Europees Comité voor gegevensbescherming

National News

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.

2020

27 May 2020

The Office of the Data Protection Ombudsman’s sanctions board imposed administrative fines on three companies for violations of data protection legislation on 18 May. These violations concerned giving insufficient information on data protection rights, neglecting to conduct a data protection impact assessment and the unnecessary collection of personal data.

Deficiencies in information provided in connection with change-of-address notifications

The individuals who filed a complaint with the Data Protection Ombudsman had received communications and direct marketing from various companies after making change-of-address notifications to Posti Oy, which is the leading postal service operator in Finland. The investigation carried out by the Office of the Data Protection Ombudsman revealed that Posti had not informed the data subjects of their rights, including the right to object the disclosure of data, in connection with making change-of-address notifications.

The company should have informed its customers clearly about their right to object to the processing of their personal data. Posti had submitted such notifications only to customers who bought additional services in addition to making the change-of-address notification.
Posti had notified the Data Protection Ombudsman that it would look into possibilities for improving the transparency of personal data processing already in 2017. The company finally improved its practices for informing customers in 2020, after the Office of the Data Protection Ombudsman had contacted Posti again. The violations affected 161,000 customers in 2019 alone.

The sanctions board imposed an administrative fine of EUR 100,000 on Posti Oy.

The data protection impact assessment on the processing of employee location data had been neglected

The second decision concerned a complaint made to the Data Protection Ombudsman about how Kymen Vesi Oy processed the location data of its employees by tracking vehicles with a vehicle information system. The controller had not made the impact assessment required by the GDPR before starting to process the location data. The location data was used for monitoring working hours, among other things.

A data protection impact assessment is required if the processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment is necessary for example if the location data of vulnerable individuals is processed or the location data is used for systematic monitoring. The decision of situations in which a data protection impact assessment of the processing of location data is required can be found on the Data Protection Ombudsman’s website.
The sanctions board imposed an administrative fine of EUR 16,000 on Kymen Vesi Oy.

Job applicants’ personal data was collected unnecessarily

In the third case, the Data Protection Ombudsman had been notified about a company collecting unnecessary personal data from job applicants and employees. According to the Finnish Act on the Protection of Privacy in Working Life, the employer is only permitted to process data that is necessary in light of the employment relationship. Deficiencies were also discovered in the controller’s documentation related to compliance with the GDPR.

The company had asked for information on matters such as religious beliefs, state of health, possible pregnancy and family status of the data subjects.
The Data Protection Ombudsman ordered the company to delete the unnecessary data and issued a reprimand on the deficiencies in documentation. The sanctions board also imposed an administrative fine of EUR 12,500 on the company.

The decisions are not final since those can be appealed in the administrative court. The Office of the Data Protection Ombudsman publishes the name of the organisation on which the administrative fine was imposed if the matter is considered to be of public significance or the organisation could be confused with another.

Sanctions must be proportionate, efficient and cautionary

This was the first time that the sanctions board imposed administrative fines for violations of data protection regulations. The board has the right to impose administrative fines for data protection violations. The maximum amount of the administrative fine is 4 % of the company’s turnover or EUR 20 million.
The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, with the Data Protection Ombudsman serving as chairman. The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act.

To read the full decisions in Finnish, click here

For further information, please contact the Finnish DPA: reijo.aarnio(at)om.fi

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
15 May 2020

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed. The company had erased personal data subject to the access request of a data subject during the period after the request was submitted and prior to the company's reply. The Data Protection Authority became aware of the case on the basis of a complaint.

Good data processing

‘Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the data by the Data Protection Authority and the Courts. This is a violation of the citizen’s fundamental rights and is not an example of good data processing,” says Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority.

Fine proposal

The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

It is the view of the Danish Data Protection Agency that a breach of the fundamental principles of the regulation concerning processing security for an company in a case such as the one in question cannot, in principle, be penalised by a fine lower than DKK 50.000, if the basic requirement of effective and dissuasive penalties laid down by the regulation must be complied with at the same time. At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

In most European countries, national data protection authorities can issue administrative fines themselves, but the rules are different in, inter alia, Denmark.

After having clarified and assessed the case, the Data Protection Authority (DPA) reports the data controller to the police. The police then considers whether there are grounds for bringing a charge, and finally any financial penalty will be decided by a court.

To read the press release in Danish, click here

For further information, please contact the Danish SA: dt@datatilsynet.dk

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
13 May 2020

The Swedish Data Protection Authority’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

The Swedish Data Protection Authority received a complaint against the Healthcare Committee in Region Örebro County, in which claims that sensitive personal data about a patient admitted to forensic psychiatry clinic had been published on the region’s website was put forward.

– Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region’s website”, says Elin Hallström, Legal Advisor at the Swedish Data Protection Authority.

