European Data Protection Board

National News

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.

2021

09 April 2021


The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

In a telephone scam targeting 40 hotels in the United Arab Emirates in December 2018, the criminals persuaded hotel staff to reveal the log-in details for their accounts in a Booking.com system. In this way the criminals gained access to the data of 4,109 people who had booked a hotel room in the UAE. The data included their names, addresses and telephone numbers, as well as details of their booking. 

The criminals were also able to access the credit card information of 283 people. In 97 cases, the credit card security code was obtained as well. The criminals also tried to get hold of the credit card information of other victims, by posing as Booking.com staff in emails or on the telephone. 

Phishing
‘Booking.com customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions. 

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

Breach reported 22 days too late
Booking.com was informed of the data breach on 13 January 2019, but did not report it to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time. 

‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’

Huge responsibility
According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to Booking.com. And the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’ 

Booking.com will not lodge an objection to or apply for review of the decision imposing the fine.

International investigation
The investigation into the Booking.com breach was international in scope. The situation involved an international company with customers from a range of countries. Booking.com’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.

Obligation to report data breaches
The obligation to report data breaches means that both companies and public authorities must immediately (and in any case within 72 hours) inform the DPA if they suffer a serious data breach. In certain cases they must also inform the individuals whose personal data was leaked. Data breaches must be reported to the DPA’s Data breach helpdesk.

Explosive increase in data theft
In 2020 the DPA warned it was seeing an explosive increase in the number of hacks aimed at stealing personal data. The number of reports in 2020 was 30% higher than in the previous year. This can be seen in the DPA’s 2020 Report on Data Breaches. Data theft can often be prevented by enhanced security.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

30 March 2021

The "ruling" reported in the "Standard" concerns a remedy procedure that was concluded without formal supervisory measures. It arose from a complaint by a data subject against a controller (an individual company) that had used Mailchimp. After we requested comments and detailed information on the consequences of the Schrems II decision, the controller announced that it had stopped using Mailchimp.

Our final notice to the complainant, which apparently formed the basis of the publication and was sent in mid-March, had the following wording in extracts and translated informally: 

"... We are referring to your data protection complaint against .... concerning the use of "Mailchimp". As a result of our intervention, the company has informed us that it had used Mailchimp twice to send newsletters. As a result of our intervention, the company has now informed us that it will no longer use Mailchimp with immediate effect.

The company also informed us that it had only transmitted email addresses to Mailchimp in the context of the above-mentioned use. It also mentioned that the recommendations of the European Data Protection Board on the so-called Supplementary Measures for transfers of personal data to third countries are not yet available in a final version, but are still subject to public consultation; this is correct.

According to our assessment, the use of Mailchimp by .... in the two cases mentioned - and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint - was unlawful under data protection law, because .... had not examined whether, in addition to the EU standard data protection clauses (which were used), "additional measures" within the meaning of the ECJ decision "Schrems II" (ECJ, judgment of 16.7.2020, C-311/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken."

We informed the company that, due to the above, the above-mentioned transfers of personal data to the U.S. were not lawful.

"The processing of your complaint is thus concluded. This letter constitutes the legally required information on the outcome of the processing of your complaint pursuant to Art. 77 (2) of the GDPR."

This case is exemplary of our supervisory enforcement of the requirements of the ECJ decision. Contrary to recurring criticism, that enforcement has already been pursued with a high degree of intensity, even without publicly visible investigations or sanctions, and has so far reached agreement with the controller with above-average frequency.

For more information, please contact the Bavarian DPA: poststelle@lda.bayern.de

23 February 2021

The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis.

This case came in response to a complaint from a person who discovered that Aquateknikk had performed a credit rating on him when he had no customer relationship or any other connection with the company.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

Lacked legal basis

A credit rating compiles personal data from many different sources for the purpose of indicating how likely it is that the person will be able to pay what they owe. A credit rating will also include detailed information about the person’s personal financial situation, such as debt-to-income ratio, payment remarks, and the person’s mortgages, if any.

Upon investigating this matter, the Data Protection Authority has concluded that the credit ratings were performed without a legal basis, in violation of the requirements of the General Data Protection Regulation. The undertaking did not have a legitimate interest in performing a credit rating on the complainant.

Insufficient knowledge of the rules

“As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Thon concludes.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

19 February 2021

The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR). 

The AEPD considered that the document designed to comply with the information obligation did not include enough information regarding the categories of personal data concerned, nor information about the purposes of the processing for which the personal data are intended or the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 of the GDPR. Following Article 83 (5) b of the GDPR, a fine of 2.000.000 EUR was imposed. When deciding on the amount of the administrative fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise, together with its turnover.

On the other hand, the AEPD found that CAIXABANK did not provide any mechanism to collect the data subject’s consent; that the consent obtained did not meet all the elements of valid consent; and that the processing activities based on the company’s legitimate interest were not sufficiently justified, especially as regards the relationship between the company’s activity and the processing of personal data. The AEPD concluded that this constituted a breach of Article 6 of the GDPR, and according to Article 83 (5) a of the GDPR, an administrative fine of 4.000.000 EUR was imposed. In deciding on the amount of the fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the degree of responsibility of the controller taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR; the benefits gained from the infringement; the categories of personal data affected by the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise, together with its turnover.

In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months. 

To read the full decision in Spanish, click here.

For further information, please contact the Spanish DPA: prensa@aepd.es

12 February 2021

An administrative fine of more than PLN 85 000 (EUR 20 000) has been imposed on an entrepreneur conducting an economic activity in the field of health care, for failure to comply with the order imposed on it in an administrative decision.

The Personal Data Protection Office (UODO) ordered the entrepreneur to communicate the breach of their personal data to its patients and to provide these persons with recommendations on how to minimize the potential adverse effects of the incident. The controller failed to do so, as revealed by proceedings whose purpose was to check whether the obligations imposed in the UODO’s decision had been fulfilled.

Consequently, the persons affected by the breach knew nothing about it. The notification was meant to contain information such as:

  1. a description of the nature of personal data breach;
  2. the name and contact details for the data protection officer or other contact point where more information can be obtained;
  3. a description of the likely consequences of the personal data breach;
  4. a description of measures taken or proposed by the controller to be taken to address the personal data breach – including measures to mitigate its possible effects.

Properly fulfilling this obligation would allow data subjects to understand what the breach of their personal data consisted of, to learn the possible consequences of such an incident, and to know what actions they can take to mitigate its possible adverse effects.

Because the entrepreneur ignored the decision of the supervisory authority, UODO decided to initiate ex officio proceedings to impose an administrative fine. It should be noted that the entrepreneur had received detailed instructions from the Office concerning, inter alia, the correct wording of the communications, the form in which they should be delivered to patients, and the manner of documenting these actions. Even so, and even at the stage of the fine proceedings, the entrepreneur did not present complete evidence that would allow it to be acknowledged that the obligation resulting from the order in the decision had been fulfilled.

While imposing the fine, the Office took into account the following aggravating factors:

  • a long duration of the breach, which resulted in increased risk of the adverse effects for persons affected by the breach, and
  • intentional nature of the breach and unsatisfactory level of cooperation with the supervisory authority in order to remedy the breach – the entrepreneur did not follow the recommendations of the Office during the proceedings.

The entrepreneur’s failure to comply with the guidelines provided by the Office demonstrates the blatant disregard for the entrepreneur’s data protection obligations.

The supervisory authority is responsible for monitoring and enforcing compliance with personal data protection laws. In case of non-compliance by controllers, the President of the UODO may use the corrective powers granted to it. These are, among others, the power to order the controller to communicate a personal data breach to the data subject, and the power to impose an administrative fine, in addition to or instead of measures referred to in Article 58(2) of the GDPR.

To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

12 February 2021

The Swedish Authority for Privacy Protection finds that the Swedish Police Authority has processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals.

Upon news in the media of the Swedish Police Authority using the application Clearview AI for facial recognition the Swedish Authority for Privacy Protection (IMY) initiated an investigation against the Police.

The investigation concludes that Clearview AI has been used by the Police on a number of occasions. According to the Police, a few employees have used the application without any prior authorisation.

IMY concludes that the Police has not fulfilled its obligations as a data controller on a number of accounts with regards to the use of Clearview AI. The Police has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act. When using Clearview AI the Police has unlawfully processed biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require.

“There are clearly defined rules and regulations on how the Police Authority may process personal data, especially for law enforcement purposes. It is the responsibility of the Police to ensure that employees are aware of those rules,” says Elena Mazzotti Pallard, legal advisor at IMY.

IMY imposes an administrative fine of SEK 2,500,000 (approximately EUR 250,000) on the Police Authority for infringements of the Criminal Data Act. IMY also orders the Police to conduct further training and education of its employees in order to avoid any future processing of personal data in breach of data protection rules and regulations.

In addition, the Police are ordered to inform the data subjects whose data has been disclosed to Clearview AI, where confidentiality rules so allow. Finally, the Police are ordered to ensure, to the extent possible, that any personal data transferred to Clearview AI is erased.

To read IMY's decision (in Swedish), click here.

For further information, please contact:

12 February 2021

The Norwegian Data Protection Authority has fined the Municipality of Indre Østfold EUR 20 000 (NOK 200,000) for a confidentiality violation. Personal data that should have been restricted was available to unauthorized persons.

The Municipality of Indre Østfold, formerly the Municipality of Askim, published the records file of a former pupil on its municipal website. This file included confidential personal data.

Tipped off by a local newspaper

The background for this incident was that the pupil needed his record file in connection with his further studies, and asked the municipality to send it to him. The municipality routinely enters such Access to Information requests in the public record. This process also entails the document to which access has been requested being scanned and made available for public access.

The pupil’s file was available on the municipality’s website from Friday 27 September to Monday 30 September. The municipality was made aware of the incident by a journalist from the local newspaper Smaalenenes Avis. The documents were removed from the public record and exempted from public access as soon as they were discovered. The affected person was then notified.

Fine not adjusted

The municipality responded to the Data Protection Authority’s notice of fine. In its response, the municipality apologized for “sensitive personal data” having been included in the public record. At the same time, the municipality urged the Data Protection Authority to reconsider the size of the fine, considering the measures implemented after the fact.

A fine should reflect the severity of the violation. Norwegian law requires the municipality to implement any measures necessary to prevent future violations. The Data Protection Authority has found that, given the severity of the violation, the measures later implemented to remedy the incident do not significantly affect the amount of the fine imposed.

The Norwegian Data Protection Authority has therefore decided not to reduce the fine.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

12 February 2021

The Norwegian Data Protection Authority has issued a reprimand to Telenor Norge AS for inadequate protection of personal data in its voicemail function, and for failing to submit a data breach notification to the Norwegian Data Protection Authority.

A security error has made it possible for unauthorized persons to access the voicemails of approx. 1.3 million customers by using so-called 'spoofing' services. The Data Protection Authority finds that Telenor Norge AS had not implemented satisfactory security measures. This vulnerability in the voicemail function had been known for many years.

“Unlawful hacking of voicemail inboxes using ‘spoofing’ services has been a known problem for years. We believe Telenor should have identified this vulnerability in their voicemail function at an earlier date,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Failed to submit Data Breach Notification

This vulnerability affected a large number of subscribers. Voicemail messages may contain a lot of information, and this content has been largely outside Telenor’s control. These factors indicate that Telenor’s security measures have been inadequate.

“This decision also takes account of the fact that Telenor failed to submit a data breach notification to the Data Protection Authority. We believe Telenor Norge AS should have reported the security breach to us as soon as they became aware of the vulnerability,” says Bjørn Erik Thon.

Fine issued by the Norwegian Communications Authority (NKOM)

The Norwegian Communications Authority (NKOM) previously issued a fine in the amount of EUR 150 000 (NOK 1.5 million) for violation of the Electronic Communications Act, for the same circumstances as the Data Protection Authority has now considered. To prevent Telenor Norge AS from being penalized twice for the same offence, the Norwegian Data Protection Authority opted to issue a formal reprimand instead.

Two violations of the Regulation

A reprimand is a punitive measure introduced by the General Data Protection Regulation, and means we have concluded that a violation of the law has occurred. In this case, we believe the following provisions of the General Data Protection Regulation have been breached:

  • Violation of Article 32 (1) of the GDPR, by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Violation of Article 33 of the GDPR, by failing to notify the personal data breach to the Data Protection Authority.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

11 February 2021

The Dutch Data Protection Authority (DPA) has imposed a fine of €440,000 on the Amsterdam-based hospital OLVG for its inadequate protection of patients’ medical records. Between 2018 and 2020 OLVG did not have sufficient safeguards in place to prevent unauthorised access to the records. It did not carry out proper checks of who accessed which records, and there were shortcomings in information systems security. In response to the DPA’s investigation OLVG has made the required improvements.

‘You should be able to count on whatever you discuss with your doctor staying confidential,’ DPA deputy chair Monique Verdier said. ‘It doesn’t bear thinking about that people who have no business doing so could look at your doctor’s notes and pry into your state of health and personal details. Patients have the right to expect that staff members will only access their medical records if it is necessary for the patient’s treatment. OLVG’s security measures couldn’t guarantee that. That’s a serious breach and that’s why the DPA has imposed this fine.’

Besides medical information, patient records also contain personal data like citizen service numbers, addresses and phone numbers. These types of data must also be properly secured to avoid risks like identity fraud and phishing.

Two violations

The DPA launched its investigation after a tip from a concerned member of the public, reports in the media and two notifications of data breaches by OLVG about work placement students and other staff accessing medical records even though it was not necessary for their work. After its investigation, the DPA concluded that there are structural shortcomings in the way OLVG secures access to medical records. Specifically, it found two violations of data protection law:

  • Every time a staff member accesses medical records, these details must be recorded in a log. In addition, the hospital must review this access log regularly, so that it can take timely steps if it finds that someone has accessed a record when they are not actually authorised to do so. OLVG did have an automated procedure that logged who accessed which files, but it did not review the logs often enough to check for cases of unauthorised access.
  • Good security requires two-factor authentication to establish the identity of a user who wants access to a patient record. Examples are a code or password in combination with a personnel badge. OLVG did not require two-factor authentication when access was requested from inside the hospital. Access from a location outside the hospital was secured with two-factor authentication.
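As an added illustration of the log review the first bullet describes (example code, not OLVG's or the Dutch DPA's), the script below checks each record access in a constructed sample log against a constructed treatment-relationship table and flags accesses by staff with no relationship to the patient, as well as a user opening many different patients' records within a short period; the log format, the relationship table and the thresholds are assumptions.

```python
"""Periodic review of a patient-record access log (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log lines: timestamp, user id, role, patient id, action.
# u2210 is a work-placement student who opens three records in a few minutes.
SAMPLE_LOG = """\
2020-03-02T09:14:05 u1042 nurse P-7781 view
2020-03-02T09:20:11 u2210 intern P-7781 view
2020-03-02T09:21:40 u2210 intern P-3310 view
2020-03-02T09:22:03 u2210 intern P-5529 view
2020-03-02T10:02:55 u1042 nurse P-5529 view
2020-03-02T11:45:00 u0311 physician P-3310 edit
"""

# Constructed treatment relationships: staff actually involved in each patient's care.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-7781": {"u1042", "u0311"},
    "P-3310": {"u0311"},
    "P-5529": {"u1042"},
}


class Access(NamedTuple):
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> List[Access]:
    """Parse whitespace-separated log lines; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        entries.append(Access(datetime.fromisoformat(ts), user, role, patient, action))
    return entries


def review_access_log(
    entries: List[Access],
    care_team: Dict[str, Set[str]],
    window: timedelta = timedelta(minutes=10),
    max_patients: int = 2,
) -> List[Tuple[str, str, str]]:
    """Return (user, patient(s), reason) findings for follow-up by the hospital.

    Rule 1: any access by a user who is not on the patient's care team.
    Rule 2: one user opening more than `max_patients` distinct records within
            `window` (a browsing pattern worth a closer look even if each access
            individually had a relationship).
    """
    findings: List[Tuple[str, str, str]] = []

    for e in entries:
        if e.user not in care_team.get(e.patient, set()):
            findings.append((e.user, e.patient, "no treatment relationship"))

    by_user: Dict[str, List[Access]] = defaultdict(list)
    for e in entries:
        by_user[e.user].append(e)
    for user, accesses in by_user.items():
        accesses.sort(key=lambda a: a.ts)
        for i, first in enumerate(accesses):
            patients = {a.patient for a in accesses[i:] if a.ts - first.ts <= window}
            if len(patients) > max_patients:
                findings.append((user, ",".join(sorted(patients)),
                                 f"browsed {len(patients)} patients within {window}"))
                break  # one burst finding per user is enough for the review queue
    return findings


if __name__ == "__main__":
    for user, patient, reason in review_access_log(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(f"{user:6} {patient:22} {reason}")
```

In practice the care-team table would come from the hospital's treatment-relationship records and the review would run on a schedule, which is the "structural procedure for reviewing access logs" the decision required.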

‘It’s crucial to protect patient data’

‘The healthcare sector has consistently been in the top 3 sectors with the most data breaches in the past few years. And we’re talking about a sector that stores a lot of highly sensitive personal data,’ Ms Verdier said. ‘Protecting patient data is crucial. Patients share a lot of information with healthcare providers – and it’s vital that they do so, perhaps now more than ever because of COVID-19. But that means people have to be able to have confidence that their data is safe. So we’re asking hospitals and other healthcare providers to take a good look at how they protect their patient data and take steps to improve this where necessary.’ Healthcare providers can find more information about adequately protecting personal data on the DPA’s website.

Security improved

OLVG improved its systems security during the DPA’s investigation. The hospital introduced a structural procedure for reviewing access logs, as well as two-factor authentication for access to medical records from inside the hospital.

OLVG will not lodge an objection or appeal against the decision of the DPA to impose a fine.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

11 February 2021

The Norwegian Data Protection Authority has fined an organization EUR 40 000 (NOK 400,000) for unlawfully setting up automatic forwarding of an employee’s e-mails.

The background for this case is a complaint from an employee who discovered that their employer had activated automatic forwarding of the employee’s inbox.

Lacks legal basis

The automatic forwarding was activated in connection with the employee’s sickness absence and remained active for more than a month. After investigating the matter, the Data Protection Authority concluded that the forwarding violated the national regulations on an employer’s access to e-mail inboxes and other electronic information, as well as the GDPR requirements concerning legal basis, informing the data subject and the obligation to consider the employee’s objections.

On this basis, the Data Protection Authority has ordered the organization to review its written procedures for access to e-mail inboxes and issued a fine in the amount of EUR 40 000 for the unlawful forwarding.

The name of the organization has been withheld from public access to protect the identity of the complainant. The organization has appealed the decision.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

11 February 2021

The Norwegian Data Protection Authority has issued a fine in the amount of EUR 40 000 (NOK 400,000) to Coop Finnmark SA. The case concerns unlawful distribution of a camera recording from a shop.

The manager of the shop in question made a recording of surveillance footage with their phone and distributed the recording. The recording quickly spread.

The amount of the fine has not changed since our first notice in this case.

Lacked legal basis

All processing of personal data requires a legal basis in order to be lawful. After reviewing the case, the Data Protection Authority finds that Coop Finnmark lacked a legal basis for the shop manager’s distribution of the surveillance footage.

“The requirement for a legal basis is a basic principle of the General Data Protection Regulation, and any violation of this principle is considered serious,” Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority, explains.

This case was reported to the Data Protection Authority as a personal data breach notification by Coop Finnmark SA on 10 April 2019, and the Authority issued a notice of fine in March 2020. Coop Finnmark submitted comments on the notice, which the Data Protection Authority has now considered.

Responded with a fine

The Data Protection Authority finds that this case is so severe that a fine is the appropriate corrective measure. The Authority has given weight to the fact that the camera footage showed children, and that the distribution potentially entailed a major risk to their privacy.

The fine amount was calculated on the basis of an overall assessment of the severity of the violation and the financial situation of the organization, among other things.

“This case is a textbook example of how easy it is to lose control of personal data once shared — these things spread quickly,” says Bjørn Erik Thon.

For further information, please contact the Norwegian DPA: international@datatilsynet.no
 
11 February 2021

The President of the Polish DPA found a breach of the GDPR and imposed an administrative fine of PLN 100 000 (nearly EUR 22 000) on KSSIP (the National School of Judiciary and Public Prosecution) for failing to fulfil its obligations as a controller.

According to the Personal Data Protection Office, the controller did not take the technical and organisational measures necessary to ensure the confidentiality of the processing. KSSIP did not test or assess the effectiveness of the technical and organisational measures meant to secure the personal data contained in a copy of the database of its training platform, and thus failed to properly account for the risks that came with the changes made to the processing.

In addition, the controller entrusted the processing of personal data to a processor without a binding contractual commitment that the processor would process personal data only on documented instructions from the controller.

By way of background: KSSIP notified the UODO of a personal data breach after the National Police Headquarters informed it that personal data related to the domain kssip.gov.pl had appeared on the Internet. The notified incident involved unknown persons gaining unauthorised access to a copy of the KSSIP training site database that had been created during a test migration to a new training platform. The breach involved the personal data of more than 50 000 people, users undergoing continuous training, whose personal data were collected on the KSSIP training platform. Those persons hold positions including judges, court assessors, prosecutors and assistant prosecutors, and law clerks.

Organizational and technical measures

A controller implements appropriate technical and organisational measures so that the processing of personal data is carried out in accordance with the GDPR. These measures shall be reviewed and updated as necessary. This means that the controller, when assessing the proportionality of the safeguards, should take into account the factors and circumstances of the processing (e.g. its type and means) and the risks involved.

A copy of the database remained on KSSIP’s IT resources after the migration activities, and neither its existence nor its security was verified by the controller afterwards, although the personal data protection provisions oblige it to do so. In connection with the changes in the processing, KSSIP did not take sufficient measures to verify the security of the processing environment either before or after the migration.
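The failure described above is a concrete, checkable one: after a migration, every copy of the production database that the migration created has to be found and either secured or destroyed. The following added example in Python (not code from UODO, KSSIP or its processor) shows the shape of such a post-migration sweep: it walks a directory tree, reports every file that looks like a database dump or backup, and notes whether the copy is world-readable or sits inside a directory that is served over the web. The directory layout, the dump-file suffixes and the notion of a "served" directory are constructed assumptions; the sample tree is built in a temporary directory so the script runs offline.

```python
"""
Added example (not part of the UODO press release): a post-migration sweep for
leftover database copies. Directory layout, file names, dump-file suffixes and
the list of web-served roots are constructed assumptions for illustration.
"""
import os
import stat
import tempfile

# Suffixes that commonly mark a database dump or backup (assumption; extend
# to match the tooling actually used in the environment being checked).
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".sqlite", ".db")


def is_dump_like(name):
    """Cheap name-based test for 'this file is probably a database copy'."""
    return name.lower().endswith(DUMP_SUFFIXES)


def find_leftover_copies(root, served_roots=()):
    """Walk root and return (path, reasons) for every dump-like file.

    served_roots: directories whose contents are reachable over HTTP
    (an assumption about the deployment; supply the real document roots)."""
    findings = []
    served = [os.path.abspath(p) for p in served_roots]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_dump_like(name):
                continue
            path = os.path.join(dirpath, name)
            reasons = ["database copy outside the production database"]
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:
                reasons.append("world-readable")
            if any(os.path.abspath(path).startswith(s + os.sep) for s in served):
                reasons.append("inside a web-served directory")
            findings.append((path, reasons))
    return findings


def build_sample_tree():
    """Constructed sample: a migration workspace with one dump forgotten
    under the web root and one kept in an owner-only staging directory."""
    root = tempfile.mkdtemp(prefix="migration_")
    webroot = os.path.join(root, "htdocs")
    os.makedirs(os.path.join(webroot, "tmp"))
    os.makedirs(os.path.join(root, "migration", "staging"))
    forgotten = os.path.join(webroot, "tmp", "training_platform_2019.sql.gz")
    staging = os.path.join(root, "migration", "staging", "users.dump")
    harmless = os.path.join(webroot, "index.html")
    for p in (forgotten, staging, harmless):
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
    os.chmod(forgotten, 0o644)  # readable by everyone on the host
    os.chmod(staging, 0o600)    # owner only
    return root, webroot


if __name__ == "__main__":
    sample_root, sample_webroot = build_sample_tree()
    for path, reasons in find_leftover_copies(sample_root, [sample_webroot]):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the constructed tree the sweep reports both copies, but only the one under the web root is also world-readable and web-reachable, which is the combination that turns a forgotten file into a public data leak. A real sweep would also cover the processor's storage, since in this case the copy was made at a location the controller had pointed the processor to.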

The entrustment of data processing must be precisely defined

When the processing of personal data is entrusted to an external processor, the entrustment contract (the data processing agreement) must specify the subject-matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.

The entrustment contract in this case defined the scope of the entrusted data insufficiently. When entrusting the processing to the processor, KSSIP did not include the categories of data subjects in the contract and did not specify the type of personal data by indicating their categories. In addition, the fined entity did not include in the contract an obligation on the processor to process personal data only on documented instructions from the controller.

The model of cooperation between the controller and the processor was ineffective. The controller’s lack of understanding of its role in the relationship with the processor led to the personal data protection breach. KSSIP, both before and after the data protection breach was determined, was not fully aware of how the rights and obligations between the controller and the processor were shaped.

Proceedings against the processor discontinued

The processor complied with its obligations under the entrustment contract and the main contract, and applied the organisational measures it had adopted to secure its IT systems. It was the controller that failed to analyse whether, by indicating to the processor a place to store a backup copy of the database, it was exposing the personal data in that copy to a breach of confidentiality.

In the opinion of the Personal Data Protection Office there are also no legal grounds to accuse the processor of breaching the obligation to support the controller in complying with its duties. As a result, the proceedings in this respect were discontinued.

To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl 

11 February 2021

The Norwegian Data Protection Authority has fined Cyberbook AS EUR 20 000 (NOK 200,000) for unlawfully setting up the automatic forwarding of a former employee’s e-mails.

The background for this case is a complaint filed by a former employee of Cyberbook. The person discovered that the company had activated automatic forwarding of their personal e-mail address at the company.

In violation of regulations

This forwarding remained active for several months without the former employee being informed of it.
After reviewing the matter, the Data Protection Authority finds that the forwarding is in violation of the national regulations concerning an employer’s access to e-mail inboxes and other electronic information.

Ordered to implement procedures

In addition, we find that the organization has violated the requirements of the General Data Protection Regulation concerning legal basis, informing the data subject and the obligation to consider the employee’s objections, as well as the provisions concerning erasure of personal data.

On this basis, the Data Protection Authority has ordered the organization to implement written procedures for access to the e-mail inboxes of employees and former employees, and issued a fine in the amount of EUR 20,000 for the unlawful forwarding.

Cyberbook has three weeks to appeal, from the date on which they received notice of our decision.

For further information, please contact the Norwegian DPA: international@datatilsynet.no
 
11 February 2021

The Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.

An individual with no customer relationship or other affiliation with Gveik AS received a notice and became aware that the company had performed a credit rating on them. The individual filed a complaint with the Data Protection Authority.

Credit rating for personal purposes

The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. When an organization performs a credit rating, it collects detailed information about an individual’s personal financial situation. A credit rating is a compilation of personal data from many different sources. In certain cases, it will indicate how likely it is that a person will be able to pay their debts, and it will include any payment defaults, the debt-to-income ratio and whether the person has any mortgages.

In this case, the purpose of conducting the credit rating was personal and outside of the business interests of the organization. These types of cases are serious, and the Data Protection Authority normally issues fines for such violations.

Gveik AS may appeal the fine within the term set.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

11 February 2021

The Norwegian Data Protection Authority has decided to issue a fine of EUR 10 000 (NOK 100,000) to Lindstrand Trading AS for conducting a total of four credit ratings of individuals and sole proprietorships without a legal basis.

This fine was issued in response to a complaint filed by an individual who discovered she had been subjected to credit ratings without having any form of customer relationship or other association with Lindstrand Trading.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

 “As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Directly linked to the owner’s personal financial situation

Credit ratings of a sole proprietorship are also considered personal data, as this type of business enterprise is directly linked to the owner and thereby also the owner’s personal financial situation. This means that a legal basis is required to subject sole proprietorships to a credit rating.

A credit rating compiles personal data from many different sources and estimates how likely it is that a person will be able to pay what they owe. A credit rating will also include detailed information concerning the personal financial situation of individuals, such as any payment defaults, debt-to-income ratio and whether the person has any mortgages.

Serious violation

The Data Protection Authority finds that these credit ratings were conducted for personal purposes, completely disconnected from the organization’s business activities. On this basis, we have concluded that the credit ratings were conducted without a legal basis, thus constituting a violation of the provisions of the General Data Protection Regulation.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Bjørn Erik Thon concludes.

Lindstrand Trading AS has appealed the fine.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

02 February 2021

A fine of over PLN 12 000 (about EUR 3 000) was imposed on the Warsaw-based company Smart Cities for failing to cooperate with the Personal Data Protection Office (UODO): it did not reply to the Office’s letter and did not provide access to the personal data and other information the Office needed to perform its tasks.

As a supervisory authority within the remit of Article 51 of the GDPR, UODO monitors and enforces the application of this regulation in its territory. In order to enable the performance of tasks, the UODO has a number of powers in the field of proceedings, including the power to order the controller and processor to provide all the information necessary for the performance of its tasks and to obtain from the controller and processor access to all personal data and all information necessary for the performance of its tasks.

Hindering and preventing access to information that the UODO requested from the company, and which the company undoubtedly has in its possession, demonstrates a flagrant disregard for its obligation to cooperate with the supervisory authority in the performance of its tasks.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

01 February 2021

The BE DPA has just imposed a fine of 50,000 euro on a company which distributes promotional packages well known by mothers and fathers-to-be in Belgium, for various breaches of the GDPR. 

The defendant is a marketing company that distributes promotional packages containing samples, special offers and information sheets for future parents. The Inspection Service of the BE DPA opened an investigation into the company after a complaint was lodged with the DPA alleging that the company transferred personal data to third parties, including data brokers, without valid consent from the customer and without providing sufficient information.

The Inspection Service and the Litigation Chamber of the BE DPA found that the company was renting and/or selling personal data for commercial purposes. However, these practices were not communicated to customers in a clear and comprehensible manner. Proper information was all the more important in this case because the promotional packages were distributed via gynaecologists and hospitals, which could have led customers to believe that the initiative came from the public sector rather than from a private company whose core business is trading data.

What’s more, the consent given by customers for these data transfers was not valid: it was clearly not informed, and it was also not specific (consent to receiving the boxes automatically entailed the transfer of data) or freely given (refusing consent meant losing some benefits).

Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of 50,000 euro, and ordered the company to comply with the GDPR. Given the size of the company, this is a considerable amount, but the BE DPA decided that a significant sanction was needed as the business model of the company is clearly not compliant with the GDPR.

To read the decision (in Dutch) click here

For further information, please contact the Belgian DPA: contact@apd-gba.be

01 February 2021

Rome, 27 January 2021

Probe to be extended to additional social platforms

The Garante (Italian data protection authority) is stepping up its action to protect children using social networks, after the case of the 10-year-old girl from Palermo and the limitation on processing imposed on TikTok. Inquiries were started yesterday into the processing by Facebook and Instagram.

Media reports over the past few days mentioned that the girl had allegedly opened several profiles on both social networks.

The Garante requested Facebook, which owns Instagram, to provide information including whether and which profiles were held by the girl and, if so, how a 10-year-old could manage to register with both platforms.

More importantly, specific information was requested on the registration mechanisms in place and the age verification methods applied by both social networks to check compliance with the age threshold for registration.

Replies from Facebook are expected within 15 days.

The probe by the Italian SA will be also extended to other social networks with particular regard to the mechanisms regulating children’s access to the platforms. 

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

26 January 2021

The Italian SA (Garante per la protezione dei dati personali) imposed an immediate limitation on the processing performed by TikTok with regard to the data of users whose age could not be established with certainty.

The SA decided to take urgent measures (Article 58(2)(f) and Article 66(1) GDPR) following the dismay caused by the death of a 10-year-old girl from Palermo.

In December, the Garante had already notified several infringements to TikTok including poor attention to the protection of minors, the easy dodging of the registration ban the company applies to children under 13 years, non-transparent and unclear information provided to users, and default settings falling short of privacy requirements.

Pending receipt of the feedback that was requested via the above notification, the Garante decided to anyhow step in today in order to afford immediate protection to the minors in Italy that have joined the social platform.

This is why the Italian SA banned TikTok from further processing the data relating to any user ‘whose age could not be established with full certainty so as to ensure compliance with the age-related requirements’.

The ban will apply provisionally until 15 February as the Garante plans to conclude its further assessment by that date.

The limitation order will be brought to the attention of the Irish SA, since TikTok recently communicated that it had set its main EU establishment in Ireland. 

To read the decision in Italian, click here.

For further information, please contact the Italian SA: ufficiostampa@gpdp.it

26 January 2021

(Issued December 2020)

The State Commissioner for Data Protection in Lower Saxony has imposed a fine of 10.4 million euros against notebooksbilliger.de AG. The company had been using video surveillance to monitor its employees for at least two years with no legal justification. Some of the areas recorded by the illegal cameras included workspaces, sales floors, warehouses and staff rooms.

The company claimed the video cameras had been installed to prevent and investigate criminal offences and to track the flow of goods in warehouses. In order to prevent theft, however, a company must first implement less severe means (e.g. random bag checks when leaving the business premises). Furthermore, video surveillance may only be used to investigate crimes if specific individuals are reasonably suspected of committing such offences. If this is the case, the company may be allowed to monitor the individuals with cameras for a limited period. However, notebooksbilliger.de had not limited its video surveillance to specific employees or a specific period. In addition, many of the recordings were saved for 60 days, which is much longer than necessary.

General suspicion is not enough

“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.

The customers of notebooksbilliger.de were also affected by the illegal video surveillance, because some cameras were directed at seating on the sales floor. In areas where people typically spend more time (e.g. to try out devices), data subjects have high legitimate interests. This is especially true for seating areas, where customers are clearly invited to take their time. Therefore, the video surveillance used by notebooksbilliger.de was not justified.

The fine of 10.4 million euros is the highest penalty ever imposed by the State Commissioner for Data Protection in Lower Saxony under the General Data Protection Regulation (GDPR). The GDPR enables supervisory authorities to impose fines of up to 20 million euros, or up to 4% of a company’s total annual worldwide turnover, whichever is higher. The fine imposed on notebooksbilliger.de is not yet final. The company has since brought its video surveillance into line with the law and demonstrated this to the State Commissioner for Data Protection in Lower Saxony.

The State Commissioner for Data Protection in Lower Saxony provides more information on video surveillance here.

For more information please contact the Lower Saxony DPA here: poststelle@lfd.niedersachsen.de

26 January 2021

The Dutch Data Protection Authority (DPA) has issued a formal warning to a supermarket for its use of facial recognition technology. Although the facial recognition technology has been disabled since December 2019, the supermarket wished to turn it back on.

The supermarket claims that it used facial recognition technology to protect its customers and staff and to prevent shoplifting. The technology was connected to cameras at the store’s entrance.

The technology scanned the face of everyone who entered the store and compared it to a database of people who had been banned from entering stores. The faces of people who had not been banned were deleted after several seconds.

Following reports in the media, on 6 December 2019 the DPA requested information from the owner of the supermarket. On 8 December 2019, the supermarket disabled the facial recognition technology. The owner indicated in documents provided to the DPA, however, that he wished to turn it back on.

Ban on facial recognition technology

‘It’s unacceptable for this supermarket – or any other store in the Netherlands – to just start using facial recognition technology,’ says Monique Verdier, deputy chairperson of the DPA. ‘Use of such technology outside of the home is banned in nearly all cases. And that’s for good reason.’

Walking bar codes

‘Facial recognition makes us all walking bar codes,’ explains Verdier. ‘Your face is scanned every time you enter a store, a stadium or an arena that uses this technology. And it’s done without your consent. By putting your face through a search engine, there is a possibility that your face could be linked to your name and other personal data. This could be done by cross-checking your face with your social media profile, for example.’ 

‘The technology can then decide what to do with the information: Are you suspected of something? Are you of interest as a customer? Is there value in monitoring your purchasing behaviour and creating a profile for you? If we have cameras with facial recognition technology everywhere, everything and all of us can be continuously monitored.’

Two exceptions

Facial recognition technology uses biometric data to identify people. The use of facial recognition for security is prohibited in all but two situations.

The first is if the people have given explicit consent for their data to be processed. Here, although the owner of the supermarket claims customers had been warned that the store used facial recognition technology, the customers did not give explicit consent for this.

‘The presumption that silence equals approval does not work here,’ says Verdier. ‘Simply entering the supermarket doesn’t count as giving consent.’

The other exception is if facial recognition technology is necessary for authentication or security purposes, but only in so far as substantial public interest is concerned. The supermarket claims that this is the case. The DPA considers that it is not.

‘The only example that the law gives is for the security of a nuclear power plant,’ explains Verdier. ‘The bar is therefore very high. Preventing shoplifting is of a completely different magnitude than preventing a nuclear disaster.’

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

26 January 2021

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 25 000 (over EUR 5 850) on the Medical University of Silesia, as there was a data protection breach at the university of which the controller should have notified not only the supervisory authority but also the persons affected by the incident.

Besides the imposed fine, the supervisory authority also ordered the university to notify the persons affected by the breach that occurred in connection with the examinations conducted in the form of videoconference on the special e-learning platform.

Signals that a data protection breach had occurred at the Medical University of Silesia reached the UODO in early June 2020. The information and the description of the complaint made it possible to conclude that students were identified during the examinations held at the end of May 2020 in the form of a video conference. After the end of the examination, the recordings were available not only to the examined people but also to others who had access to the system. Moreover, by using a direct link, any third party could gain access to the examination recordings and to the examined students' personal data presented during identification.

Because the information indicated that there could have been a high risk to the rights and freedoms of the persons who took the examination, the UODO asked the data controller to clarify the situation. In reply to the letter, the controller argued that it was not necessary to notify the Office in connection with the breach, as in its opinion the risk to the rights or freedoms of the persons affected by the incident was low. Furthermore, after this incident, the system was modified so that files with the recorded course of examinations could not be shared by mistake. The controller also indicated that it had identified the persons who downloaded the examination file and notified them of their responsibility for using these data.

However, the university still had not notified the data breach and had not notified the persons affected by this incident. It did not do so despite another letter from the UODO that indicated the situations in which a data breach should be notified to the supervisory authority and the affected persons should also be informed of the incident. Therefore, administrative proceedings were instituted. In their course, it was established that the breach occurred because one of the employees, after the completed examination on the e-learning platform, did not close access to the virtual room in which the test was held. As a result, the examination recordings could be downloaded. Since the students were identified before the examination on the basis of their identity cards or student IDs, a range of their personal data was captured in the recordings. Depending on the type of identity card or student ID used, the scope of data differed between individual affected persons; in some cases it included, for example, an image, a PESEL number (personal identification number), an identity document number or album number, a name and surname, and an address of residence. Also, due to the breach, unauthorized persons could view other data such as the year of study, group, field of study, information about the subject being examined or the answers given during the examination.

The Office found that the data breach had occurred, and that the controller had failed to comply with its obligations to notify both the supervisory authority and the persons affected by the breach of this fact. Such obligations arise when, due to the breach, there is a high risk to the rights or freedoms of the persons affected (e.g. the risk of obligations being incurred using someone's data). The controller had, therefore, incorrectly assessed the risk involved.
In its decision, the UODO also indicated that it is irrelevant that, as the controller claims, the file with the course of the examination was downloaded by only 26 persons, since there is no certainty that it will not be made available further to unauthorized persons.

In the Office's opinion, the responsibility for these data lies with the controller, and not with the persons who downloaded the file with the course of the examination after it had finished. It was due to the controller's negligence that a breach occurred, resulting in a high risk to students' rights and freedoms.
The supervisory authority welcomed the changes implemented on the e-learning platform, which prevent students from downloading files with examinations. They will help avoid similar situations in the future.

The President of the Office, while imposing the fine for not notifying the supervisory authority and not informing the persons whom the incident concerned, took into account, among others, the duration of the breach (several months passed from the breach to the issuing of the decision), the intentional action of the controller, who decided not to notify the breach and not to inform the students about it, and the unsatisfactory cooperation of the controller with the authority (the controller did not notify the breach despite the letters sent and the proceedings initiated).

The imposed fine will fulfil not only a repressive but also a preventive function, as it shows that one cannot neglect the obligations that arise in connection with a personal data breach, especially since an inappropriate approach to the obligations imposed by the GDPR may lead to adverse effects for the persons affected by the breaches.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

26 January 2021

The Norwegian Data Protection Authority has notified Grindr LLC (Grindr) that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the GDPR rules on consent.

- Our preliminary conclusion is that Grindr has shared user data to a number of third parties without legal basis, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Grindr is a location-based social networking app for gay, bi, trans, and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr. 

Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.

- The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Invalid consents

The Norwegian Data Protection Authority considers that as a general rule, consent is required for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering. The same applies where a commercial app wishes to share data concerning users’ sexual orientation.

Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties. Furthermore, the information about the sharing of personal data was not properly communicated to users. We consider that this was contrary to the GDPR requirements for valid consent. 

- Grindr is seen as a safe space, and many users wish to be discreet. Nonetheless, their data have been shared with an unknown number of third parties, and any information regarding this was hidden away, Thon added.

Could result in highest Norwegian DPA fine to date

An administrative fine should be effective, proportionate and dissuasive. 

- We have notified Grindr that we intend to impose a fine of high magnitude as our findings suggest grave violations of the GDPR. Grindr has 13.7 million active users, of which thousands reside in Norway. Our view is that these people have had their personal data shared unlawfully. An important objective of the GDPR is precisely to prevent take-it-or-leave-it “consents”. It is imperative that such practices cease, Thon emphasised.

We have based our calculations on a conservative estimate of Grindr’s worldwide annual turnover, according to which the turnover approaches € 100 000 000 M. This means that our proposed fine will constitute approximately 10 % of the company’s turnover.

Applicability of the GDPR

Although Grindr does not have any establishments within the EEA, the company is subject to the GDPR by virtue of its Article 3.2. Pursuant to this provision, the GDPR applies to controllers that offer goods or services to, or that monitor the behaviour of, people in the EEA.

Our investigation has focused on the consent mechanism in place from when the GDPR became applicable until April 2020, when Grindr changed how the app asks for consent. We have not to date assessed whether the subsequent changes comply with the GDPR.

Not a final decision

The document we have issued to Grindr is a draft decision. Grindr has been given the opportunity to comment on our findings by 15 February 2021. We will make our final decision once we have assessed any remarks the company may have.

Our draft decision concerns the free version of the Grindr app.

The Norwegian Consumer Council also filed complaints against five of the third parties receiving data from Grindr: MoPub (owned by Twitter Inc.), Xandr Inc. (formerly known as AppNexus Inc.), OpenX Software Ltd., AdColony Inc., and Smaato Inc. These cases are ongoing.

You can read the press release on the Norwegian DPA's website here.

For more information, please contact the Norwegian DPA: International@datatilsynet.no

13 January 2021

The inability to quickly identify and remove the threat led to data loss at the company ID Finance Poland. Therefore, the President of the Personal Data Protection Office (UODO) found that the company had not implemented appropriate technical and organizational measures, which resulted in a breach of the principle of confidentiality of personal data, and imposed an administrative fine on the company in the amount of over PLN 1 million (EUR 250,000).

The punished company (owner of the lending platform MoneyMan.pl) did not respond adequately to the signal about gaps in its security. It did not check quickly enough the information that its clients' data was available on one of its servers. The notification was not treated seriously, so a few days after the company received the signal, an unauthorized person copied the data and then deleted it from the server. That person demanded a ransom for returning the stolen information. Only then did the company start analysing the security features on its servers, and at the same time it notified the data breach to the supervisory authority.
In the proceedings, the UODO established that the breach took place following the failure to restore the appropriate security configuration after one of the servers operated by the processor (a hosting company) was restarted. The controller was notified about this by one of its cybersecurity specialists, who detected the vulnerability and pointed to sample publicly available data. Instead of diligently checking the notifications received and monitoring whether the processor duly dealt with the case in terms of checking the security, the controller had doubts as to whether this was an attempt to extort other data from it, which it indicated in its correspondence to the processor. As a result, the identified vulnerabilities in the system were not checked immediately, and a few days later the data was stolen from this server.

This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on its server was unsecured. In the opinion of the Personal Data Protection Office, the controller should maintain the ability to quickly and effectively identify any breaches in order to be able to take appropriate action. Moreover, the controller should be able to quickly investigate the incident in terms of whether there has been a data breach and take appropriate remedial action.

The supervisory authority also found that the processor's lack of a sufficiently quick response to the notification of a system vulnerability does not exclude the controller's responsibility for the data breach. The controller must be able to detect, address and notify a data breach; this is a critical element of technical and organizational measures.

In the opinion of the UODO, the company, despite promptly providing the processor with information about a potential vulnerability in the server's security, did not take sufficient action. The proceedings showed that the controller only briefly analysed the signal received, did not take it seriously and did not oblige the processor to deal with the case properly.

When imposing a fine for the loss of confidentiality of personal data due to a series of negligent acts by the controller, the UODO took into account the scale of the breach and the scope of the stolen data. In addition, because unencrypted passwords were also leaked, it is possible to use these data to log in to customers' accounts on other websites if they used the same login (e.g. e-mail) and password there. In establishing the amount of the fine, the authority also took into account the controller's delay in taking preventive measures.

The amount of the fine should fulfil both a repressive and a preventive function. In the opinion of the authority, it should prevent similar breaches in the future, both in the penalized company and at other controllers.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

13 January 2021

Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. (WARTA S.A. Insurance and Reinsurance Company) infringed the provisions of the General Data Protection Regulation, because it did not notify a personal data breach to the President of the Personal Data Protection Office. The supervisory authority therefore imposed a fine on the company in the amount of PLN 85 588 (EUR 20,000).

In May 2020, the Personal Data Protection Office (UODO) received information from a third party about a personal data breach, which consisted in an insurance agent, acting as a processor for the WARTA S.A. Insurance and Reinsurance Company, sending an insurance policy by e-mail to an unauthorised addressee.

The attached document contained personal data in the scope of, among others, names, surnames, addresses of residence, PESEL numbers (personal identification numbers) and information concerning the subject matter of insurance (a passenger car). Important in this case is the fact that the supervisory authority was informed of the personal data breach by the unauthorised addressee, who had taken possession of documents not intended for him or her, and that the confidentiality of the persons concerned had been breached.

Therefore, the supervisory authority requested the Company to clarify whether, in connection with the sending of electronic correspondence to an unauthorised recipient, an analysis had been carried out of the risk to the rights and freedoms of natural persons, as necessary to assess whether there was a data protection breach resulting in the need to notify the UODO and the persons affected by the breach. In the letter, the supervisory authority indicated to the company how it could notify the breach and called for explanations.

The Company confirmed that there had been an incident related to a personal data breach and that an assessment had been conducted of the risk to the rights and freedoms of natural persons. It was on the basis of that assessment that the fined company found that the breach did not require notification to the UODO. The company considered that the breach was caused by sending the insurance policy document to the wrong e-mail address, which had been indicated by the customer himself or herself. In addition, the unauthorised recipient contacted the company, and the company asked for the permanent deletion of the message, requesting feedback confirming its deletion.

Despite the letter from the UODO requesting clarification, the company still did not notify the personal data breach and did not communicate the incident to the persons affected by the breach. The supervisory authority therefore initiated administrative proceedings. It was only as a result of the initiation of the proceedings that the company notified the personal data breach and informed the two persons affected by the breach.

Such action by the company resulted in a long duration of the breach, which must be regarded as an aggravating circumstance, all the more so since five months had elapsed from the company being informed of the personal data breach to the notification of the breach to the supervisory authority.

In the course of the proceedings, the UODO considered that the fact that the breach occurred as a result of a mistake by a customer who provided the wrong e-mail address does not mean that the event fails to qualify as a personal data breach. When allowing the use of e-mail for communication with the customer, the controller should be aware of the risks associated with, for example, an incorrect e-mail address provided by the customer. Therefore, in order to minimise these risks, the controller should take appropriate organisational and technical measures, such as verification of the address provided or encryption of the documents sent in this way.

Also, the fact of requesting the wrong recipient to permanently delete the correspondence received cannot establish that the risk to the rights and freedoms of the data subjects is not high. The controller cannot be sure that the unauthorised addressee has not, for example, made a copy of the documents or recorded them.

When imposing an administrative fine, the President of the UODO also took into account mitigating circumstances, such as the fact that the breach concerned the personal data of two persons and that the company asked the wrong recipient to permanently delete the correspondence received. However, it is worth mentioning that a request for deletion of data is not tantamount to guaranteeing that the data is actually erased by an unauthorised person and does not preclude possible negative consequences of their use.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

13 January 2021


The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 1.9 million (EUR 460,000) on Virgin Mobile Polska for failing to implement appropriate technical and organisational measures to ensure the security of the processed data.

UODO stated that the company infringed the principles of data confidentiality and accountability specified in the GDPR. Virgin Mobile did not carry out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. In addition, the vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.

In connection with a data breach as a result of which an unauthorised person obtained customers' data from one of the databases, the Supervisory Authority carried out an inspection at the company. As a result of the irregularities found, the authority instituted administrative proceedings, which were finalised with the imposition of a fine.
In the course of the proceedings, the UODO disagreed with the controller, which claimed to have tested and monitored the technical and organisational measures taken to ensure the security of personal data. The Supervisory Authority considered that these activities were neither regular nor comprehensive, as they were carried out incidentally and did not cover all the systems in which the data was processed.

In the course of the proceedings, it turned out that data exchange between applications in the IT system was supposed to take place only after verification of certain parameters from the registration applications of prepaid services' customers. The aim was for the programme to check whether the request for the transfer of the data had been received from an authorised entity. In practice, this verification did not work, and the mechanism was not tested before its implementation. This vulnerability in the process (consisting in the failure to verify the relevant parameters) was used by an unauthorised person to obtain the data. It was only after this incident that appropriate activities were undertaken to repair this functionality in the company's IT system.

The Supervisory Authority considered that the implementation of a data processing system for use without proper validation of assumed parameters was a flagrant breach by the controller.

In imposing a fine, the UODO took into account that the breach committed by the operator was serious, as it posed a high risk of adverse legal consequences for a large number of persons (e.g. the risk of identity theft). It should be remembered that although unauthorised persons had only short-term access to the systems, it was sufficient to collect large amounts of data. Moreover, the breach itself was long-term, with the vulnerability that allowed the data leak existing for a long time.
The Office also took into account mitigating circumstances, such as the good cooperation of the controller, the quick removal of the breach after its detection, and the implementation of additional solutions to further improve the security of the data processed.

However, given the scale and gravity of the breaches, the UODO considered that it would be disproportionate to apply remedies other than an administrative fine.

The fine is intended to prevent the company from committing similar negligence in the future.

To read the press release in Polish, click here.

To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

11 January 2021

The President of the Polish DPA imposed an administrative fine of over PLN 136 000 (nearly EUR 30 000) on the company ENEA S.A. for failing to notify a personal data breach.

The Personal Data Protection Office (UODO) received information about the personal data breach from a person who became an unauthorized recipient of personal data. The breach involved sending an email with an unencrypted, non-password protected attachment containing personal data of several hundred people. The sender of the email was a co-worker of the fined company.

The DPA asked the company to clarify the circumstances of the event and to provide its analysis of the incident along with its assessment of whether, in the situation that had occurred, there was a need to notify the breach to the supervisory authority and the persons affected.

The fined entity indicated that an assessment regarding the risk of a breach of the rights and freedoms of natural persons had been carried out, on the basis of which the company found that there was no breach resulting in the need to notify the DPA. Moreover, the company considered that due to the prompt actions taken, such as obtaining the unauthorized addressee's statement that he had permanently destroyed the attachment he was not authorized to receive, the possibility of adverse effects of this event for the data subjects in the future had been eliminated.

Due to the failure to notify the data breach, the supervisory authority initiated administrative proceedings against the company, which in the course of the proceedings maintained its previous positions presented in the correspondence with the Office since June 2020 and continued to fail to notify the breach to the supervisory authority.

In the case in question, an e-mail was sent to an unauthorized recipient along with an attachment in the form of an unencrypted file containing the personal data of the addressee of the e-mail and of other persons. This means that there was a breach of security leading to the accidental disclosure of personal data to a person unauthorized to receive such data, and thus to a breach of the confidentiality of the data of these persons, which means that a personal data breach occurred.

Until the day of issue of this decision, the company has not complied with the obligation under Article 33 of the GDPR. When determining the amount of the administrative fine, the Office also took into account mitigating circumstances affecting the final amount of the fine, i.e. actions taken by the controller in order to mitigate the damages suffered by the data subjects.

The DPA reminds that pursuant to Article 33(1) and (3) of the GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

05 January 2021

The President of the Polish DPA imposed a fine of over PLN 21 000 (EUR 5 000) on Anwara Sp. z o.o., a company based in Warsaw, which, as a controller of personal data, did not meet its obligation to cooperate with the supervisory authority and did not provide the information the authority required for the performance of its tasks in the course of proceedings.

In the administrative proceedings conducted to examine a complaint by a natural person, the fined company twice ignored written requests to provide explanations. Despite proper delivery of the letters, the company gave no reasons for its failure to act.

Given the company's failure to provide the information necessary to resolve the case, the supervisory authority initiated ex officio administrative proceedings to impose an administrative fine on the company. In these proceedings, too, the fined entity did not respond in any way to the above-mentioned correspondence and provided no explanations.

It should be emphasized that the entity's activity (e.g. running post-secondary schools, secondary schools, primary schools and pre-school education facilities) is closely related to obtaining and processing personal data. The personal data protection regulations and the obligations they impose on controllers should be well known to the company, which is an entity professionally involved in legal and economic transactions. One such obligation is the cooperation of data controllers and processors with the Personal Data Protection Office (UODO).

To read the press release in Polish, click here.
To read the full decision in Polish, click here.

For more information please contact the Polish DPA at kancelaria@uodo.gov.pl
