European Data Protection Board

National news

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.
09 July 2019

This Tuesday, the Belgian Data Protection Authority decided to reprimand the FPS Public Health for not responding to the exercise of a citizen's right of access.

Today, Tuesday 9 July 2019, the Data Protection Authority decided to issue a reprimand to the Federal Public Service (FPS) Public Health. This sanction concerns a case in which the FPS Public Health did not respond to a citizen's request to exercise his right of access, despite an order from the Authority. According to the Authority, respect for citizens' right to the protection of personal data is a cornerstone of the GDPR, and controllers must do everything in their power to guarantee it.

The case: failure to comply with the right of access

The case concerns a healthcare professional whose appointment as a substitute member of the PGC Limburg (Provincial Medical Commission of Limburg) was withdrawn by a decision correcting his previous appointment. The complainant then decided to exercise his right of access to his personal data in order to learn the reason why his position had been withdrawn. Having received no answer from the FPS Public Health, he lodged a first complaint with the Authority at the end of 2018.

In October 2018 the Litigation Chamber of the Authority ordered the FPS Public Health to answer the complainant's request, but the FPS did not respond to the request. The complainant then lodged a complaint for the second time in 2019.

During a hearing, the FPS Public Health acknowledged the facts and stressed that there are problems with its internal procedures.

After hearing both parties, the Litigation Chamber of the Authority concluded that the FPS Public Health had been negligent and decided to issue a reprimand against the FPS concerned, and to publish the decision of the Litigation Chamber including the names of the parties (with the formal consent of the complainant). The Chamber also considers it important that the FPS Public Health introduce internal procedures in the short term so that it can effectively manage its obligations under the GDPR (General Data Protection Regulation).

Hielke Hijmans, President of the Litigation Chamber, explains: “The proceedings brought to light the fact that the FPS Public Health has not introduced internal procedures to meet the requirements of the GDPR, even though the Regulation was published in May 2016 and has applied since May 2018. In doing so, the FPS Public Health also failed to comply with the accountability principle of the controller as laid down in the GDPR.”

Citizens' rights and the introduction of internal procedures

Under the GDPR, citizens have a number of rights to protect their data, such as the right of access to their data, the right to have their data rectified, or the right to have them erased or to object to their processing.

Citizens can exercise their rights with the controller of their personal data. The controller must respond to the data subject's request within one month.

To enable citizens to exercise their data protection rights effectively, it is therefore necessary that organisations processing personal data provide for internal measures enabling them to respond to requests within the statutory time limit, for example by designating a clear contact person for citizens and introducing a response procedure.

“It is very important to us to remind organisations that they must do everything they can to comply with the GDPR,” concludes Hielke Hijmans, President of the Litigation Chamber of the Authority.

David Stevens, President of the Data Protection Authority: “We are pleased that more and more citizens are turning to us to assert their rights.”

Citizens wishing to submit a request for mediation or a complaint can find the procedure here.

To read the full decision in French, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

09 July 2019

Statement in response to Marriott International, Inc.'s filing with the US Securities and Exchange Commission that the Information Commissioner's Office (ICO) intends to fine it for breaches of data protection law.

Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

For press questions, please visit the media section on the ICO website

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the European Union’s General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a civil monetary penalty on a data controller of up to £17 million (EUR 20 million) or 4% of global turnover.
4. The GDPR applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by GDPR, such as law enforcement and security. The government intends to incorporate the GDPR into our data protection law when the UK leaves the EU.
5. Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
· Processed lawfully, fairly and in a transparent manner in relation to individuals;
· Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
· Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
· Accurate and, where necessary, kept up to date;
· Kept in a form which permits identification of data subjects for no longer than is necessary; and
· Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
· Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
7. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
8. To report a concern to the ICO, telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

08 July 2019

Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

You can read the press release on the ICO website here

For further information, please contact the ICO: casework@ico.org.uk

05 July 2019

The National Supervisory Authority finalised an investigation into the controller UNICREDIT BANK S.A. and found that it breached the provisions of Article 25 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The controller was sanctioned with a fine of 613,912 lei, the equivalent of 130,000 euros.
The sanction was applied to UNICREDIT BANK S.A. as a result of the failure to implement appropriate technical and organisational measures, both when determining the means of processing and in the processing operations themselves, designed to effectively implement data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing, in order to meet the GDPR requirements and to protect the rights of the data subjects. This led to the disclosure of data concerning the personal identification number and the payer’s address (for situations where the payer performs the transaction from an account opened with another credit institution – external transactions and cash deposits) and data concerning the payer’s address (for situations where the payer made the transaction from an account opened with UNICREDIT BANK SA – internal transactions) in the documents containing the details of transactions and made available online to payment customers, for 337,042 data subjects, during the period from 25 May 2018 to 10 December 2018.
The sanction was imposed following a complaint addressed to the National Supervisory Authority on 22 November 2018 indicating that the data concerning the personal identification number and the address of the persons performing payments to UNICREDIT BANK S.A., via online transactions, were disclosed to the beneficiary of the transaction through the account statement/details.
Pursuant to Article 5 (1) c) of the GDPR (“Principles relating to processing of personal data”), the controller had the obligation to process the data limited to what is necessary in relation to the purposes for which they are processed.
At the same time, Recital (78) of the Regulation states: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

Read the full press release in Romanian here

For further information, please contact the Romanian Supervisory Authority: anspdcp@dataprotection.ro

11 June 2019

The Danish Data Protection Agency has reported IDDesign A/S to the police and proposed a fine of DKK 1.5 million for failure to delete data about 385,000 customers.
In the autumn of 2018, the Danish Data Protection Agency carried out a supervisory visit to the Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ data and whether those deadlines were complied with.
Prior to the inspection, IDdesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other shops. In the old system, information was gathered about the names, addresses, telephone numbers, e-mail addresses and purchase history of some 385,000 customers. During the inspection, IDdesign also stated that personal data in the old system had never been deleted.
The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
IDdesign did not indicate when personal data in the old system are no longer necessary for the processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system.
The Data Protection Agency therefore considers that IDdesign has not complied with the requirements of the data protection regulation by having processed the personal data for a longer time than necessary.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

07 June 2019

The information provided should enable users to understand what risks they may run and how they can protect their personal data.

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach. In that notification the company had declared that technical inquiries had spotted, on the 20th February, fraudulent accesses via a WiFi hotspot which had affected about one million and a half email credentials belonging to users that had accessed the service via webmail.

In an attempt to limit the consequences of the data breach, the company had ‘obliged’ users to reset their passwords and made available a webpage containing information on the data breach prior to emailing a communication to all the affected users. That communication was emailed afterwards; however, it proved to fall short of the requirements under DP legislation, based on the findings of the Garante’s inspection. Indeed, two different communications had been emailed by the company depending on whether the given user had changed his or her password or not in the 48 hours following publication of the information on the data breach.
In both cases the communication referred to ‘unusual activities on our IT systems’, and the users that had changed their passwords were not advised to take any additional measures, as it was stated that the changed password had made the old credentials useless. Conversely, those users that had failed to change their passwords were only advised to do so in order to ‘do away with the risk of unauthorised access to your email account’. Such information was considered to be insufficient by the Garante in the light of the severe risks users had been exposed to.

Accordingly, the Garante ordered the company to reiterate the communication of the data breach to the affected users, by describing the type of breach and its possible consequences and providing users with specific guidance on what measures to take in order to prevent additional risks – such as not using the affected credentials and changing the passwords to access any other online service if those passwords are identical with or similar to the breached ones.

For more information, please contact the Italian supervisory authority: garante@garanteprivacy.it

28 May 2019

On Tuesday 28 May 2019, the Belgian DPA imposed its first financial penalty since the entry into application of the GDPR. The administrative fine amounts to EUR 2 000 and concerns the misuse of personal data for election purposes. Although the fine is modest, the message is not: Data protection is an important matter to us all, but data controllers must assume their responsibility, especially if they have a government mandate.

The Data Protection Authority imposes a sanction in the context of an election campaign

This Tuesday 28 May 2019, the Data Protection Authority (DPA) imposed its first financial penalty since the entry into force of the GDPR. The administrative fine imposed amounts to 2,000 euros and concerns the misuse of personal data by a mayor for election campaign purposes. Although the fine is modest, its message is important: data protection is everyone's business, and controllers must assume their responsibilities, especially when they hold a public mandate.

The case: a personalised election e-mail sent by a holder of public office

The DPA received a complaint concerning a mayor's use, for election campaign purposes, of data obtained in the performance of his duties.

The complainants had come into contact with the mayor of the municipality through their architect in the context of a modification to a land subdivision. On that occasion the architect had contacted the mayor by e-mail, copying in the complainants' e-mail addresses. On the eve of the municipal elections of 14 October 2018, the mayor then used the e-mail's “Reply” function to send an election message to the complainants.

Both parties were heard by the Litigation Chamber of the DPA on 28 May 2019. Following that hearing, the Chamber concluded that an infringement of the GDPR had indeed been committed.

Non-compliance with the purpose limitation principle in data protection

The General Data Protection Regulation (GDPR) specifies that data collected by a controller (in this case: the e-mail addresses obtained by the mayor) must be collected for specified purposes and may not be further processed in a manner incompatible with those purposes. Reusing data obtained in the context of an urban planning project for election campaign purposes therefore contravenes this purpose limitation principle and constitutes an infringement of the GDPR.

The Litigation Chamber of the DPA considers that respect for the purpose limitation principle is one of the crucial rules of the GDPR and that holders of public office (such as mayors) to whom citizens have entrusted personal data must be particularly vigilant. They must be aware that data acquired in the course of public office may never be reused for personal purposes.

Taking into consideration, however, the limited number of persons affected, as well as the nature, gravity and duration of the infringement, the Litigation Chamber issued a reprimand together with a financial penalty in the form of a modest fine of 2,000 euros.

“The use of personal data by political figures for election campaign purposes is a matter of great concern to citizens. It is important to recall that holders of public office must comply with the legislation,” explains Hielke Hijmans, President of the Litigation Chamber of the DPA.

The GDPR: a regulation that applies to everyone

The Litigation Chamber's decision is the first financial penalty imposed by the Belgian Data Protection Authority and comes only one month after its new management board took office. Although the fine is modest, its message is important: data protection is everyone's business.

Hielke Hijmans adds: “Compliance with the GDPR applies to all controllers, and most certainly to holders of public office. A mayor is expected to be aware of the regulations and to comply with his obligations.”

David Stevens, President of the DPA, comments: “The protection of personal data is both a state of mind and a practice: the controller must always take a critical look at the use it wishes to make of the data at its disposal.”

To read the full decision in Dutch, click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

21 May 2019

The State Data Protection Inspectorate has imposed an administrative fine in the amount of EUR 61,500 for the breaches of the General Data Protection Regulation. The sanctions were imposed on MisterTango UAB for the breaches of Articles 5, 32 and 33 of the afore-mentioned Regulation, i.e. the personal data breach in the payment initiation service system which, inter alia, has also not been reported to the supervisory authority. In the opinion of the Inspectorate, the start of imposing fines under the General Data Protection Regulation should be a significant signal to other companies which only declaratively comply with the provisions of the above legal acts.

The State Data Protection Inspectorate (Inspectorate) carried out an investigation and imposed a fine, taking into account the information it had received about personal data of bank customers having been made public and a possible personal data breach at MisterTango UAB. The company operates internationally and provides payment services to residents and companies of Lithuania and to foreign residents and companies. It has established a branch in Latvia and provides services in other countries. The Lithuanian supervisory authority, which coordinated its decision with the Latvian personal data protection supervisory institution in accordance with the provisions of the General Data Protection Regulation (GDPR), had the opportunity to receive confirmation from its colleagues that the conclusions it had reached were correct. This case also shows that companies should pay more attention to the management of data breaches and to cooperation with the supervisory authority in the course of investigations.

Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it improperly processed personal data in screenshots (SS), made personal data publicly available and failed to report the personal data breach to the personal data protection supervisory authority.

Regarding improper processing of personal data. In the light of the information collected during the investigation and the clarifications provided, it has been determined that MisterTango UAB processes (accesses, collects) more personal data than it indicates as necessary for effecting the payment initiated by the payer itself. The Inspectorate considers that, for the purposes of implementing the data minimisation principle, only such data as the name, surname and, if the payer wishes, his/her identification code, bank account number, currency and balance, and the purpose of the payment/payment code necessary for effecting the payment should be collected. However, in addition to the afore-mentioned data, the company also collected data such as the dates of provision of unreviewed electronic invoices, names of the senders and amounts; the dates and topics of unread notifications and part of the text of the notification; purposes, types and amounts of loans; names of pension funds, accumulated units, their value and accumulated amounts; types of credits (e.g. mortgage credit), due balances, amounts and dates of other payments, numbers of issued payment cards and the amounts on such payment cards, which should be considered superfluous data. Furthermore, it has been determined that the company stores such data longer than it has itself established and indicated as necessary, i.e. the data provided during the investigation suggests that the data was stored for 216 days instead of 10 minutes. According to Article 5 of the GDPR, the company shall be responsible for and be able to demonstrate compliance with the principle of accountability; nevertheless, the company failed to provide sufficient evidence to the supervisory authority during the investigation.

Regarding the publicity of personal data. During the investigation it has been determined that the website with the list of payments processed by MisterTango UAB was visible for more than 2 days (9-10 July 2018). The payments made by the customers of different bank institutions through the payment initiation service system of MisterTango UAB and the personal data of such customers were made public. Besides, more than 9,000 SSs with the pages of details of the payment sessions of the customers of 12 different banks in different countries were made publicly available. Furthermore, it has been determined that management, installation and maintenance of the IT infrastructure (hardware and software) of MisterTango UAB were carried out by one employee. One employee fulfilled conflicting functions. Consequently, proper minimisation of possible unauthorised or unintentional modifications and implementation of a proper personal data protection policy were not ensured. Thus, MisterTango UAB failed to choose the appropriate technical or organisational measures which would help to ensure a level of security appropriate to the risk, including protection against unlawful processing and disclosure, thereby breaching Articles 5 and 32 of the GDPR.

Regarding the failure to give notification of the personal data breach. According to the GDPR, an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed shall be a personal data breach. From the point of view of the Inspectorate, the afore-mentioned incident, where unauthorised persons were granted access to personal data on the Internet for 2 days, should be considered a data breach which must be reported to the supervisory authority. Therefore, MisterTango UAB was obliged to notify the personal data breach to the Inspectorate without undue delay and, where feasible, not later than 72 hours after having become aware of it. As MisterTango failed to notify the Inspectorate of the breach, it breached Article 33 of the GDPR.

When deciding on the amount of the administrative fine, the Inspectorate took into account all circumstances relevant to the liability of MisterTango UAB, for example, that the company processed the personal data in a non-transparent manner, to a greater extent and for longer than necessary for achieving the purpose of the processing; the unlawful processing was done systematically; it failed to ensure the security of the personal data at the moment of the personal data breach and failed to report to the supervisory authority the personal data breach which had occurred and which affected personal data allowing the data subject to be directly identified; furthermore, the data constituted banking secrecy and was processed without encryption, and during the period of the personal data breach the data was processed without ensuring control of access to such data. When imposing the administrative fine in the amount of EUR 61,500 on the company, the total annual worldwide turnover of the company was taken into account. The decision of the Inspectorate has not yet entered into force and may be appealed against in court.

According to the data available to the Inspectorate, France, Spain, Germany, Poland, Austria, Bulgaria, Cyprus and Malta have already imposed significant fines under the GDPR.

For further information, please contact the Lithuanian supervisory authority: ada@ada.lt

24 April 2019
Two cases concerning Svea Ekonomi, a financial credit company, have been processed at the Office of the Data Protection Ombudsman. As a result, the Data Protection Ombudsman has ordered the company to correct its practices in the processing of personal data related to the assessment of creditworthiness, the right to inspect one's own personal data and notification practices.

One of the cases concerning Svea Ekonomi was processed at the Office of the Data Protection Ombudsman as a complaint made by a single data subject. It concerned the personal data used to assess creditworthiness and the data subject's right to inspect data concerning them. The Office of the Data Protection Ombudsman also began to process the matter concerning the company's notification practices on its own initiative.

In its decision, the Data Protection Ombudsman stated that the use of a categorical upper age limit in assessing creditworthiness is not acceptable under the definition of credit information set out in the Credit Information Act. The mere age of the credit applicant does not describe their solvency, willingness to pay or ability to deal with their commitments. Based on the account submitted by the company, the credit applicant's financial position has not been taken into consideration at all in the automatic processing of the credit application.

The Data Protection Ombudsman also pointed out that the company's online credit decision service should be considered automatic decision-making of the kind referred to in Article 22 of the General Data Protection Regulation, in which the decision is essential in order to conclude or implement an agreement between the company and the credit applicant.

In its decision, the Data Protection Ombudsman ordered Svea Ekonomi to change the processing of personal data related to assessing creditworthiness. The company must also provide the private person who complained about the matter with information on the logic employed in the automatic decision-making, its role in making the credit decision and its consequences for the credit applicant.

The procedure employed by Svea Ekonomi for assessing creditworthiness was also processed at the National Non-Discrimination and Equality Tribunal, which in its decision 216/2017, dated 21 March 2018, prohibited the company from repeating a procedure that is against the Equality Act and the Non-Discrimination Act.

The Office of the Data Protection Ombudsman has also investigated Svea Ekonomi's notification practices related to the automatic decision-making system used to assess creditworthiness. The Data Protection Ombudsman stated that the current notification practices do not sufficiently specify the logic of the data processing for the credit applicant to understand the grounds for the decision, and ordered that such notification practices be changed.

Based on the Data Protection Ombudsman's decision, Svea Ekonomi must notify by 30 April 2019 how it has changed its processing of personal data. According to the Office of the Data Protection Ombudsman, Svea Ekonomi has not sought a change to the decision, so the decision is legally enforceable.

Further information:
Data Protection Ombudsman Reijo Aarnio, tel. +358 40 520 7068, reijo.aarnio(at)om.fi
26 March 2019

The President of the Personal Data Protection Office (UODO) imposed its first fine for the amount of PLN 943 000 (around €220 000) for the failure to fulfil the information obligation.

“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity,” emphasised Dr Edyta Bielak-Jomaa, President of UODO.

Many of the people whose data were processed by the company were not aware of this. The controller did not inform them about the processing and thus deprived them of the possibility to exercise their rights under the General Data Protection Regulation (GDPR): they had no possibility to object to further processing of their data or to request its rectification or erasure. The President of the Personal Data Protection Office considered the breach to be serious, since it concerns the fundamental rights and freedoms of the persons whose data are processed by the company and relates to a basic issue, the information on the processing of data. Imposing the fine is necessary because the controller does not comply with the law.

As Piotr Drobek, Director of the Analysis and Strategy Department at UODO, explained, the company did not meet the information obligation in relation to over 6 million people. Of the about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data. This shows how important it is to properly fulfil the information obligations so that people can exercise the rights they are entitled to under the GDPR.

The decision of the UODO’s President concerned proceedings related to the activity of a company which processed data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity: entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14(1)–(3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons the controller failed to comply with the information obligation, as it explained in the course of the proceedings, due to high operational costs; it therefore presented the information clause only on its website.

In the opinion of the President of the Personal Data Protection Office, such action was insufficient: as the controller had the contact data of the persons concerned, it should have fulfilled the information obligation towards them, that is, it should have informed them, inter alia, of their data, the source of their data, the purpose and period of the planned data processing, and the data subjects’ rights under the GDPR.

In the opinion of the UODO’s President, the provisions do not impose an obligation on the controller to send such correspondence by registered mail, which was raised by the company as an excuse for not fulfilling an expensive obligation.

In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal.

The President of the Personal Data Protection Office found that the controller's infringement was intentional, because, as was established during the proceedings, the company was aware of the obligation to provide relevant information, as well as of the need to inform persons directly.

While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.

For further information, please contact the Polish Supervisory Authority: kancelaria@uodo.gov.pl / zwme@uodo.gov.pl

25 March 2019

The Danish Data Protection Agency has issued a statement declaring that it proposes to fine Taxa 4x35 a total of DKK 1.2 million for a breach of the GDPR.

Taxa 4x35 could be fined for failure to delete customers’ data. This is the first time that the Danish Data Protection Agency proposes a fine in accordance with the rules of the GDPR.

8,873,333 taxi trips
In the autumn of 2018, the Danish Data Protection Agency inspected the Danish taxi company Taxa 4x35. According to Taxa 4x35, personal data used for booking and settlement of taxi services are anonymised after two years, since there is no longer a need to identify the customer.

However, only the customer’s name is deleted after these two years, not the phone number. Information on the customer’s taxi trips (including addresses) can therefore still be traced to the customer via the phone number, which is not deleted until five years have passed. At the time of the inspection, 8,873,333 personal data records were found for taxi trips older than two years.

Assessment by the Danish Data Protection Authority
The reason the phone number is not deleted is, according to the taxi company, that the number is the key in the system’s database and is therefore necessary for the company’s product and business development.

According to the Danish Data Protection Authority, however, it is not acceptable to store personal data three years longer than necessary, only because the company’s system makes compliance with the GDPR burdensome.

“We have opted for a fine in this case. This is due to the fact that there are very large amounts of personal data which have been stored without an objective purpose. One of the basic principles in the field of data protection is that you only store the information you need — and when you do not need it anymore, it must be deleted immediately,” says the Danish DPA’s director Cristina Angela Gulisano.

Next steps
In most European countries, the national data protection supervisory authorities themselves can issue administrative fines, but the rules are different in Estonia and Denmark. After having examined and assessed the case, the DPA transfers the case to the police. The police then examine whether there is a basis for a charge, and any financial penalty is finally settled before a court.

Read the full press release in Danish here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

21 March 2019

The NAIH received a public notice regarding the webpage http://web.dkp.hu operated by a Hungarian parliamentary party, the Democratic Coalition (DK). In the public notice, a Hungarian citizen informed the NAIH that a database containing personal data of the party’s supporters was openly accessible via an anonymous hacker forum. The database contained the users’ e-mail addresses, full names, login names and passwords stored as weak MD5 hashes. The database became accessible on the hacker forum after an unknown attacker reached it through an SQL injection (SQLi) vulnerability in the webpage and then uploaded the data to the internet. DK was aware of the data breach, because the hacker had informed the party as well. Nevertheless, the party had neither notified the NAIH of the breach nor informed the data subjects, as required by Articles 33 and 34 of the GDPR.

The NAIH launched an administrative control procedure, which led to a data protection administrative procedure concerning Article 9(1) and Article 33(1) of the GDPR and Section 60(1) of the Hungarian Privacy Act.

Throughout the procedure, DK took the view that it was not obliged to notify the supervisory authority and the data subjects, because the leaked database contained only out-of-date personal data of members and sympathisers of the party that had not been updated for years.

The NAIH pointed out in its resolution that it is irrelevant to the risk of the data breach that the leaked data had not been updated for a long time. The breach is still considered a high-risk incident, because it affected data of real natural persons who are, or could still be, members or sympathisers of the political party. The NAIH therefore considered it an aggravating circumstance regarding the risk of the breach that the data concerned are special categories of personal data revealing the political opinions of data subjects. Moreover, DK used an outdated hashing algorithm (MD5) for the passwords, which also poses a serious risk to the rights and freedoms of individuals, because the public availability of such information can lead to further breaches of other online services used by the data subjects.
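To illustrate the NAIH's point about MD5-stored passwords, the following is an added example (not code from DK, the NAIH or this page) that contrasts an unsalted MD5 store with a salted, iterated PBKDF2 store and flags legacy entries for migration; the sample accounts, the PBKDF2 parameters and the record format are assumptions made for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts for this illustration (not real data): alice and carol
# happen to have chosen the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2-but-longer",
    "carol": "correct horse battery staple",
}

# Assumed parameters for the hardened scheme (PBKDF2-HMAC-SHA256, random per-user salt).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def md5_digest(password: str) -> str:
    """Legacy scheme of the kind the NAIH criticised: one bare, unsalted MD5 digest.
    MD5 is fast and carries no salt, so equal passwords give equal digests and a single
    precomputed table of common passwords covers every account in a leaked dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_legacy_store(users: dict[str, str]) -> dict[str, str]:
    return {user: md5_digest(pw) for user, pw in users.items()}


def pbkdf2_record(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: salted, iterated PBKDF2-HMAC-SHA256, stored together with its
    parameters as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (assumed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    expected = pbkdf2_record(password, salt, iterations)
    return hmac.compare_digest(expected, record)


def build_hardened_store(users: dict[str, str],
                         iterations: int = PBKDF2_ITERATIONS) -> dict[str, str]:
    return {user: pbkdf2_record(pw, iterations=iterations) for user, pw in users.items()}


def shared_digest_groups(store: dict[str, str]) -> list[list[str]]:
    """Groups of users whose stored values are byte-for-byte identical. In an unsalted
    store this exposes shared passwords from the dump alone; a salted store never does."""
    by_value: dict[str, list[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return sorted(group for group in by_value.values() if len(group) > 1)


def needs_rehash(record: str) -> bool:
    """Flag entries to re-hash at the user's next successful login (the only moment the
    plaintext is available): any non-PBKDF2 value such as a bare MD5 digest, or a PBKDF2
    record whose iteration count is below the current policy."""
    if not record.startswith("pbkdf2_sha256$"):
        return True
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    legacy = build_legacy_store(SAMPLE_USERS)
    hardened = build_hardened_store(SAMPLE_USERS)
    print("shared digests (legacy):  ", shared_digest_groups(legacy))    # [['alice', 'carol']]
    print("shared digests (hardened):", shared_digest_groups(hardened))  # []
    print("verify alice:", pbkdf2_verify(SAMPLE_USERS["alice"], hardened["alice"]))
    print("entries needing migration:", [u for u, r in legacy.items() if needs_rehash(r)])
```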

The NAIH imposed an administrative fine of 11 million HUF (~35 000 €) on DK for violating Articles 33 and 34 of the GDPR, because DK did not notify the high-risk personal data breach to the supervisory authority and did not communicate it to the approximately 6000 data subjects despite being aware of it.

The decision of the NAIH is available in Hungarian at https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf

For further information, please contact the NAIH directly: ugyfelszolgalat@naih.hu

20 March 2019

A decision by the Italian Garante issued on 20 December 2018 set out the conditions for the Italian Revenue Agency to start processing activities under the new e-invoicing legislation that came into force on 1 January 2019 – whereby e-invoices will have to be issued for all payment transactions between suppliers of goods and services as well as between suppliers and consumers of those goods and services.

The 20 December decision followed a previous decision by the Garante of 16 November 2018 in which several criticalities had been highlighted as regards the data protection compatibility of the implementing mechanisms envisaged by the Agency. The November decision had actually led the Garante to issue its first-ever ‘warning’, relying on the new powers set out in Article 58 of the EU GDPR. The warning was addressed to the Revenue Agency to point out the ‘major criticalities related to the systematic, generalised, detailed processing of personal data on a large scale’ envisaged by the Agency, which the Garante asked to clarify how it planned to bring the relevant processing operations into line with the Italian and European legal framework.

An ad-hoc working party was set up by the Agency with the Garante and the Ministry of economics and finance to tackle and do away with those criticalities, involving additional stakeholders such as the National Council of Chartered Accountants and Accounting Experts, the National Council of Occupational Consultants, and the Association of Producers of Management and Accounting Software (AssoSoftware).

The working party dealt with the shortcomings pointed out by the Garante in its November decision, which were multifarious in nature. Indeed, the Revenue Agency had planned to store and make available, on its web portal, all e-invoicing files in full (about 2.1 billion in 2017), but those files include detailed information on the purchased goods and services that is per se irrelevant for taxation purposes. On the other hand, that information can disclose consumption patterns in the most diverse areas ranging from utilities and telecoms to transportation (highway tolls, flight tickets, hotel bookings) up to legal and health care services (where the e-invoice includes references to criminal or other proceedings or the medical diagnosis performed on a given patient undergoing treatment). This was found to be disproportionate compared to the public interest purpose the new legislation was intended to achieve.

The revised e-invoicing system envisages storage by the Agency of only the data required for the automated checks the Agency is called upon to perform for taxation purposes – e.g., in terms of consistency between e-invoicing data and the information held by the Agency on a given taxpayer; no information describing the purchased goods or services will be stored. Additionally, no e-invoices will have to be issued for health care services or goods. Storage of and access to the full contents of e-invoices will only be possible (after the initial implementing period) on the taxpayer’s specific request and based on agreements for which the Garante’s green light will be necessary.

Two additional major criticalities had been detected by the Garante, who had warned the Agency of the need to remedy them prior to the final roll-out of the system. One had to do with the role played by the intermediaries taxpayers may rely on for transmitting, receiving and storing their e-invoices; since those intermediaries may happen to provide their services to several companies and entities at the same time, there is an increased risk of data leaks or misuse due to cross-referencing and combination of huge amounts of information. Secondly, there were several IT security risks in the system, starting from the lack of data encryption mechanisms especially for the e-invoices transmitted via ‘certified’ emailing systems, which the Garante had urged the Agency to address.

Those additional criticalities were remedied in part by the working group and the Garante called upon the Agency in December to make further efforts in that direction. In particular, the Agency will have to carry out an additional data protection impact assessment exercise by the 15th of April this year, pursuant to Article 35 of the GDPR. The Garante had already emphasized that the Agency should have taken care to carry out a DPIA prior to submitting the e-invoicing project to the Garante’s scrutiny, in line with the requirements for a data protection by design approach that is set forth in the GDPR; indeed, the Garante had pointed out that such a requirement was already envisaged in the pre-GDPR legislation under the ‘prior checking’ umbrella.

For further information, please contact the Italian SA directly: garante@garanteprivacy.it

19 March 2019

The Norwegian Data Protection Authority (Datatilsynet) has imposed an administrative fine of 1.6 million Norwegian kroner, or the equivalent of €170,000, on the Municipality of Bergen.
The incident relates to computer files with usernames and passwords for over 35 000 user accounts in the municipality’s computer system. The user accounts belonged both to pupils in the municipality’s primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the schools’ various information systems and thereby to access various categories of personal data relating to the pupils and employees of the schools.

Inadequate Data Security
Datatilsynet found that the municipality’s lack of appropriate measures to protect the personal data in the computer file systems constituted violations of both art. 5(1)(f) and art. 32 GDPR. Consequently, the supervisory authority issued an administrative decision imposing a fine of 170,000 € on the municipality.
- The security in the login system has been so poor that unauthorized persons could get access to usernames and passwords in the learning platform and in the school’s administrative systems, says director Bjørn Erik Thon.

The system in question contains information about a user’s name, password, date of birth, address, school affiliation and school grade. When employees and pupils log in, they get access to various systems, for instance the central digital learning platform, which contains the pupils’ schoolwork and the teachers’ evaluations of each individual pupil’s performance at school.

Personal data of 35 000 individuals, primarily children

The fact that the security breach encompasses the personal data of over 35 000 individuals, and that the majority of these are children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that the data security was inadequate.

- In the GDPR, children are defined as a particularly vulnerable group that shall be given special protection. It is important that municipalities and other public bodies that process personal data are aware of their responsibilities. Public authorities often process information about us that we do not control, neither do we have a choice in whether or not this information is made available to others. We should be able to trust the public sector, says director Bjørn Erik Thon.

The GDPR stipulates that administrative fines shall be effective, dissuasive and proportionate, and Datatilsynet is of the opinion that the size of the fine reflects this. The Norwegian Personal Data Act sets out that all Norwegian public authorities are subject to the provisions on administrative fines in art. 83 GDPR.  
Datatilsynet made its decision in March 2019, and on the 4th of April 2019, the municipality stated in a press conference that it did not wish to appeal the decision.

You can read the full press release in Norwegian here

For further information, please contact the Norwegian DPA: postkasse@datatilsynet.no

20 February 2019

The Commissioner has today issued his decision to the Lands Authority after concluding the investigation of the data breach that was brought to his attention by the Times of Malta on 23rd November 2018. The findings of the investigation established that the online application platform available on the Authority’s portal lacked the necessary technical and organisational measures to ensure the security of processing. The Lands Authority was found to have infringed the provisions of Article 32 of the General Data Protection Regulation (GDPR) and, in terms of Article 21 of the Data Protection Act (CAP. 586), was served with an administrative fine of €5,000. The level of the fine was reached after the Commissioner took into account the circumstances set out under Article 83(2) of the GDPR.

The temporary ban imposed on the Authority’s portal has been lifted.

The Lands Authority offered their full and unrestricted collaboration to the Commissioner during the course of the entire investigation.    

You can read the original press release here

For further information, please contact the Maltese Supervisory Authority: idpc.info@idpc.org.mt

12 February 2019

The Austrian Data Protection Authority has finalised its investigation into the Austrian Post (Österreichische Post AG) and issued a decision stating the Austrian Post has violated several provisions of the GDPR.

Specifically, the Austrian DPA is of the opinion that the Austrian Post processes special categories of personal data (political opinions) by attributing preferences for certain political parties to data subjects by using statistical calculation methods. In the absence of explicit consent given by the data subjects concerned and in the absence of any other legal basis for processing these data the Austrian DPA found this to be contradictory to the GDPR.

Furthermore, the Austrian DPA found that the DPIA for this kind of processing and the record of processing activities were erroneous.

Consequently, the Austrian DPA imposed an immediate ban on these processing operations, ordered the erasure of the data and ordered the Austrian Post to carry out a new DPIA and to rectify its record of processing.

The decision is not final and will be challenged before the Federal Administrative Court.

Data Protection Authority concludes investigation procedure against Post and finds infringements

Vienna (OTS) - The Data Protection Authority took the reports that Österreichische Post Aktiengesellschaft (Post) was processing data on party affinity as the occasion to initiate an ex officio investigation procedure.

The investigation procedure revealed that Post does indeed determine, among other things, the party affinities of persons by means of statistical methods within the scope of the trade "Adressverlage und Direktmarketingunternehmen" (address publishers and direct marketing companies).

The Data Protection Authority found that these data may not be processed without the consent of the data subjects. It ordered that this data processing be discontinued with immediate effect and that the data be deleted, unless in the individual case there is a reason for further processing. This could in particular be the case where requests for access are being handled or where consent to the processing actually exists.

In addition, the Data Protection Authority found that the data protection impact assessment for this data processing and the entry in the internal record of processing activities are deficient. It ordered that the data protection impact assessment be repeated and the entry be corrected.

For more information, please contact the Austrian supervisory authority at dsb@dsb.gv.at 

31 January 2019

In order to a) explore the level of compliance with the General Data Protection Regulation (GDPR), six months after its entry into force, and with the specific legislation on e-privacy, b) raise the awareness of data controllers and data subjects, and c) exercise its envisaged powers, the Hellenic DPA has carried out the following “ex officio” investigation, which was initiated in December 2018 and is ongoing:

More particularly, the Hellenic DPA carried out an investigation of 65 controllers operating online in the fields of financial services, insurance services, e-commerce, ticket services and public sector services, to explore how specific requirements are met in the areas of transparency, the use of cookies, the sending of online messages and the security of websites, using indicative checkpoints as perceived by citizens when navigating and using internet services.

  1. The initial conclusions that were drawn as a result of this initiative highlight, in general, the lack of compliance with the legislation on cookies and relevant technologies in almost all the controllers.
  2. There was also a lack of information on the processing operations and the recipients of the data at around 40% of the controllers. It is worth noting that the public sector lags behind in compliance, mainly with regard to transparency, in almost all of the organizations that were investigated.
  3. On the contrary, at a high percentage of more than 80% of data controllers, a satisfactory level of security was observed.
  4. Furthermore, a sufficient degree, more than 70%, of Data Protection Officers’ designation was noted in the private sector.

On the basis of the final conclusions of this first large-scale investigation to check compliance, after the entry into force of the Regulation, the DPA will exercise its powers that are envisaged by the pertinent provisions.

The investigation was presented in the Authority’s recent Information Day on the occasion of the 13th European Data Protection Day on January 28th and is available in Greek at www.dpa.gr (http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/EUROPEAN_DP_DAY_GENERAL/2019_DP_DAY/FILES%202018/PANAGOPOULOU_G.PDF).

For further questions, please contact the Hellenic Data Protection Authority: contact@dpa.gr

21 January 2019

On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

The handling of the complaints by the CNIL

The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not make it possible to conclude that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have decision-making power over the processing operations carried out in the context of the Android operating system and the services provided by GOOGLE LLC in relation to the creation of an account during the configuration of a mobile phone.

As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPAs. The CNIL implemented the new European framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

In order to deal with the complaints received, the CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user and the documents he or she can access when creating a GOOGLE account during the configuration of a mobile device using Android.

The violations observed by the restricted committee

On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.

A violation of the obligations of transparency and information:

First, the restricted committee notices that the information provided by GOOGLE is not easily accessible for users.

Indeed, the general structure of the information chosen by the company does not make it possible to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for ads personalization, is excessively dispersed across several documents, with buttons and links that must be clicked to access complementary information. The relevant information is accessible only after several steps, sometimes requiring up to 5 or 6 actions. For instance, this is the case when a user wants complete information on his or her data collected for personalization purposes or for the geo-tracking service.

Moreover, the restricted committee observes that some information is neither always clear nor comprehensive.

Users are not able to fully understand the extent of the processing operations carried out by GOOGLE, yet those operations are particularly massive and intrusive because of the number of services offered (about twenty) and the amount and nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in too generic and vague a manner, as are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough for the user to understand that the legal basis of the processing operations for ads personalization is consent, and not the legitimate interest of the company. Finally, the restricted committee notes that the retention period is not provided for some data.

A violation of the obligation to have a legal basis for ads personalization processing:

The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that this consent is not validly obtained, for two reasons.

First, the restricted committee observes that the users’ consent is not sufficiently informed.

The information on processing operations for ads personalization is diluted across several documents and does not enable the user to grasp their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, YouTube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.

Second, the restricted committee observes that the consent collected is neither “specific” nor “unambiguous”.

When an account is created, the user can admittedly modify some options associated with the account by clicking on the button “More options”, accessible above the button “Create Account”. In particular, it is possible to configure the display of personalized ads.

That does not mean that the GDPR is respected. Indeed, not only must the user click on the button “More options” to reach the configuration, but the ads personalization option is also pre-ticked by default. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a box that is not pre-ticked, for instance). Finally, before the account is created, the user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. The user therefore gives his or her consent in bulk, for all the processing purposes carried out by GOOGLE on the basis of this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that consent is “specific” only if it is given distinctly for each purpose.
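The two consent defects described above, a pre-ticked ads personalization option and one blanket agreement covering every purpose, as a consent-form validator in JavaScript. This is an added example, not code from the CNIL or from Google; the control fields and the two sample forms are constructed for the illustration.

```javascript
// Validator for a sign-up consent form, modelled on the two GDPR conditions the
// restricted committee applied: consent must be "unambiguous" (a clear affirmative
// action, so a pre-ticked box does not count) and "specific" (given distinctly per
// purpose, so one blanket agreement does not count). Field names are assumptions.

// A control passes only if the user actively ticked it and it covers one purpose.
function controlProblems(c) {
  const problems = [];
  if (!c.checkedOnSubmit || c.purposes.length === 0) return problems; // no consent claimed
  if (c.defaultChecked) {
    problems.push(`${c.id}: not unambiguous, box was pre-ticked`);
  }
  if (c.purposes.length > 1) {
    problems.push(`${c.id}: not specific, one box covers ${c.purposes.join(", ")}`);
  }
  return problems;
}

function validateConsentForm(form) {
  const problems = form.controls.flatMap(controlProblems);
  return { valid: problems.length === 0, problems };
}

// Purposes for which a valid consent record may be stored from this submission.
function grantedPurposes(form) {
  return form.controls
    .filter((c) => c.checkedOnSubmit && controlProblems(c).length === 0)
    .flatMap((c) => c.purposes);
}

// Constructed sample: the flow described in the decision, with a blanket
// "I agree" box and a pre-ticked ads personalization option behind "More options".
const bundledSignup = {
  controls: [
    { id: "tos", purposes: [], defaultChecked: false, checkedOnSubmit: true },
    { id: "privacy-agree", purposes: ["adsPersonalization", "speechRecognition"],
      defaultChecked: false, checkedOnSubmit: true },
    { id: "ads-toggle", purposes: ["adsPersonalization"],
      defaultChecked: true, checkedOnSubmit: true },
  ],
};

// Constructed sample: one unticked box per purpose; the user opted in to ads only.
const perPurposeSignup = {
  controls: [
    { id: "ads", purposes: ["adsPersonalization"], defaultChecked: false, checkedOnSubmit: true },
    { id: "speech", purposes: ["speechRecognition"], defaultChecked: false, checkedOnSubmit: false },
  ],
};
```

Note that the terms-of-service box carries no processing purpose, so it never yields a consent record on its own.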

The fine imposed by the restricted committee and its publicity

The CNIL restricted committee publicly imposes a financial penalty of 50 million euros on GOOGLE.

This is the first time that the CNIL has applied the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed with regard to the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive users of essential guarantees regarding processing operations that can reveal important parts of their private life, since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of the processing operations in question requires that users be enabled to control their data, and therefore that they be sufficiently informed and able to validly consent.

Moreover, the violations are continuous breaches of the Regulation, as they are still observed to date. This is not a one-off, time-limited infringement.

Finally, given the significant share of the Android operating system in the French market, thousands of French people create a GOOGLE account every day when using their smartphone. Furthermore, the restricted committee points out that the company’s economic model is partly based on ads personalization. It therefore bears the utmost responsibility for complying with its obligations in this regard.

You can read the original press release here and in French here.

For further questions, please contact the CNIL directly: https://www.cnil.fr/en/contact-cnil