The Swedish Data Protection Authority’s audit shows that there are no written instructions relating to the publication of documents and personal data on the website in place. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed which led to the accidental publication of the document, suggesting that the Committee had not taken sufficient organizational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

– For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publishes personal data on the region’s website does so in accordance with set instructions.

In its decision, the Swedish Data Protection Authority also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

The Swedish Data Protection Authority orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
30 April 2020

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

The Data Protection Authority (DPA) initiated an investigation against the National Government Service Centre (NGSC) upon having received a number of personal data breach notifications concerning an error in the IT system for salary administration. The error entailed the possibility of unauthorised access to personal data of both personnel of authorities using the system and of the personnel of the NGSC.

- Our investigation shows that it has taken too long for the NGSC to inform the concerned parties about the error and furthermore that the NGSC has failed to report the personal data breach to the DPA in due time. The documentation of the breach, as required under the GDPR, was also found incomplete with regards to the NGSC’s personnel and their data, says Elin Hallström, legal advisor, who has been leading the DPA’s audit.

The DPA noted that it took almost five months for the NGSC to notify the concerned parties and close to three months before the DPA received a data breach notification.

- When a data breach of this kind is discovered by a processor such as the NGSC in this case, it is important to inform the controllers as soon as possible so that they can report the breach to the DPA and take further actions to mitigate any related risks. The NGSC has failed to act in time.

In its decision the DPA orders the NGSC to introduce internal routines for the documentation of personal data breaches and to verify that those routines are abided by. Together with this order the DPA imposes an administrative fine on the NGSC of in total 200,000 Swedish kronor.

The National Government Service Centre coordinates the administration of government agencies by offering administrative support services to other government agencies. It offers basic services in the areas of salary administration, financial administration and eCommerce.

To read the press release in Swedish, click here
To read the full decision in Swedish, click here
For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
03 April 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation with the seat in Katowice, a company from telemarketing industry, for making it impossible to conduct inspection. Additionally, the company’s owner is subject to criminal liability for this.

The President of the Personal Data Protection Office (UODO) decided to conduct inspection activities at the penalised company, in connection with the findings made in the course of another inspection performed at the company conducting telemarketing activities. It was established that the company has a cooperation contract with regard to outsourcing of telemarketing services with Vis Consulting Sp. z o.o. Therefore, the supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.

Unfortunately, the UODO’s inspectors, after prior notification on the planned inspection, did not find anyone at the address indicated in the National Court Register (KRS). On the spot, there was only a company which leased office space to Vis Consulting Sp. z o.o. (so called virtual office).  

The inspectors managed, however, to contact Vis Consulting by telephone, and its proxy informed that the inspection would not take place.   
Therefore, the President of the UODO concluded that the company in no way wished to cooperate with the personal data protection authority. On two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection twice. Furthermore, on the date on which the inspectors attempted to conduct inspection at Vis Consulting Sp. z o.o., its authorities decided to liquidate that entity.

In the opinion of the President of the Office, this company does not comply with the obligations relating to the processing of personal data and, at least intentionally, avoids to be subject of inspection by the supervisory authority. Thus the company infringed the provisions of Article 31 of the GDPR with regard to Article 58(1)(e) and (f) of the GDPR referring to cooperation with the supervisory authority and enabling it access to all personal data and any information.
Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied. In determining the amount of the fine, the supervisory authority did not identify any attenuating circumstances affecting the amount of the fine.

In connection with suspicion of commission of an offence under Article 108 (1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice thereof. According to that provision, the prevention or hindering of conducting inspection of compliance with the personal data protection provisions shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years. The Public Prosecutor’s Office has already lodged an indictment against the President of the Company to the court.

To read the press release is Polish, click here

To read the full decision in Polish, click here

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this news release should be directed to the supervisory authority concerned.
11 March 2020

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the GDPR. Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

In 2017 the Swedish Data Protection Authority (DPA) finalised an audit concerning how Google handles individuals’ right to have search result listings for searches that includes their name removed from Google’s search engine in case of for example lack of accuracy, relevance or if considered superfluous. In its decision the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.

In 2018, due to indications that Google had not fully complied with the previously issued order, the DPA initiated a follow-up audit. This audit is now finalised and the DPA is issuing a fine against Google.

– The General Data Protection Regulation, GDPR, increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right, says Lena Lindgren Schelin, Director General at the Swedish DPA.

The Swedish Data Protection Authority is critical to the fact that Google did not properly remove two of the search result listings that the DPA had ordered them to remove back in 2017. In one of the cases Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing. In the second case Google has failed to remove the search result listing without undue delay.

When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice puts the right to delisting out of effect.

– In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, says Olle Pettersson, legal advisor at the Swedish DPA who has participated in this audit of Google.

Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.

