD on 28 May 2019. Following that hearing, the Chamber concluded that an infringement of the GDPR had indeed been committed.

Failure to respect the purpose limitation principle in data protection

The General Data Protection Regulation (GDPR) specifies that data collected by a controller (in this case: the e-mail addresses obtained by the mayor) must be collected for specified purposes and may not be further processed in a manner incompatible with those purposes. Reusing data obtained in the context of a planning project for election campaign purposes therefore contravenes this purpose limitation principle and constitutes an infringement of the GDPR.

The Litigation Chamber of the APD considers that respect for the purpose limitation principle is one of the crucial rules of the GDPR and that holders of a public mandate (such as mayors) to whom citizens have entrusted personal data must be particularly vigilant. They must be aware that data acquired in the exercise of a public function may never be reused for personal purposes.

Taking into account, however, the limited number of persons affected, as well as the nature, gravity and duration of the infringement, the Litigation Chamber issued a reprimand together with a financial sanction in the form of a moderate fine of 2,000 euros.

“The use of personal data by political figures for election campaign purposes is a matter of great concern to citizens. It is important to recall that public office-holders must comply with the legislation,” explains Hielke Hijmans, President of the Litigation Chamber of the APD.

The GDPR: a regulation that applies to everyone

The Litigation Chamber's decision is the first financial sanction issued by the Belgian Data Protection Authority and comes just one month after its new executive committee took office. Although the fine is modest, its message is important: data protection is everyone's business.

Hielke Hijmans adds: “Compliance with the GDPR applies to all controllers, and most certainly to holders of a public mandate. A mayor is expected to be aware of the regulations and to comply with his obligations.”

David Stevens, President of the APD, comments: “The protection of personal data is both a state of mind and a practice: the controller must always take a critical look at the use he wishes to make of the data at his disposal.”

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

21 May 2019

The State Data Protection Inspectorate has imposed an administrative fine in the amount of EUR 61,500 for breaches of the General Data Protection Regulation. The sanctions were imposed on MisterTango UAB for breaches of Articles 5, 32 and 33 of the afore-mentioned Regulation, i.e. a personal data breach in the payment initiation service system which, inter alia, was also not reported to the supervisory authority. In the opinion of the Inspectorate, the start of imposing fines under the General Data Protection Regulation should be a significant signal to other companies which only declaratively comply with the provisions of the above legal acts.

The State Data Protection Inspectorate (Inspectorate) carried out an investigation and imposed a fine, taking into account the information received about the personal data of bank customers that had been made public and the possible personal data breach at MisterTango UAB. The company operates internationally and provides payment services to residents and companies of Lithuania and to foreign residents and companies. It has established a branch in Latvia and has provided services in other countries. The Lithuanian supervisory authority, which coordinated its decision with the Latvian personal data protection supervisory institution in accordance with the provisions of the General Data Protection Regulation (GDPR), had the opportunity to receive confirmation of the correctness of its conclusions from its colleagues. This case also shows that companies should pay more attention to the management of data breaches and to cooperation with the supervisory authority in the course of investigations.

Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it improperly processed personal data in screenshots (SS), made personal data publicly available and failed to report the personal data breach to the personal data protection supervisory authority.

Regarding improper processing of personal data. In the light of the information collected during the investigation and the clarifications provided, it has been determined that MisterTango UAB processes (accesses, collects) more personal data than it indicates as necessary for effecting the payment initiated by the payer itself. The Inspectorate considers that, for the purposes of implementing the data minimisation principle, only such data as the name, surname and, if the payer wishes, his/her identification code, bank account number, currency and balance, and purpose of the payment/payment code necessary for effecting the payment should be collected. However, in addition to the afore-mentioned data, the company also collected data such as the dates, sender names and amounts of unreviewed electronic invoices; the dates, subjects and part of the text of unread notifications; the purposes, types and amounts of loans; the names of pension funds, accumulated units, their value and accumulated amounts; the types of credits (e.g. mortgage credit), outstanding balances, amounts and dates of other payments, the numbers of issued payment cards and the amounts on such payment cards, all of which should be considered superfluous data. Furthermore, it has been determined that the company stores such data longer than it has itself established and indicated as necessary, i.e. the data provided during the investigation suggests that the data was stored for 216 days instead of 10 minutes. Under Article 5 of the GDPR, the company shall be responsible for, and be able to demonstrate, compliance with the principle of accountability; nevertheless, the company failed to provide sufficient evidence to the supervisory authority during the investigation.

Publicity of personal data. During the investigation it was determined that a web page listing the payments processed by MisterTango UAB was visible for more than two days (9-10 July 2018). Payments made by customers of different banks through MisterTango UAB's payment initiation service, together with the personal data of those customers, were thus made public. In addition, more than 9,000 screenshots of the payment-session detail pages of customers of 12 different banks in different countries were made publicly available. It was further established that the management, installation and maintenance of MisterTango UAB's IT infrastructure (hardware and software) were all carried out by a single employee, who thus combined functions that should have been segregated. As a result, neither proper minimisation of possible unauthorised or unintentional modifications nor proper implementation of a personal data protection policy was ensured. MisterTango UAB therefore failed to choose technical and organisational measures ensuring a level of security appropriate to the risk, including protection against unlawful processing and disclosure, in breach of Articles 5 and 32 of the GDPR.

Failure to notify the personal data breach. Under the GDPR, an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed is a personal data breach. In the Inspectorate's view, the incident described above, in which unauthorised persons had access to personal data on the Internet for two days, is such a breach and had to be reported to the supervisory authority. MisterTango UAB was therefore obliged to notify the breach to the Inspectorate without undue delay and, where feasible, not later than 72 hours after becoming aware of it. As MisterTango UAB failed to do so, it breached Article 33 of the GDPR.

When deciding on the amount of the administrative fine, the Inspectorate took into account all circumstances relevant to the liability of MisterTango UAB: the company processed personal data in a non-transparent manner, to a greater extent and for longer than necessary for the purpose of the processing; the unlawful processing was systematic; the company failed to ensure the security of the personal data at the time of the breach; it failed to report to the supervisory authority a breach affecting data that directly identifies the data subjects; the data was subject to banking secrecy and was processed without encryption; and during the breach the data was processed without any access control. The fine of EUR 61,500 was set taking into account the company's total annual worldwide turnover. The Inspectorate's decision has not yet taken effect and may be appealed to the court.

According to the data available to the Inspectorate, France, Spain, Germany, Poland, Austria, Bulgaria, Cyprus, Malta have already imposed significant fines under the GDPR.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt

24 April 2019
Two cases concerning Svea Ekonomi, a financial credit company, have been processed at the Office of the Data Protection Ombudsman. As a result, the Data Protection Ombudsman has ordered the company to correct its practices in the processing of personal data related to the assessment of creditworthiness, the right to inspect one's own personal data and notification practices.
One of the cases concerning Svea Ekonomi has been processed at the Office of the Data Protection Ombudsman as a complaint made by a single data subject. It concerned the personal data used to assess creditworthiness and the data subject's right to inspect data concerning them. Furthermore, the Office of the Data Protection Ombudsman began to process the matter concerning the company's notification practices upon its own initiative.
In its decision, the Data Protection Ombudsman stated that the use of a categorical upper age limit in assessing creditworthiness is not acceptable under the definition of credit information set out in the Credit Information Act. The mere age of the credit applicant does not describe their solvency, willingness to pay or ability to deal with their commitments. Based on the account submitted by the company, the credit applicant's financial position has not been taken into consideration at all in the automatic processing of the credit application.
The Data Protection Ombudsman also pointed out that the company's on-line credit decision service should be considered automatic decision-making of the kind referred to in Article 22 of the General Data Protection Regulation, in which the decision is essential in order to conclude or implement an agreement between the company and the credit applicant.
In its decision, the Data Protection Ombudsman ordered Svea Ekonomi to change its processing of personal data related to assessing creditworthiness. The company must also provide the private person who complained about the matter with information on the logic employed in the automatic decision-making, its role in making the credit decision and its consequences for the credit applicant.
The procedure employed by Svea Ekonomi for assessing creditworthiness was also processed at the National Non-Discrimination and Equality Tribunal, which in its decision 216/2017, dated 21 March 2018, prohibited the company from repeating a procedure that is against the Equality Act and the Non-Discrimination Act.
The Office of the Data Protection Ombudsman has also investigated Svea Ekonomi's notification practices related to the automatic decision-making system used to assess creditworthiness. The Data Protection Ombudsman stated that the current notification practices do not sufficiently specify the logic of data processing so that the credit applicant could understand the grounds for the decision and ordered that such notification practices be changed.
Based on the Data Protection Ombudsman's decision, Svea Ekonomi must report by 30 April 2019 how it has changed its processing of personal data. According to the Office of the Data Protection Ombudsman, Svea Ekonomi has not applied for a change to the decision, so the decision is legally enforceable.
Further information:
Data Protection Ombudsman Reijo Aarnio, tel. +358 40 520 7068, reijo.aarnio(at)om.fi
26 March 2019

The President of the Personal Data Protection Office (UODO) imposed its first fine for the amount of PLN 943 000 (around €220 000) for the failure to fulfil the information obligation.

“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, emphasised Dr Edyta Bielak-Jomaa, President of UODO.

Many people whose data were processed by the company were not aware of this. The controller did not inform them about the processing and thus deprived them of the possibility to exercise their rights under the General Data Protection Regulation (GDPR). Therefore, they had no possibility to object to further processing of their data, to request their rectification or erasure. The President of the Personal Data Protection Office considered the breach to be serious, since it concerns the fundamental rights and freedoms of persons, whose data are processed by the company and relates to the basic issue – the information on the processing of data. Imposing the fine is necessary, because the controller does not comply with the law.

As Piotr Drobek, Director of the Analysis and Strategy Department at UODO, explained, the company did not meet the information obligation in relation to over 6 million people. Of the roughly 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data. This shows how important it is to properly fulfil the information obligations so that data subjects can exercise the rights they are entitled to under the GDPR.

The decision of the UODO's President concerned proceedings related to the activity of a company which obtained data subjects' data from publicly available sources, inter alia the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority examined non-compliance with the information obligation in relation to natural persons conducting business activity: entrepreneurs currently conducting such activity or having suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation, by providing the information required under Art. 14(1)-(3) of the GDPR, only in relation to the persons whose e-mail addresses it had at its disposal. For the remaining persons the controller did not comply with the information obligation, citing, in the course of the proceedings, high operational costs, and instead merely published an information clause on its website.

In the opinion of the President of the Personal Data Protection Office, such action was insufficient – while having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them, that is it should have informed them inter alia on: their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.

In the opinion of the UODO's President, the provisions do not oblige the controller to send such correspondence by registered mail, which the company had cited as the reason the obligation was too expensive to fulfil.

In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal.

The President of the Personal Data Protection Office found that the controller's infringement was intentional, because, as established during the proceedings, the company was aware of the obligation to provide the relevant information and of the need to inform the persons directly.

While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.

For further information, please contact the Polish Supervisory Authority: kancelaria@uodo.gov.pl / zwme@uodo.gov.pl

25 March 2019

The Danish Data Protection Agency has issued a statement declaring that it proposes to fine Taxa 4x35 a total of DKK 1.2 million for a breach of the GDPR.

Taxa 4x35 could be fined for failure to delete customers’ data. This is the first time that the Danish Data Protection Agency proposes a fine in accordance with the rules of the GDPR.

8,873,333 taxi trips
In the autumn of 2018, the Danish Data Protection Agency inspected the Danish taxi company Taxa 4x35. According to Taxa 4x35, personal data used for booking and settlement of the taxi service are anonymised after two years, since there is no longer a need to identify the customer.

However, only the customer's name is deleted after these two years, not the phone number. Information on the customer's taxi trips (including addresses) can therefore still be traced to the customer via the phone number, which is not deleted until five years have passed. At the time of the inspection, 8,873,333 personal data records for taxi trips older than two years were found.

Assessment by the Danish Data Protection Authority
The reason the phone number is not deleted is, according to the taxi company, that the number is the key in the system's database and is therefore necessary for the company's product and business development.

According to the Danish Data Protection Authority, however, it is not acceptable to store personal data three years longer than necessary, only because the company’s system makes compliance with the GDPR burdensome.
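
The technical root of this case is that deleting the name does not anonymise a record whose key is still a phone number: anyone holding a phone directory can join the trips straight back to people. The usual fix keeps the key's grouping property without its identifying property, by replacing the phone number with a random surrogate when the retention period runs out. The block below is an added example, not Taxa 4x35's or the Danish DPA's code; the table layout, the trip rows, the directory and the two-year cut-off as a 730-day figure are constructed assumptions.

```python
"""Swapping a phone-number key for a random surrogate after two years.

Added example; not the taxi company's or the DPA's code. The row layout,
the sample trips and DIRECTORY are constructed.
"""
import secrets
from datetime import date, timedelta

CUTOFF = timedelta(days=2 * 365)  # the two years the company itself stated

# Constructed trip records. The phone number is the key linking a customer's
# trips; the name has already been blanked on the old rows, as in the case.
TRIPS = [
    {"trip_id": 1, "phone": "+4520000001", "name": "", "pickup": "Nørregade 1", "date": date(2016, 5, 3)},
    {"trip_id": 2, "phone": "+4520000001", "name": "", "pickup": "Vestergade 9", "date": date(2016, 8, 9)},
    {"trip_id": 3, "phone": "+4520000002", "name": "", "pickup": "Strandvejen 4", "date": date(2016, 1, 20)},
    {"trip_id": 4, "phone": "+4520000001", "name": "A. Jensen", "pickup": "Østergade 2", "date": date(2018, 10, 1)},
]

# Constructed phone directory that an attacker or insider could join against.
DIRECTORY = {"+4520000001": "A. Jensen", "+4520000002": "B. Hansen"}


def reidentify(trips, directory):
    """Name-only deletion fails: the phone number still joins to a person."""
    return {t["trip_id"]: directory[t["phone"]]
            for t in trips if t["phone"] in directory}


def anonymise(trips, today):
    """Replace the phone number on every trip older than CUTOFF.

    The same phone gets the same surrogate within one pass, so trips stay
    grouped per customer for product statistics. The phone->surrogate map
    is local to the function and discarded on return; nothing retained can
    link a surrogate back to a person. A keyed HMAC with a retained key
    would only pseudonymise, which is not the same thing.
    """
    mapping = {}
    out = []
    for t in trips:
        row = dict(t)
        if today - t["date"] >= CUTOFF:
            row["name"] = ""
            row["phone"] = mapping.setdefault(
                t["phone"], "cust-" + secrets.token_hex(8))
        out.append(row)
    return out


def trips_per_customer(trips):
    """The business statistic the key was said to be needed for."""
    counts = {}
    for t in trips:
        counts[t["phone"]] = counts.get(t["phone"], 0) + 1
    return sorted(counts.values(), reverse=True)
```

Run against the constructed rows with today set to 1 November 2018: before the pass every trip re-identifies; after it, only the one trip younger than two years still does, and the old trips still count as "two by one customer, one by another" for analytics. Because the surrogates are random and the mapping is dropped, re-running the pass yields different surrogates, which is harmless since it only ever rewrites rows that are already past the cut-off.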

“We have opted for a fine in this case. This is due to the fact that there are very large amounts of personal data which have been stored without an objective purpose. One of the basic principles in the field of data protection is that you only store the information you need — and when you do not need it anymore, it must be deleted immediately,” says the Danish DPA’s director Cristina Angela Gulisano.

Next steps
In most European countries, national data protection authorities can themselves issue administrative fines, but the rules are different in Estonia and Denmark. After examining and assessing the case, the DPA transfers it to the police, who examine whether there are grounds for a charge; any financial penalty is ultimately settled before a court.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

21 March 2019

The NAIH was notified by a member of the public that a database containing personal data of supporters of the Hungarian parliamentary party Democratic Coalition (DK), taken from the webpage http://web.dkp.hu operated by the party, was openly accessible on an anonymous hacker forum. The database contains the users' e-mail addresses, full names, login names and passwords stored as MD5 hashes (a fast general-purpose hash, not encryption and not a password hash, so a weak protection). The database reached the forum after an unknown attacker exploited an SQL injection (SQLi) vulnerability in the webpage to extract it and then uploaded the data to the internet. DK was aware of the breach, because the attacker had informed the party as well. The party nevertheless neither notified the NAIH of the breach nor informed the data subjects, as required by Articles 33-34 of the GDPR.
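
The exfiltration path described above, an SQL injection that hands the whole user table to whoever controls one input field, is short to demonstrate. The block below is an added example and not the DK website's code, which is not public: the table, the rows and the query shapes are constructed, and MD5 is used for the stored password only because that is what the leaked database contained.

```python
"""SQL injection in a login query and in a lookup query, with the fix.

Added example; not code from the site in the case. Table layout, rows and
queries are constructed; sqlite3 stands in for whatever database was used.
"""
import hashlib
import sqlite3


def setup():
    """In-memory users table shaped like the leaked one (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, email TEXT, name TEXT, pw_md5 TEXT)")
    rows = [
        ("anna", "anna@example.org", "Anna K.", hashlib.md5(b"sunshine").hexdigest()),
        ("bela", "bela@example.org", "Béla T.", hashlib.md5(b"password1").hexdigest()),
    ]
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    return db


def login_vulnerable(db, login, password):
    """The input is spliced into the SQL text, so a quote ends the literal
    and '--' comments out the password check."""
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT login FROM users WHERE login = '{login}' AND pw_md5 = '{pw_md5}'"
    return [r[0] for r in db.execute(sql)]


def dump_vulnerable(db, login):
    """Same flaw on a lookup query: a UNION payload appends every row,
    including the password hashes, to the result."""
    sql = f"SELECT name FROM users WHERE login = '{login}'"
    return [r[0] for r in db.execute(sql)]


def login_fixed(db, login, password):
    """Parameterised: the driver sends the value separately from the SQL,
    so quotes and comment markers in it are just characters."""
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT login FROM users WHERE login = ? AND pw_md5 = ?"
    return [r[0] for r in db.execute(sql, (login, pw_md5))]


def dump_fixed(db, login):
    return [r[0] for r in db.execute("SELECT name FROM users WHERE login = ?", (login,))]


# Constructed attacker inputs.
BYPASS = "anna' -- "
DUMP = "x' UNION SELECT login || ':' || email || ':' || pw_md5 FROM users -- "
```

With the constructed inputs, `login_vulnerable(db, BYPASS, "wrong")` authenticates as anna, and `dump_vulnerable(db, DUMP)` returns every login, e-mail and hash in one response, which is the artefact that later appeared on the forum. Both parameterised variants return nothing for the same inputs.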

The NAIH opened an administrative review procedure, which led to a data protection administrative procedure under Article 9(1) and Article 33(1) of the GDPR and Section 60(1) of the Hungarian Privacy Act.

Throughout the procedure DK maintained that it was not obliged to notify the supervisory authority or the data subjects, because the leaked database contained only out-of-date personal data of members and sympathisers of the party which had not been updated for years.

In its resolution the NAIH pointed out that, for the risk posed by the breach, it is irrelevant that the leaked data had not been updated for a long time. The breach is still a high-risk incident, because it affected data of real natural persons who are, or could still be, members or sympathisers of the political party. The NAIH therefore treated as an aggravating circumstance that the data concerned are special categories of personal data revealing the political opinions of the data subjects. Moreover, DK protected the passwords with an outdated algorithm (MD5), which in itself poses a serious risk to the rights and freedoms of individuals, because once such hashes are public the passwords can be recovered and used to breach other online services the data subjects use.
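
The NAIH's point about MD5 is worth seeing in numbers: an unsalted fast hash lets one precomputed table crack every user in the dump at once, whereas a salted, memory-hard password hash forces a separate expensive computation per user and per guess. The block below is an added example, not part of the NAIH decision; the leaked hashes, the wordlist and the scrypt parameters are constructed assumptions, and the wordlist is kept tiny so the scrypt side runs in about a second.

```python
"""Cracking leaked MD5 password hashes versus salted scrypt hashes.

Added example; not from the NAIH decision. LEAKED_MD5, WORDLIST and the
scrypt cost parameters are constructed assumptions.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "budapest", "sunshine", "letmein"]

# Constructed "leak": the password column an attacker gets from the dump.
LEAKED_MD5 = {
    "anna": hashlib.md5(b"sunshine").hexdigest(),
    "bela": hashlib.md5(b"budapest").hexdigest(),
    "csilla": hashlib.md5(b"Zx!9q#Lm2v").hexdigest(),  # not in the wordlist
}

# scrypt cost (assumed for the demo): 2**14 iterations, 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def crack_md5(leaked, wordlist):
    """Build one hash->word table and look every user up in it.

    Returns (cracked users, number of hash computations). Because the
    hashes are unsalted, the work is len(wordlist) regardless of how many
    users leaked, and the table is reusable across every MD5 dump.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(table)


def hash_password(password, salt=None):
    """Salted scrypt: a random 16-byte salt per user, stored with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)


def crack_scrypt(leaked, wordlist):
    """Per-user salts kill the shared table: every (user, guess) pair costs
    a full scrypt run. Weak passwords still fall, but the work is now
    users x guesses and each unit of work is deliberately slow and
    memory-hungry. Returns (cracked users, number of scrypt runs)."""
    found, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, salt, digest):
                found[user] = guess
                break
    return found, work
```

The MD5 side recovers anna's and bela's passwords after six cheap hash computations shared across all three users; the scrypt side needs fifteen separate runs of a function tuned to take tens of milliseconds and 16 MiB each, and that cost scales with the number of users in the dump. The passwords it does recover are the ones that were in the wordlist anyway, which is the remaining reason to also tell the data subjects, as Article 34 requires, so they can change reused passwords elsewhere.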

NAIH imposed an administrative fine of 11 million HUF (~ 35 000 €) on DK for violating Articles 33-34 of the GDPR, because DK neither notified the high-risk personal data breach to the supervisory authority nor communicated it to the approximately 6,000 data subjects despite being aware of it.

The decision of the NAIH is available in Hungarian at https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf

For further information, please contact the NAIH directly: ugyfelszolgalat@naih.hu

20 March 2019

A decision by the Italian Garante issued on 20 December 2018 set out the conditions for the Italian Revenue Agency to start processing activities under the new e-invoicing legislation that came into force on 1 January 2019 – whereby e-invoices will have to be issued for all payment transactions between suppliers of goods and services as well as between suppliers and consumers of those goods and services.

The 20 December decision followed an earlier decision of the Garante of 16 November 2018, which had highlighted several critical issues in the data protection compatibility of the implementing mechanisms envisaged by the Agency. With the November decision the Garante issued its first-ever 'warning', relying on the new powers set out in Article 58 of the GDPR. The warning was addressed to the Revenue Agency and pointed out the 'major criticalities related to the systematic, generalised, detailed processing of personal data on a large scale' envisaged by the Agency, which the Garante asked to clarify how it planned to bring the relevant processing operations into line with the Italian and European legal framework.

An ad-hoc working party was set up by the Agency with the Garante and the Ministry of economics and finance to tackle and do away with those criticalities, involving additional stakeholders such as the National Council of Chartered Accountants and Accounting Experts, the National Council of Occupational Consultants, and the Association of Producers of Management and Accounting Software (AssoSoftware).

The working party dealt with the shortcomings pointed out by the Garante in its November decision, which were multifarious in nature. Indeed, the Revenue Agency had planned to store and make available, on its web portal, all e-invoicing files in full (about 2.1 billion in 2017), but those files include detailed information on the purchased goods and services that is per se irrelevant for taxation purposes. On the other hand, that information can disclose consumption patterns in the most diverse areas, ranging from utilities and telecoms to transportation (highway tolls, flight tickets, hotel bookings) up to legal and health care services (where the e-invoice includes references to criminal or other proceedings or the medical diagnosis performed on a given patient undergoing treatment). This was found to be disproportionate compared to the public interest purpose the new legislation was intended to achieve.

The revised e-invoicing system envisages storage by the Agency of only the data required for the automated checks the Agency is called upon to perform for taxation purposes – e.g., in terms of consistency between e-invoicing data and the information held by the Agency on a given taxpayer; no information describing the purchased goods or services will be stored. Additionally, no e-invoices will have to be issued for health care services or goods. Storage of and access to the full contents of e-invoices will only be possible (after the initial implementing period) on the taxpayer’s specific request and based on agreements for which the Garante’s green light will be necessary.

Two additional major criticalities had been detected by the Garante, which had warned the Agency of the need to remedy them prior to the final roll-out of the system. One had to do with the role played by the intermediaries taxpayers may rely on for transmitting, receiving and storing their e-invoices; since those intermediaries may provide their services to several companies and entities at the same time, there is an increased risk of data leaks or misuse through cross-referencing and combination of huge amounts of information. Secondly, there were several IT security risks in the system, starting with the lack of data encryption mechanisms, especially for e-invoices transmitted via 'certified' e-mail systems, which the Garante had urged the Agency to address.

Those additional criticalities were remedied in part by the working group, and in December the Garante called upon the Agency to make further efforts in that direction. In particular, the Agency will have to carry out an additional data protection impact assessment by 15 April this year, pursuant to Article 35 of the GDPR. The Garante had already emphasised that the Agency should have carried out a DPIA before submitting the e-invoicing project to the Garante's scrutiny, in line with the data protection by design requirement set forth in the GDPR; indeed, the Garante had pointed out that such a requirement was already envisaged in the pre-GDPR legislation under the 'prior checking' umbrella.

For Further information, please contact the Italian SA directly: garante@garanteprivacy.it

19 March 2019

The Norwegian Data Protection Authority (Datatilsynet) has imposed an administrative fine of 1.6 million Norwegian kroner, or the equivalent of €170,000, on the Municipality of Bergen.
The incident relates to computer files with usernames and passwords for over 35,000 user accounts in the municipality's computer system. The user accounts belonged both to pupils in the municipality's primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures made it possible for anyone to log in to the schools' various information systems and thereby access various categories of personal data relating to the pupils and employees of the schools.

Inadequate Data Security
Datatilsynet found that the municipality’s lack of appropriate measures to protect the personal data in the computer file systems constituted violations of both art. 5(1)f and art. 32 GDPR. Consequently the supervisory authority issued an administrative decision, imposing a fine of 170,000 € on the municipality.
- The security in the login system has been so poor, that unauthorized persons could get access to usernames and passwords in the learning platform and in the school’s administrative systems, says director Bjørn Erik Thon.

The system in question contains information about a user’s name, password, date of birth, address, school affiliation and school grade. When employees and pupils log in, they get access to various systems, for instance the central digital learning platform, which contains the pupils’ schoolwork and the teachers’ evaluations of each individual pupil’s performance at school.

Personal data of 35 000 individuals, primarily children

The fact that the security breach encompasses personal data of over 35,000 individuals, and that the majority of these are children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that its data security was inadequate.

- In the GDPR, children are defined as a particularly vulnerable group that shall be given special protection. It is important that municipalities and other public bodies that process personal data are aware of their responsibilities. Public authorities often process information about us that we do not control, neither do we have a choice in whether or not this information is made available to others. We should be able to trust the public sector, says director Bjørn Erik Thon.

The GDPR stipulates that administrative fines shall be effective, dissuasive and proportionate, and Datatilsynet is of the opinion that the size of the fine reflects this. The Norwegian Personal Data Act sets out that all Norwegian public authorities are subject to the provisions on administrative fines in art. 83 GDPR.  
Datatilsynet made its decision in March 2019, and on the 4th of April 2019, the municipality stated in a press conference that it did not wish to appeal the decision.

You can read the full press release in Norwegian here

For further information, please contact the Norwegian DPA: postkasse@datatilsynet.no

20 February 2019

The Commissioner has today issued his decision to the Lands Authority after concluding the investigation of the data breach that was brought to his attention by the Times of Malta on 23 November 2018. The findings of the investigation established that the online application platform available on the Authority's portal lacked the necessary technical and organisational measures to ensure the security of processing. The Lands Authority was found to have infringed the provisions of Article 32 of the General Data Protection Regulation (GDPR) and, in terms of Article 21 of the Data Protection Act (CAP. 586), was served with an administrative fine of €5,000. The level of the fine was reached after the Commissioner took into account the circumstances set out under Article 83(2) of the GDPR.

The temporary ban imposed on the Authority’s portal has been lifted.

The Lands Authority offered their full and unrestricted collaboration to the Commissioner during the course of the entire investigation.    

You can read the original press release here

For further information, please contact the Maltese Supervisory Authority: idpc.info@idpc.org.mt

12 February 2019

Summary
The Austrian Data Protection Authority has finalised its investigation into the Austrian Post (Österreichische Post AG) and issued a decision stating the Austrian Post has violated several provisions of the GDPR.

Specifically, the Austrian DPA is of the opinion that the Austrian Post processes special categories of personal data (political opinions) by attributing preferences for certain political parties to data subjects using statistical calculation methods. In the absence of explicit consent from the data subjects concerned and of any other legal basis for processing these data, the Austrian DPA found this to be contrary to the GDPR.

Furthermore, the Austrian DPA found that the DPIA for this kind of processing and the record of processing activities were erroneous.

Consequently, the Austrian DPA imposed an immediate ban on these processing operations, ordered the erasure of the data and ordered the Austrian Post to carry out a new DPIA and to rectify its record of processing.

The decision is not final and will be challenged before the Federal Administrative Court.

Data Protection Authority concludes review procedure against the Post and finds infringements

Vienna (OTS) - The Data Protection Authority took the reports that Österreichische Post Aktiengesellschaft (Post) processes data on party affinity as grounds to open an ex officio review procedure.

The review procedure established that the Post does in fact, within the scope of its trade as an address publisher and direct marketing company ("Adressverlage und Direktmarketingunternehmen"), determine among other things the party affinities of individuals by means of statistical methods.

The Data Protection Authority found that these data may not be processed without the consent of the data subjects. It ordered that this processing cease with immediate effect and that the data be erased, unless in the individual case there is a reason for further processing. This could be the case in particular where a request for access is being handled or where consent to the processing actually exists.

Furthermore, the Data Protection Authority found that the data protection impact assessment for this processing and the entry in the internal record of processing activities are deficient. It ordered that the data protection impact assessment be repeated and the entry corrected.

For more information, please contact the Austrian supervisory authority at dsb@dsb.gv.at 

31 January 2019

The Hellenic DPA, in order to a) explore the level of compliance with the General Data Protection Regulation (GDPR), six months after it became applicable, and with the specific legislation on e-privacy, b) raise the awareness of data controllers and data subjects, and c) exercise its envisaged powers, has carried out the following ex officio investigation, which was initiated in December 2018 and is ongoing:

More specifically, the Hellenic DPA investigated 65 controllers operating online in the fields of financial services, insurance services, e-commerce, ticket services and public sector services, to explore how specific requirements are met in the areas of transparency, the use of cookies, the sending of online messages and website security, using indicative checkpoints as experienced by citizens when navigating and using internet services.

  1. The initial conclusions drawn from this initiative highlight, in general, a lack of compliance with the legislation on cookies and related technologies at almost all the controllers.
  2. There was also a lack of information on the processing operations and the recipients of the data at around 40% of the controllers. It is worth noting that the public sector lags behind in compliance, mainly with regard to transparency, in almost all of the organizations that were investigated.
  3. On the contrary, at a high percentage of more than 80% of data controllers, a satisfactory level of security was observed.
  4. Furthermore, a sufficient degree, more than 70%, of Data Protection Officers’ designation was noted in the private sector.

On the basis of the final conclusions of this first large-scale investigation to check compliance, after the entry into force of the Regulation, the DPA will exercise its powers that are envisaged by the pertinent provisions.

The investigation was presented in the Authority’s recent Information Day on the occasion of the 13th European Data Protection Day on January 28th and is available in Greek at www.dpa.gr  (http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/EUROPEAN_DP_DAY_GENERAL/2019_DP_DAY/FILES%202018/PANAGOPOULOU_G.PDF).

For further questions, please contact the Hellenic Data Protection Authority: contact@dpa.gr

21 January 2019

On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

The handling of the complaints by the CNIL

The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE's European headquarters are situated, did not allow the CNIL to conclude that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have decision-making power over the processing operations carried out in the context of the Android operating system and the services provided by GOOGLE LLC in relation to the creation of an account during the configuration of a mobile phone.

As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding the processing operations carried out by GOOGLE LLC, as were the other DPAs. The CNIL applied the new European framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

In order to deal with the complaints received, the CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing path of a user, and the documents he or she can access, when creating a GOOGLE account during the configuration of a mobile device running Android.

The violations observed by the restricted committee

On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.

A violation of the obligations of transparency and information:

First, the restricted committee notes that the information provided by GOOGLE is not easily accessible to users.

Indeed, the general structure of the information chosen by the company does not enable compliance with the Regulation. Essential information, such as the data processing purposes, the data retention periods or the categories of personal data used for ads personalization, is excessively scattered across several documents, with buttons and links that the user must click to access complementary information. The relevant information is accessible only after several steps, sometimes requiring up to five or six actions. This is the case, for instance, when a user wants to obtain complete information on the data collected about him or her for personalization purposes or for the geo-tracking service.

Moreover, the restricted committee observes that some of the information is not always clear or comprehensive.

Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. Yet these processing operations are particularly massive and intrusive because of the number of services offered (about twenty) and the amount and nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in an overly generic and vague manner, as are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough for the user to understand that the legal basis of the processing operations for ads personalization is consent, and not the legitimate interest of the company. Finally, the restricted committee notes that the retention period is not stated for some data.

A violation of the obligation to have a legal basis for ads personalization processing:

The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that this consent is not validly obtained, for two reasons.

First, the restricted committee observes that the users’ consent is not sufficiently informed.

The information on the processing operations for ads personalization is diluted across several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google Search, YouTube, Google Home, Google Maps, Play Store, Google Photos…) and therefore of the amount of data processed and combined.

Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.

When an account is created, the user can admittedly modify some options associated with the account by clicking on the button “More options”, located above the button “Create Account”. In particular, it is possible to configure the display of personalized ads.

That does not mean that the GDPR is complied with. Indeed, not only does the user have to click on the button “More options” to reach the configuration, but the ads personalization option is moreover pre-ticked. Yet, as provided by the GDPR, consent is “unambiguous” only if it is given through a clear affirmative action by the user (by ticking a box that is not pre-ticked, for instance). Finally, before creating an account, the user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” in order to create the account. The user therefore gives his or her consent in bulk, for all the processing purposes that GOOGLE bases on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that consent is “specific” only if it is given separately for each purpose.

The fine imposed by the restricted committee and its publicity

The CNIL’s restricted committee publicly imposes a financial penalty of 50 million euros on GOOGLE.

This is the first time that the CNIL has applied the new sanction limits provided for by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive users of essential guarantees regarding processing operations that can reveal important parts of their private life, since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of the processing operations in question requires that users be enabled to control their data, and therefore that they be sufficiently informed and able to validly consent.

Moreover, the violations are continuous breaches of the Regulation, as they are still being observed to date. This is not a one-off, time-limited infringement.

Finally, given the significant share of the French market held by the Android operating system, thousands of French people create a GOOGLE account every day when using their smartphone. Furthermore, the restricted committee points out that the company’s economic model is partly based on ads personalization. It therefore bears the utmost responsibility to comply with its obligations on the matter.

You can read the original press release here and in French here.

For further questions, please contact the CNIL directly: https://www.cnil.fr/en/contact-cnil