Facts about the right to have search result listings removed
In May 2014 the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is incorrect, irrelevant or superfluous. This right was strengthened with the GDPR entering into force 25th May 2018. The right is however not absolute, you cannot demand that all search results are to be removed. Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.
What happens next?
Google may appeal the decision of the Swedish DPA within three weeks. If Google decides not to appeal, the decision will enter into force by the end of that time period. Once the decision has entered into force it will be handed over to the Legal, Financial and Administrative Services Agency (Kammarkollegiet) that handles the administration of fines under the GDPR.

Note to editors:

The personal data processing in question is part of the processing operations carried out by Google as a search engine operator. For this part of Google’s activity it is Google LLC (parent company of the Google group) established in the United States that decides the purpose and means of the processing. Since there is no main establishment within the EU for this part of Google’s operations, each Supervisory Authority in the EU is competent for investigating possible infringements of the GDPR within their territory.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se  

10 March 2020

On 5 March 2020, the Icelandic Supervisory Authority (SA) took the decision to impose an administrative fine of ISK 3.000.000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.

The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.

The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The SA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

10 March 2020

On 5 March 2020, the Icelandic SA took the decision to impose an administrative fine of ISK 1.300.000 (EUR 8.945) on the Breiðholt Upper Secondary School in a case relating to a personal data breach.

The breach occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. However, the attachment concerned a different group of students, 18 in total, and contained data on their well-being, study performance, and social conditions. To a considerable extent, the information concerned the students' problems. In one instance, the data had to do with an intervention by child protection services. Furthermore, there were data on one student's physical illness, and on another student's mental health problem.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal information involved in the breach, which were data concerning health and other personal issues. The SA also cited the nature of the Breiðholt Upper Secondary School as a nonprofit institution.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

10 March 2020

The Danish Data Protection Agency has reported the municipality of Gladsaxe and the Municipality of Hørsholm to the police, as it finds that the municipalities have not met the requirements of an adequate level of security under the General Data Protection Regulation (GDPR).

For the municipalities of Gladsaxe and Hørsholm Municipality fines of DKK 100.000 and DKK 50.000 have been proposed respectively.

The Data Protection Agency became aware of the cases when both municipalities notified the agency of personal data breaches relating to the theft of computers containing personal data.

Neither computers were protected by encryption, and the loss of personal data by the municipalities therefore posed an undue risk to its citizens.

In one of the cases, the lack of security resulted in a serious personal data breach, as a computer containing personal data of 20.620 citizens, including information of a sensitive nature and personal data, was stolen from Gladsaxe City Hall.

The second security breach took place when the computer of an employee from the municipality of Hørsholm was stolen from his car. On the computer, there was information on about 1.600 employees in the municipality of Hørsholm, including information of a sensitive nature and personal data.

The specific security breaches express some of the possible consequences of the insufficient level of security which poses a high risk to all citizens of whom the municipality processes data.

Municipalities have a great deal of responsibility
“A municipality processes very large amounts of personal data concerning the municipality’s citizens, including information of a sensitive nature. As a citizen, it is not possible to opt out of the municipality’s processing of information about oneself, and the municipality therefore has a high responsibility to avoid the information being disclosed, "said Frederik Viksøe Siegumfeldt, Head of Unit of the Supervisory Unit in the Danish Data Protection Agency. He explains:

“It is simple to access the files stored on the computer when a computer’s hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data are stored locally on the computer, it is very imprudent that the municipalities' computers were not encrypted.”

Proposal of fines
The Danish Data Protection Agency has decided to report the Municipality of Gladsaxe and the Municipality of Hørsholm to the police and proposes that the two municipalities be fined DKK 100.000 and DKK 50.000 respectively.

To read the press release in Danish, click here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

05 March 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen.

The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification.

For that breach, an administrative fine was imposed on Primary School No. 2 in Gdansk. In addition, the President of the Personal Data Protection Office (UODO) has ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.

Following an ex officio administrative proceedings, the President of the UODO has established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee.

The proceedings has shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use a biometric reader and four pupils - an alternative identification system.

In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch.

In the fined Primary School No. 2, in accordance with the lunch rules, available on the website of the school’s canteen, students who do not have biometric identification have to wait at the end of the queue until all the students with biometric identification enter the canteen. Once all the students with biometric identification have entered the canteen, the students without biometric identification are allowed to enter, one by one. In the opinion of the President of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification. Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.

The President of the UODO, in the grounds of his decision, emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic data. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl

03 March 2020

The Dutch DPA imposed a fine of EUR 525,000 on tennis association KNLTB for selling the personal data of its Members. In 2018, KNLTB unlawfully provided personal data of a few thousand of its members to two sponsors.


Boete voor tennisbond vanwege verkoop van persoonsgegevens

De Autoriteit Persoonsgegevens (AP) legt tennisbond KNLTB een boete op van 525.000 euro voor het verkopen van persoonsgegevens. De KNLTB heeft in 2018 onrechtmatig tegen betaling persoonsgegevens van een paar honderdduizend van zijn leden verstrekt aan twee sponsoren.

De Koninklijke Nederlandse Lawn Tennisbond (KNLTB) verstrekte de sponsoren persoonsgegevens zoals naam, geslacht en adres, zodat zij een selectie van KNLTB-leden konden benaderen met tennisgerelateerde en andere aanbiedingen. De ene sponsor ontving persoonsgegevens van 50.000, de andere van meer dan 300.000 leden. Die sponsors benaderden een deel van die KNLTB-leden per post of telefoon.

Verkoop van persoonsgegevens

Voor elke verwerking van persoonsgegevens moet de organisatie die ze verwerkt zich kunnen beroepen op één van de zes grondslagen uit de AVG. Bijvoorbeeld dat degene om wie het gaat toestemming heeft gegeven voor die verwerking. Verkoop van persoonsgegevens zonder toestemming van de persoon achter de gegevens is doorgaans verboden. De KNLTB vond dat hij een gerechtvaardigd belang had bij verkoop van de gegevens. De AP is het daarmee niet eens en heeft geoordeeld dat KNLTB geen grondslag had om die persoonsgegevens door te geven aan de sponsoren.

Klacht KNLTB over AP
Tijdens het onderzoek naar de KNLTB diende de tennisbond een klacht in tegen de AP, die de AP gegrond verklaarde. Die klacht ging over het optreden van AP-voorzitter Aleid Wolfsen in Nieuwsuur, op 17 december 2018. Daarin gaf Wolfsen aan dat de AP ‘een sportbond’ onderzocht. De AP heeft in reactie op deze klacht erkend dat zij in die uitzending de indruk heeft gewekt dat de handelwijze van KNLTB niet correct was, terwijl het onderzoek daarnaar nog liep. De KNLTB zag in die uitlatingen de schijn van vooringenomenheid en dat betreurt de AP. Op aanbeveling van de Nationale Ombudsman laat de AP hierbij weten dat de uitlatingen van Wolfsen ten onrechte vooruitliepen op de uitkomsten van het onderzoek.

Bezwaar KNLTB
De KNLTB heeft bezwaar gemaakt tegen het boetebesluit. De AP zal dit gaan beoordelen.

To read the full decision, click here

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

01 February 2020

The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.

From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed (accountability).
In many cases out of the millions of marketing calls that had been placed in a six-month period with ‘non-customers’, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of whatever consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company is not permitted to use any longer the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.

The injunctions issued by the Italian SA include the obligation for TIM to check consistency of their blacklists and to timely acquire those put together by call centres so as to update their own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in their individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

27 January 2020

The Commissioner for Personal Data Protection (Cypriot SA) fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for a total amount of EUR 82,000.00, concerning the lack of legal basis of “Bradford Factor” tool, which was used to score sick leaves of employees.

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind Bradford's Factor automated system for scoring employees' sick leave was that short, frequent, and unplanned absences lead to a higher disorganising of the company rather than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using 'Bradford Factor', and profiling individuals based on the results, is considered as processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.

In the course of the investigation, we made use of the possibility to raise legal questions to the other EEA SAs via the so called Mutual assistance procedure and received input from 25 authorities. The replies received validated the absence of legal basis of the said processing and highlighted the necessity to regulate such issues with specific rules in line with article 88 of the GDPR.

After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leaves and the validity of sick leaves certificates. However, such a perquisite should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

Having established such unlawful conduct, the Commissioner ordered the controller to interrupt the processing and delete all data collected. Moreover, a fine of €70.000 was imposed to LGS Handling Ltd, a fine of €10.000 was imposed to Louis Travel Ltd and a fine of €2.000 was imposed to Louis Aviation Ltd, in relation to the infringements of articles 6(1) and 9 of the GDPR.

When deciding on the amount of the administrative fines, due regard was given to the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.

The full decision in Greek is available here

For further information, please contact the Cypriot SA: commissioner@dataprotection.gov.cy

17 January 2020

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozens of alerts and complaints received in the immediate aftermath of the full application of the GDPR.  
The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct  by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.  

The Italian SA further prohibited the company from using the data made available by the list providers  if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect  data in the contracts and forged signatures.

About 7200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation  as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.  

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here

For further information, please contact the Italian SA: garante@garanteprivacy.it

14 January 2020

The Ηellenic DPA in response to a complaint conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager for whom there was suspicion that he had committed unlawful acts against the company’s interests.

The Authority found that the company as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retreating employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on www.dpa.gr  “Decisions”

For further information, please contact the Hellenic DPA: contact@dpa.gr